
Hackers exploited Tor exit relays to generate bitcoin: research

The attackers regained a similar share of exit capacity within weeks of Tor's overseers kicking their relays off the network, according to the research.
(Tor logo via Wikicommons/Image by Greg Otto)

At one point this spring, a single financially motivated group of hackers controlled nearly a quarter of the exit capacity of the Tor anonymity network, the final hop through which Tor traffic reaches the open internet, a researcher who tracks the network claimed this week.

The unidentified attacker likely used those "exit relays" to manipulate the traffic passing through them for financial gain, said the researcher, who goes by nusenu. An exit relay is the last hop in a Tor circuit: it strips the final layer of onion encryption and forwards the request to its destination, so a malicious exit operator can read and alter any connection that is not itself protected end to end by TLS. How much bitcoin the attackers were able to generate, if any, remains unclear.

It’s the latest example of how malicious hackers can subvert parts of Tor’s infrastructure for their own gain, and follows another set of malicious Tor activity documented by the same researcher last year. Users ranging from human rights workers in repressive countries to U.S. drug dealers rely on Tor to try to maintain their anonymity online.

“So far, 2020 is probably the worst year in terms of malicious Tor exit relay activity since I started monitoring it about five years ago,” nusenu wrote in an Aug. 9 Medium post. “It demonstrates once more that current checks are insufficient to prevent such large-scale attacks.”


Nusenu showed that, as Tor's overseers removed the attackers' exit relays from the network, the hackers were able to regain a similar share of exit capacity within a month. That cat-and-mouse game looks likely to continue, nusenu's data shows.

The researcher uses a pseudonym, but draws heavily on Tor’s own data. And independent security researchers said the findings document a known security issue. Computer scientist Neal Krawetz pointed out that the hijacking of Tor nodes for financial gain has been a problem for years.

A spokesperson for the Tor Project, the nonprofit that oversees the software, said the coronavirus pandemic had forced it to lay off a third of its staff, including people whose job was to track malicious relays.

“We still have contributors watching the network and reporting malicious relays to be rejected by our Directory Authorities, but they cannot do this full time,” the spokesperson said. “Our goal is to recover our funds to be able to get that Network Health team back in shape.”

Multiple governments have sought to ban Tor, or undercut it entirely. Court records previously revealed U.S. government efforts to crack the software, while the FBI has deployed its own techniques to try to unmask Tor users.


One way of countering the most recent attack, nusenu suggested, would be to require all new Tor relay operators that run more than 0.5% of the Tor network's "exit or guard capacity" to verify their physical addresses. A relay's share of that capacity is determined by the consensus weight the directory authorities assign it, and relays run by one operator are meant to be declared as a family, which is what such a check would have to be measured against.

“It is a balance between the risk of malicious Tor relay capacity and the required effort for verification,” the researcher wrote.
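The measurement behind both the "nearly a quarter of exit capacity" figure and the proposed 0.5% threshold is the same: group exit relays by operator and sum their consensus weight. The following script is an added example, not nusenu's tooling or Tor Project code. It assumes relay records shaped like the Tor Project's Onionoo "details" documents (fields such as consensus_weight, flags, effective_family, contact and first_seen); the six relay records below, their fingerprints and contact strings, and the 120-day "new operator" window are constructed for illustration and describe no real relays.

```python
"""Group Tor exit relays by operator and measure each group's share of exit weight.

Added example, not nusenu's or the Tor Project's code. Assumes records shaped like
Onionoo "details" documents; the SAMPLE_RELAYS below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: five exits and one guard-only relay. Fingerprints are fake.
# Relays A1 and B1 declare each other as family (one operator, two relays).
SAMPLE_RELAYS = [
    {"fingerprint": "A" * 40, "nickname": "exitA1", "flags": ["Exit", "Running"],
     "consensus_weight": 30000, "effective_family": ["A" * 40, "B" * 40],
     "contact": "ops@example-a.test", "first_seen": "2020-05-02 00:00:00"},
    {"fingerprint": "B" * 40, "nickname": "exitB1", "flags": ["Exit", "Running"],
     "consensus_weight": 20000, "effective_family": ["A" * 40, "B" * 40],
     "contact": "ops@example-a.test", "first_seen": "2020-05-03 00:00:00"},
    {"fingerprint": "C" * 40, "nickname": "exitC1", "flags": ["Exit", "Running"],
     "consensus_weight": 40000, "effective_family": [],
     "contact": "longtime@example-c.test", "first_seen": "2016-01-01 00:00:00"},
    {"fingerprint": "D" * 40, "nickname": "exitD1", "flags": ["Exit", "Running"],
     "consensus_weight": 9700, "effective_family": [],
     "contact": "", "first_seen": "2020-06-10 00:00:00"},
    {"fingerprint": "E" * 40, "nickname": "exitE1", "flags": ["Exit", "Running"],
     "consensus_weight": 300, "effective_family": [],
     "contact": "small@example-e.test", "first_seen": "2020-07-01 00:00:00"},
    {"fingerprint": "F" * 40, "nickname": "guardF1", "flags": ["Guard", "Running"],
     "consensus_weight": 50000, "effective_family": [],
     "contact": "", "first_seen": "2019-03-01 00:00:00"},
]

# Reference date (the day of nusenu's post) so the sample ages are reproducible.
REFERENCE_NOW = datetime(2020, 8, 9, tzinfo=timezone.utc)


def operator_key(relay):
    """Group by declared family, else by contact string, else by the relay itself.

    Family members share the same effective_family set, so the smallest
    fingerprint in it is a stable key for the whole group.
    """
    fam = relay.get("effective_family") or []
    if fam:
        return "family:" + min(fam)
    contact = (relay.get("contact") or "").strip().lower()
    if contact:
        return "contact:" + contact
    return "relay:" + relay["fingerprint"]


def is_exit(relay):
    """Only running relays with the Exit flag carry exit traffic."""
    flags = relay.get("flags", [])
    return "Exit" in flags and "Running" in flags


def exit_share_by_operator(relays):
    """Return {operator_key: fraction of total exit consensus weight}."""
    exits = [r for r in relays if is_exit(r)]
    total = sum(r["consensus_weight"] for r in exits)
    if total == 0:
        return {}
    weight = defaultdict(int)
    for r in exits:
        weight[operator_key(r)] += r["consensus_weight"]
    return {key: w / total for key, w in weight.items()}


def parse_first_seen(text):
    """Onionoo first_seen is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def flag_operators(relays, threshold=0.005, new_days=120, now=None):
    """Operators above `threshold` of exit weight whose OLDEST relay is recent.

    Using the oldest relay is deliberate: an operator who has run relays for
    years is not "new", even if they added capacity yesterday. The 120-day
    window is an assumed value for this example, not a Tor Project rule.
    """
    now = now or datetime.now(timezone.utc)
    groups = defaultdict(list)
    for r in relays:
        if is_exit(r):
            groups[operator_key(r)].append(r)
    flagged = []
    for key, share in exit_share_by_operator(relays).items():
        if share < threshold:
            continue
        oldest = min(parse_first_seen(r["first_seen"]) for r in groups[key])
        age_days = (now - oldest).days
        if age_days > new_days:
            continue
        flagged.append({"operator": key, "share": share,
                        "age_days": age_days, "relays": len(groups[key])})
    return sorted(flagged, key=lambda g: g["share"], reverse=True)


if __name__ == "__main__":
    for g in flag_operators(SAMPLE_RELAYS, now=REFERENCE_NOW):
        print(f"{g['operator'][:24]:24} {g['share']:6.1%} of exit weight, "
              f"{g['relays']} relay(s), oldest first_seen {g['age_days']} days ago")
```

On the sample, the two-relay family holds 50% of exit weight and the unattributed relay D holds 9.7%; both are recent and both are flagged, while the long-running operator C (40%) is not new and the small exit E sits under the 0.5% line. The obvious limitation, and the reason nusenu's monitoring relies on more than this, is that the grouping depends on what operators declare: an attacker who omits family and contact fields shows up as many unrelated "relay:" groups, each possibly below the threshold, so real-world analysis also correlates hosting providers, uptime patterns and the dates relays appeared.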

The Tor Project spokesperson said the nonprofit is considering a “design proposal” that would limit the total number of suspicious relays to some proportion of the network.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
