Tor Network Compromised by Bitcoin Hackers

  • The Tor network has been partially compromised by hackers who are targeting Bitcoin mixing services
  • Hackers have taken over a proportion of exit relays, meaning they can bypass HTTPS security and conduct man in the middle attacks
  • There is no solution as yet, meaning that Tor network users should exercise caution when transacting in cryptocurrency

The Tor network has been compromised by hackers who are using their position to steal Bitcoin. A report from independent security researcher Nusenu reveals that 2020 has seen the highest number of exit relay attacks on the Tor network in at least five years, with hackers using their position to decrypt web traffic and target Bitcoin mixing services in order to steal user funds.

Tor Network Hackers Sidestep HTTPS

The Tor network is used by those seeking the ultimate privacy when using the internet, with exit relays playing a crucial role, according to Nusenu:

Tor exit relays are the last hop in the chain of 3 relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user.

In short, they are the servers through which user traffic is funnelled before reaching the public internet, and hackers have introduced hundreds of malicious exit relays this year alone. Nusenu says that just one of the malicious actors he has been monitoring on the Tor network is responsible for 23% of the attacks, meaning that “roughly about one out of 4 connections leaving the Tor network were going through exit relays controlled by a single attacker.”

Hackers Stealing Bitcoin

So how do these exit relay attacks lead to Bitcoin theft? Hackers are able to strip the Secure Sockets Layer (SSL) from a site, bypassing HTTPS security controls and leaving the site open to “man in the middle” attacks through which they can “gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings”, with Nusenu further explaining their rationale:

It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address.
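The two steps Nusenu describes, a downgrade from HTTPS to plain HTTP that raises no certificate warning and a deposit address swapped in the response body, are both visible to a monitoring probe that a mixing service (or any site) can run against its own pages from a Tor exit. The following check is an added example written for this article, not code from Nusenu's report or from any Tor project tooling; the hostnames, headers and Bitcoin addresses are constructed placeholders, and the address pattern only checks Base58/bech32 shape, not checksums.

```python
"""Monitor-side check for the exit-relay tampering pattern described above:
an HTTPS page downgraded to plain HTTP, and a deposit address replaced in
the body. All sample data in this file is constructed for illustration."""
import re
from urllib.parse import urlparse

# Shape-only pattern for legacy (1.../3...) and bech32 (bc1...) addresses.
BTC_ADDR_RE = re.compile(
    r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Links or form targets that point at plain HTTP.
HTTP_LINK_RE = re.compile(r'(?:href|action)="(http://[^"]+)"', re.IGNORECASE)


def audit_exchange(requested_url, served_url, headers, body, expected_addresses):
    """Return a list of findings for one observed request/response pair.

    requested_url      - the URL the probe asked for (normally https://...)
    served_url         - the URL the response actually came from
    headers            - response headers as a dict
    body               - decoded response body (HTML)
    expected_addresses - the service's own deposit addresses (operator-known)
    """
    findings = []
    req_scheme = urlparse(requested_url).scheme
    got_scheme = urlparse(served_url).scheme

    # 1. A request that started as HTTPS but was served as HTTP is the
    #    signature of SSL stripping: no certificate warning, no encryption.
    if req_scheme == "https" and got_scheme != "https":
        findings.append("downgrade: HTTPS request was served over plain HTTP")

    # 2. Over HTTPS, a missing HSTS header leaves repeat visitors strippable.
    lowered = {k.lower() for k in headers}
    if got_scheme == "https" and "strict-transport-security" not in lowered:
        findings.append("hardening: Strict-Transport-Security header absent")

    # 3. Links or form targets rewritten from https:// to http:// keep the
    #    victim on the stripped path for every subsequent request.
    for link in HTTP_LINK_RE.findall(body):
        findings.append(f"plain-http link in page: {link}")

    # 4. Any address on the page that the operator did not publish is a
    #    substitution. The attacker's address is syntactically valid too,
    #    so only an allowlist comparison catches the swap.
    for addr in sorted(set(BTC_ADDR_RE.findall(body))):
        if addr not in expected_addresses:
            findings.append(f"unexpected bitcoin address: {addr}")
    return findings


# Constructed placeholders: Base58-shaped strings, not real addresses.
GENUINE_ADDR = "1DepositAddrExpectedAAAAAAAAAAAAAA"
SWAPPED_ADDR = "1AttackerAddrSubstitutedBBBBBBBBBB"
EXPECTED = {GENUINE_ADDR}

# Constructed exchanges: what a probe sees from a clean exit and from a
# tampering exit that stripped TLS and rewrote the page.
CLEAN = dict(
    requested_url="https://mixer.example/deposit",
    served_url="https://mixer.example/deposit",
    headers={"Strict-Transport-Security": "max-age=31536000"},
    body=f'<form action="https://mixer.example/send">'
         f'<p>Send to {GENUINE_ADDR}</p></form>',
)
STRIPPED = dict(
    requested_url="https://mixer.example/deposit",
    served_url="http://mixer.example/deposit",
    headers={},
    body=f'<form action="http://mixer.example/send">'
         f'<p>Send to {SWAPPED_ADDR}</p></form>',
)


def run_samples():
    """Audit both constructed exchanges; returns {name: findings}."""
    return {name: audit_exchange(expected_addresses=EXPECTED, **ex)
            for name, ex in (("clean", CLEAN), ("stripped", STRIPPED))}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or ["no findings"])
```

Run from a vantage point that itself exits through Tor (for example a probe client configured to use the Tor SOCKS proxy), the clean exchange produces no findings and the stripped one reports the downgrade, the rewritten form target and the unknown address. The HSTS check is listed as hardening rather than a fix: it only protects a browser that has already completed one untampered HTTPS visit, which is why Nusenu's observation that the attack causes no certificate warnings still holds for first-time visitors.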

Despite efforts to take them down, Nusenu says that the attackers still control around a tenth of all Tor nodes. There is no simple solution for those wishing to use websites over Tor, as users cannot choose the exit relays their traffic passes through. It is therefore simply a case of being aware of the risk and acting accordingly, perhaps not sending large transactions through Bitcoin mixing services on the Tor network until the issue is under control.