Security researcher Nusenu has identified the operator behind thousands of malicious Tor relays, an actor that has been running a Sybil attack against the network.
An experienced and well-resourced actor, tracked as KAX17, has been running thousands of malicious relays in the guard (entry), middle and exit positions of the Tor network since at least 2017.
By conservative estimates, the attacker operated more than 900 malicious relays at its peak, out of roughly 9,000-10,000 relays the network had per day; these relays are the nodes that encrypt and anonymize user traffic.
Relays added to the Tor network normally carry contact information: at a minimum, an email address at which the operator can be reached about misconfiguration or abuse.
In 2019 Nusenu identified a pattern of Tor relays with no contact information and traced it back to 2017. Grouping the relays made it clear that the attacker was continuously adding contactless relays to the Tor network on an industrial scale, administering several hundred nodes at a time.
The servers were hosted in data centers around the world and configured primarily as guard and middle relays. That does not match the usual criminal motive: attackers prefer to control exit relays, which let them tamper with user traffic. For example, the attacker tracked as BTCMITM20 ran thousands of malicious Tor exit relays to replace Bitcoin wallet addresses in web traffic and divert the payments of users of various Bitcoin mixer services.
After Nusenu's tip-off to the Tor Project, the Tor security team removed all of KAX17's exit relays in October 2020.
However, the next batch of exit relays was connected immediately after the purge. In October and November 2021 the Tor Project again removed up to a hundred KAX17 relays and opened its own investigation.
At the same time, thanks to an OpSec mistake, Nusenu was able to link the attacker to an email address. KAX17 used it to subscribe to Tor Project mailing lists and took part in discussions, trying to find out why the malicious relays were being removed.
As a result, the probability that a given Tor user's traffic passed through a KAX17 relay reached up to 35%. The researcher concluded that the attacker was engaged in deanonymizing and identifying both Tor users and onion services, and had the serious technical and financial resources for it.
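The two technical points above, clustering relays that carry no contact information and estimating what share of the network's path-selection weight such a cluster controls per position, can be reproduced with a short script. The following is an added example written for this page; it is not code from Nusenu or the Tor Project. It runs on a constructed set of relay records shaped like the fields of Onionoo's /details endpoint (nickname, contact, flags, consensus_weight); a real analysis would load that endpoint's JSON instead. It also simplifies Tor's path selection, which additionally applies the consensus bandwidth-weight parameters, so the shares it prints are an approximation of the real per-position probabilities.

```python
"""Estimate the share of Tor path-selection weight held by a suspect relay group.

Added example (not Nusenu's or the Tor Project's code). RELAYS below is
constructed sample data modelled on Onionoo /details records; the weights and
nicknames are made up. Position selection is simplified: real clients scale
consensus_weight by the Wgg/Wmg/Wee/... bandwidth weights from the consensus.
"""
from collections import defaultdict

# Constructed sample: four relays with ContactInfo, six without (the KAX17 pattern).
RELAYS = [
    {"nickname": "goodguard1",  "contact": "admin@example.org", "flags": ["Running", "Guard", "Stable"],  "consensus_weight": 5500},
    {"nickname": "goodexit1",   "contact": "ops@example.net",   "flags": ["Running", "Guard", "Exit"],    "consensus_weight": 2500},
    {"nickname": "goodmiddle1", "contact": "abuse@example.com", "flags": ["Running"],                     "consensus_weight": 2000},
    {"nickname": "goodexit2",   "contact": "noc@example.org",   "flags": ["Running", "Exit"],             "consensus_weight": 2000},
    {"nickname": "Unnamed",     "contact": None,                "flags": ["Running", "Guard"],            "consensus_weight": 1000},
    {"nickname": "Unnamed",     "contact": None,                "flags": ["Running", "Guard"],            "consensus_weight": 1000},
    {"nickname": "Unnamed",     "contact": None,                "flags": ["Running"],                     "consensus_weight": 1500},
    {"nickname": "Unnamed",     "contact": None,                "flags": ["Running"],                     "consensus_weight": 1500},
    # Flagged BadExit by the directory authorities: clients will not use it as an exit.
    {"nickname": "Unnamed",     "contact": None,                "flags": ["Running", "Exit", "BadExit"],  "consensus_weight": 500},
    # Empty-string contact counts as missing, just like None.
    {"nickname": "Unnamed",     "contact": "",                  "flags": ["Running", "Exit"],             "consensus_weight": 500},
]


def is_contactless(relay):
    """Selector for the KAX17-style cluster: no usable ContactInfo at all."""
    return not (relay.get("contact") or "").strip()


def positions(relay):
    """Circuit positions a relay can be chosen for.

    Every running relay is a middle candidate; Guard-flagged relays are guard
    candidates; Exit-flagged relays are exit candidates unless marked BadExit.
    """
    flags = set(relay.get("flags", []))
    pos = ["middle"]
    if "Guard" in flags:
        pos.append("guard")
    if "Exit" in flags and "BadExit" not in flags:
        pos.append("exit")
    return pos


def weight_share(relays, predicate):
    """Fraction of per-position consensus weight held by relays matching predicate."""
    total = defaultdict(int)
    suspect = defaultdict(int)
    for relay in relays:
        weight = relay.get("consensus_weight", 0)
        for pos in positions(relay):
            total[pos] += weight
            if predicate(relay):
                suspect[pos] += weight
    return {pos: suspect[pos] / total[pos] for pos in total if total[pos]}


def circuit_exposure(shares):
    """Probability that a 3-hop circuit touches at least one suspect relay,
    treating the three hops as independent draws (an approximation)."""
    miss = 1.0
    for pos in ("guard", "middle", "exit"):
        miss *= 1.0 - shares.get(pos, 0.0)
    return 1.0 - miss


if __name__ == "__main__":
    shares = weight_share(RELAYS, is_contactless)
    for pos in ("guard", "middle", "exit"):
        print(f"{pos:>6}: {shares.get(pos, 0.0):6.1%} of weight held by contactless relays")
    print(f"circuit exposure: {circuit_exposure(shares):.1%}")
```

On the constructed data the contactless cluster holds 20% of guard weight, a third of middle weight and 10% of exit weight, and about half of all three-hop circuits would pass through at least one of its relays. Against live Onionoo data the same code makes the imbalance described above visible: a cluster heavy in guard and middle weight but light on exits is exactly what a deanonymization-oriented operator, rather than a traffic-tampering one, would build.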