For over a year now, unknown attackers have been adding malicious exit nodes to the Tor network in order to intercept traffic and carry out SSL-stripping attacks on users visiting cryptocurrency-related sites.
SSL stripping is an attack that downgrades a connection from secure HTTPS to plain HTTP, so a man in the middle can read and modify the traffic.
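The standard client-side defence against the downgrade described above is HTTP Strict Transport Security (HSTS, RFC 6797): once a site has been reached over HTTPS and has sent a Strict-Transport-Security header, the browser rewrites later plain-HTTP requests to HTTPS before anything leaves the machine, so a relay that strips TLS gets nothing to downgrade. The following is an added example, not code from the article or from the Tor project; it is a minimal HSTS policy cache that shows both the protection and the gap a malicious exit relay exploits (the very first visit, before any policy is cached). The hostname wallet.example and the header values are constructed for the demonstration.

```python
"""Minimal HSTS policy cache illustrating why Strict-Transport-Security
blunts SSL stripping.  Added example; hostnames and headers are constructed."""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy is valid for (0 clears it)
    expires_at: float       # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts(header_value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None for a malformed header (no usable max-age), which a client
    must ignore rather than act on.
    """
    max_age = None
    include_sub = False
    for raw in header_value.split(";"):
        directive, _, value = raw.strip().partition("=")
        name = directive.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(max_age=max_age, expires_at=now + max_age,
                      include_subdomains=include_sub)


class HstsCache:
    """Per-host HSTS state, keyed by exact hostname."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Mapping[str, str], now: float) -> None:
        """Record HSTS only from responses received over HTTPS.

        A header seen over plain HTTP is ignored: an on-path attacker could
        otherwise inject or clear policies at will.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return
        policy = parse_hsts(value, now)
        if policy is None:
            return                                   # malformed: ignore
        if policy.max_age == 0:
            self._policies.pop(parts.hostname, None) # max-age=0 clears the policy
        else:
            self._policies[parts.hostname] = policy

    def should_upgrade(self, url: str, now: float) -> bool:
        """True if a cached, unexpired policy covers this host (or a parent
        domain with includeSubDomains)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False
        labels = parts.hostname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]        # lapsed policy is dropped
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite http:// to https:// when a policy applies, else return as-is."""
        if self.should_upgrade(url, now):
            parts = urlsplit(url)
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def stripping_scenario(now: float = 1_000_000.0) -> Tuple[str, str, str, str]:
    """Constructed scenario: first visit, return visit, subdomain, and expiry."""
    cache = HstsCache()
    target = "http://wallet.example/login"
    # First ever visit typed without a scheme: the client tries HTTP and a
    # downgrading relay can serve a stripped page; nothing in the cache stops it.
    first_visit = cache.upgrade(target, now)
    # Later the user does reach the real site over HTTPS and it sends HSTS.
    cache.observe_response(
        "https://wallet.example/",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        now,
    )
    # Within max-age every later http:// request is upgraded before it is sent.
    return_visit = cache.upgrade(target, now + 3600)
    sub_visit = cache.upgrade("http://api.wallet.example/tx", now + 3600)
    # Once max-age has lapsed the protection is gone until HTTPS is seen again.
    expired = cache.upgrade(target, now + 31536000 + 1)
    return first_visit, return_visit, sub_visit, expired


if __name__ == "__main__":
    for label, url in zip(("first", "return", "subdomain", "expired"), stripping_scenario()):
        print(f"{label:>9}: {url}")
```

The first and last results are the exposure window: a site that is not in the browser's HSTS preload list, or whose policy has expired, is reachable over plain HTTP on that request and can be downgraded by a hostile relay. Operators of sites handling funds close that gap by setting a long max-age with includeSubDomains and submitting the domain for preloading, so no first-visit HTTP request is ever made.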
The attacks became known in August 2020 thanks to a security researcher under the pseudonym Nusenu, who also operates a Tor exit node. At the time, it was reported that the attacks had begun in January of that year, and that at the height of the operation the attackers controlled approximately four hundred malicious Tor exit nodes. According to the researcher, the attackers replaced cryptocurrency wallet addresses in the downgraded traffic with their own in order to divert transactions.
Despite the publicity last year, the attacks are still ongoing: in February 2021, the malicious relays accounted for 27% of Tor exit nodes. Although this second wave was noticed and neutralized, by then the malicious infrastructure had been active for several weeks.
The main reason for the success of this operation is that the attackers added malicious nodes in small numbers, quietly building up an impressive infrastructure. However, in early May the attackers tried to bring all of the disconnected servers back online at once, which could not go unnoticed. The attack was discovered just a day after the number of Tor exit nodes jumped from 1,500 to more than 2,500.
Despite the removal of over 1,000 malicious servers, the attackers still control 4-6% of Tor's exit capacity, Nusenu noted. Moreover, according to the researcher, the attackers deliver additional modifications to the traffic after the SSL-stripping downgrade, but what exactly those modifications do is still unclear.