A Malicious Actor Gaining Control Over Tor Exit Relays


A malicious actor was found to have controlled more than 27% of the Tor network exit relays in order to manipulate cryptocurrency transaction traffic.


A researcher (Nusenu) recently revealed that an unknown malicious actor gained control over more than 27% of the Tor network exit relay capacity in February 2021.

According to the researcher, the malicious actor has been trying to exploit Tor users for over a year by expanding their control over the exit relays (the last node in the chain of 3 relays). The threat actor’s malicious activities on Tor possibly started around January 2020. On average, the malicious actor has controlled over 14% of all the Tor exit relays throughout the past 12 months.

What is Tor?

Tor (short for The Onion Router) is an open source project and free software that aims to provide online privacy and anonymity for browsing the Internet. Tor achieves this privacy and security by routing Internet traffic through specially crafted relays that encrypt and decrypt data in transit in a layered fashion. Fundamentally, it hides the IP addresses of its users (anonymity) in addition to encrypting the traffic (secrecy) while browsing online.

The relays, a.k.a. onion routers, are non-proprietary and operated by thousands of volunteers around the world. This mechanism of exchanging traffic over a number of onion routers makes it extremely hard for anyone to identify the source of the information. Additionally, encrypting data multiple times in layers further prevents prying eyes from eavesdropping and analyzing your data.

In addition to surfing anonymously and in secrecy, Tor also allows for hosting specially designed hidden websites, a.k.a. onion sites, that are accessible only through the Tor network.

Who Created Tor?

Tor was developed during the early 2000s by the Naval Research Lab and the Defense Advanced Research Projects Agency (DARPA). The project was mostly funded by the US State Department and Department of Defense (DoD), though there were other supporters too, such as the Electronic Frontier Foundation, the Knight Foundation, and the Swedish International Development Cooperation Agency. Since its public release in 2002, it has transformed into what is now known as the Tor Project, an open source anonymity service project.


Threat Actor Origin: Russia (Not Confirmed)
Attacker’s Motivation:
– Not known to the full extent.
– One of the attacker’s motivations is to gain money by manipulating cryptocurrency transaction traffic.
Attacker’s TTPs (Tactics, Techniques and Procedures):
– Gaining control over Tor exit relays by setting up new relays in large quantities.
– Setting up new relays with empty or fake ContactInfo and MyFamily attributes to evade detection as a group.
– Using multiple hosting providers to disguise that the malicious activity comes from a single threat actor.
Countermeasures:
– Enforcing HTTPS at the browsers by installing an extension such as HTTPS Everywhere.
– Implementing HSTS at the server side.

What is the Purpose of the Attack?

The full extent of the goals of this malicious actor is not known yet. However, according to the researcher, one of the identified purposes of this malicious activity is to carry out man-in-the-middle attacks on Tor users with a monetary motivation. Specifically, the attacker targets cryptocurrency transaction traffic in order to steal cryptocurrency by manipulating transaction amounts and addresses.

Attacker’s TTPs (Tactics, Techniques and Procedures)

For this purpose, the attacker aims to control as many exit relays as possible so that more users fall victim to the attacks and more monetary gain can be achieved. To better understand the attacker’s dominance over the Tor exit relays, compare the second-highest exit relay capacity controlled by a relay operator, which is 2%, to the 27% controlled by the attacker at its peak.

Technically, there is no restriction on how many relays a single entity can add to the Tor network. The Tor Project only removes relays that have been detected acting maliciously, together with all the other relays that belong to the same group. To determine relay groups, the authorities and the researcher can leverage the MyFamily and ContactInfo attributes of the relays.

According to the Tor manual, if an entity runs more than one relay, ContactInfo must be set to a working address and the MyFamily attribute must list all the other relays. However, malicious actors can simply ignore this guidance and set up multiple relays with an empty ContactInfo field. This appears to be one of the ways the attackers evade detection as a group. This theory could explain the unnatural increase in relays with no ContactInfo from less than 30% to more than 45% in 2020.
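The grouping problem described above can be seen in a small added example (not code from the researcher or the Tor Project). It assumes hypothetical record fields `fp`, `contact`, `family` and `exit_prob`, and all relay data is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample relays; field names are hypothetical, values are illustrative.
RELAYS = [
    {"fp": "A1", "contact": "ops@example.org", "family": ["A2"], "exit_prob": 0.010},
    {"fp": "A2", "contact": "ops@example.org", "family": ["A1"], "exit_prob": 0.010},
    {"fp": "B1", "contact": "tor@example.net", "family": [], "exit_prob": 0.015},
    {"fp": "C1", "contact": "", "family": [], "exit_prob": 0.060},
    {"fp": "C2", "contact": None, "family": [], "exit_prob": 0.055},
    {"fp": "C3", "contact": "", "family": [], "exit_prob": 0.050},
]

def group_relays(relays):
    """Merge relays that mutually declare MyFamily or share a non-empty ContactInfo."""
    parent = {r["fp"]: r["fp"] for r in relays}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    declared = {r["fp"]: set(r["family"]) for r in relays}
    by_contact = defaultdict(list)
    for r in relays:
        for other in r["family"]:
            # A family link only counts when both relays list each other.
            if other in declared and r["fp"] in declared[other]:
                parent[find(r["fp"])] = find(other)
        if r["contact"]:
            by_contact[r["contact"].strip().lower()].append(r["fp"])
    for fps in by_contact.values():
        for fp in fps[1:]:
            parent[find(fps[0])] = find(fp)
    groups = defaultdict(list)
    for r in relays:
        groups[find(r["fp"])].append(r)
    return list(groups.values())

def exit_share_report(relays):
    groups = group_relays(relays)
    shares = sorted((round(sum(r["exit_prob"] for r in g), 3) for g in groups), reverse=True)
    no_contact = round(sum(r["exit_prob"] for r in relays if not r["contact"]), 3)
    return {"groups": len(groups), "largest_group_share": shares[0], "no_contact_share": no_contact}
```

In this sample the three relays with blank attributes are reported as three unrelated operators, so the largest visible group holds only 6% of exit probability, while the aggregate share of relays without ContactInfo is 16.5%. That aggregate is the kind of signal the researcher's no-ContactInfo trend refers to.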

To evade detection as a whole group of relays, this particular threat actor has also been observed to use multiple hosting providers, both well-known Tor hosting providers (such as OVH and Hetzner) and lesser-known providers. But even if the malicious relays can be detected and removed, there is no mechanism that can prevent attackers from setting up new relays to regain dominance. This specific malicious actor has also been observed to have recovered repeatedly after initial removal attempts by the Tor directory authorities.

After gaining enough control over the Tor network, the malicious actor performs SSL stripping on Tor users to downgrade the traffic heading to cryptocurrency sites from HTTPS to HTTP. This enables the attacker to manipulate or redirect the traffic exchanged between the users and web servers. To put it more clearly, the attacker can change the cryptocurrency address and amount information in the exchanged transaction data. This threat model is depicted in Figure 1.

Figure 1: SSL Stripping Attack On The Tor Network

In more detail, the attacker targets careless users who type the HTTP address of sites that serve both HTTP and HTTPS. Note that the protocol chosen by the user (HTTP or HTTPS) determines whether a malicious exit relay can see and manipulate the traffic exchanged. As a security countermeasure, most sites promote HTTP (unencrypted) traffic to HTTPS (encrypted) by sending HTTPS redirects back to the users. At this point, the attacker intercepts the HTTPS redirect and prevents it from reaching the user. Instead, impersonating the user, the attacker establishes an HTTPS connection with the targeted server and a separate HTTP connection with the user. Thus, the attacker can read and manipulate the content of the traffic exchanged between the users and the targeted servers, if the users don’t notice that they have ended up with an HTTP connection.


To facilitate detecting malicious relays as groups, the Tor Project might require non-empty and verified ContactInfo attributes when setting up relays. However, there is currently no such enforcement by the Tor Project.

To prevent attacks like SSL stripping, HTTP requests can be disabled in the web browser. This can be achieved in a number of ways.

The first approach is to disable HTTP traffic by using the built-in settings provided by the browser. For instance, Firefox 83 introduced HTTPS-Only mode, where users can opt to use only HTTPS traffic. In Tor Browser, which is derived from Firefox, the HTTPS-Only feature can also be enforced by default. However, preventing all HTTP requests and allowing only HTTPS requests can be somewhat problematic, since not all web sites have transitioned to HTTPS and this could prevent users from accessing HTTP-only sites.

As a second approach, third-party add-ons such as HTTPS Everywhere can be used to prevent HTTP traffic. Luckily, HTTPS Everywhere comes installed by default in Tor Browser. However, users should ensure that HTTPS Everywhere is not disabled and re-enable it after visiting sites that serve only HTTP content. Figure 2 displays a screenshot of the HTTPS Everywhere extension in Tor Browser.

Figure 2: HTTPS Everywhere Extension on the Tor Browser

As a last countermeasure, HSTS (HTTP Strict Transport Security) can be enforced by the web sites. HSTS is a response header that instructs browsers to always use HTTPS when communicating with the web sites that send it. This feature cannot protect users 100%, since not all web sites currently implement it. In addition, HSTS still leaves users vulnerable on their very first connection, even if the web site implements HSTS.
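The first-connection gap can be made concrete with a toy model of a browser's dynamic HSTS list (no preload list), given here as an added example rather than code from any browser. The host names, timestamps and the `HstsStore` class are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        value = headers.get("strict-transport-security")
        # The header only counts over HTTPS; over HTTP an on-path relay could forge or drop it.
        if parts.scheme != "https" or value is None:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age:
            self.entries[parts.hostname] = (now + max_age, include_sub)
        elif max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 removes the entry

    def upgrade(self, url, now):
        """Rewrite http:// to https:// before any request if a live entry covers the host."""
        parts = urlsplit(url)
        labels = parts.hostname.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if parts.scheme == "http" and entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def demo():
    store, t0, year = HstsStore(), 1000, 31536000  # constructed hosts and times
    hsts = {"strict-transport-security": f"max-age={year}; includeSubDomains"}
    first = store.upgrade("http://exchange.example/login", t0)   # first visit: no entry yet
    store.note_response("http://exchange.example/login", hsts, t0)   # plain HTTP: ignored
    still_http = store.upgrade("http://exchange.example/login", t0)
    store.note_response("https://exchange.example/", hsts, t0)       # genuine HTTPS visit
    later = store.upgrade("http://wallet.exchange.example/pay", t0 + 60)
    expired = store.upgrade("http://exchange.example/login", t0 + year + 1)
    return first, still_http, later, expired
```

`demo()` returns the first-visit URL unchanged, shows that a header seen over plain HTTP creates no entry, then shows the upgrade to HTTPS only after one genuine HTTPS response, and the protection lapsing once `max-age` has passed.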

Final Remarks

Control of a large number of Tor exit relays in order to compromise the very security property offered by the Tor Project should be taken seriously by every stakeholder. Though partial and precarious control measures such as HTTPS-Only and HSTS can optionally be implemented by the users and the web sites, more reliable and holistic security controls are needed to protect users’ security and privacy. For this purpose, the Tor Project and the Tor directory authorities should consider enforcing more stringent security policies on relay setups and act more diligently to detect and remove malicious relays.

Quote by Bruce Schneier

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did.

Bruce Schneier
