Proxy Service for Tor Access Caught Replacing Bitcoin Wallet Addresses

Operators of at least one proxy service that allows users to access the Tor network from a regular browser have been caught replacing Bitcoin wallet addresses on ransomware sites. This was reported by security researchers from Proofpoint.

Proxy services for accessing the Tor network are websites that let users visit .onion domains hosted on Tor without needing to install the Tor browser. Users can add a domain extension, such as .top, .cab, or .to, to the end of any Tor URL and access it from standard browsers like Firefox, Chrome, Vivaldi, Edge, and others. Over the past two years, these services have become extremely popular, especially among ransomware operators. Ransomware programs typically include ransom notes listing Tor network URLs for payment, as well as alternative addresses for various proxy services.

According to the researchers, one such service, Onion.top, was secretly analyzing web pages loaded through its portal for strings that looked like Bitcoin wallet addresses, then replacing them with one of the service operators’ own wallets. Experts observed this behavior on the ransomware sites LockeR, Sigma, and GlobeImposter.

During their analysis, the researchers found that the service had various “replacement rules” for Bitcoin wallets, indicating that the operators manually configured addresses for each specific site. In total, the experts identified two Bitcoin wallet addresses belonging to the Onion.top operators, which together held no more than 2 bitcoins (about $22,000).

According to the researchers, ransomware operators took note of this incident and removed links to all proxy services from their programs, recommending that victims make payments only through the Tor browser. Some took additional precautions; for example, the operators of the Magniber ransomware began splitting the displayed Bitcoin wallet address for victims across different HTML tags.
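The substitution described above works only because a legacy Bitcoin address is an easily recognisable token: a Base58 string starting with 1 or 3 that carries its own checksum. The following Python script is an added illustration, not code from the article or from Proofpoint, of how a defender (or a site owner checking what a proxy shows its visitors) can detect such tampering: it finds candidate strings with a naive pattern, keeps only those that pass Base58Check validation, and compares what the fetched page shows against the address that was expected. It also shows why the splitting trick mentioned for Magniber defeats a naive matcher, and that flattening the HTML to text undoes that protection, so it is not a durable defence. The page fragments and the "expected" and "swapped" addresses are constructed for the example (the two addresses are well-known public ones from the first two Bitcoin blocks, used only as stand-ins).

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Naive "looks like a Bitcoin address" pattern: the kind of matcher that an
# address-swapping proxy, or a scanner looking for one, would run over page text.
ADDR_CANDIDATE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' encodes one leading zero byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(text: str) -> bool:
    """Base58Check: 25 raw bytes, last 4 == first 4 bytes of SHA256(SHA256(rest))."""
    if any(ch not in B58_ALPHABET for ch in text):
        return False
    raw = b58decode(text)
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_addresses(html: str, strip_tags: bool = False) -> list:
    """Checksum-valid addresses found in the page, in order of appearance.

    With strip_tags=False the pattern runs over raw HTML, so an address split
    across tags is invisible; with strip_tags=True the markup is removed first.
    """
    text = re.sub(r"<[^>]+>", "", html) if strip_tags else html
    return [m.group(0) for m in ADDR_CANDIDATE.finditer(text)
            if is_valid_address(m.group(0))]


def check_substitution(expected: str, html: str) -> list:
    """Valid addresses shown on the fetched page that differ from the expected one.

    A non-empty result means whatever sits between the site and the viewer
    (for example a Tor web proxy) is presenting a different payment address.
    """
    return [a for a in find_addresses(html, strip_tags=True) if a != expected]


# Constructed sample data (hypothetical pages; addresses are public stand-ins).
EXPECTED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # genesis-block address
SWAPPED_ADDRESS = "12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX"    # block-1 coinbase address

GENUINE_PAGE = (
    "<html><body><p>Send 0.5 BTC to "
    f"{EXPECTED_ADDRESS} within 48 hours.</p></body></html>"
)
# What a tampering proxy might hand to the visitor: same page, address replaced.
TAMPERED_PAGE = GENUINE_PAGE.replace(EXPECTED_ADDRESS, SWAPPED_ADDRESS)
# Address split across tags so that a regex over the raw HTML never sees it whole.
SPLIT_PAGE = (
    "<html><body><p>Send 0.5 BTC to "
    f"<span>{EXPECTED_ADDRESS[:15]}</span><span>{EXPECTED_ADDRESS[15:]}</span>"
    " within 48 hours.</p></body></html>"
)

if __name__ == "__main__":
    print("genuine page shows:", find_addresses(GENUINE_PAGE))
    print("tampered page shows:", find_addresses(TAMPERED_PAGE))
    print("unexpected addresses on tampered page:",
          check_substitution(EXPECTED_ADDRESS, TAMPERED_PAGE))
    print("split page, raw HTML scan:", find_addresses(SPLIT_PAGE))
    print("split page, text scan:", find_addresses(SPLIT_PAGE, strip_tags=True))
```

Two points worth noting. The checksum step matters because the naive pattern also matches random Base58-looking tokens (file names, session ids), so validating before comparing avoids false alarms. And the last two calls show both sides of the tag-splitting countermeasure: it blinds a matcher that scans raw markup, but any rewriting proxy that extracts text before matching, or that reassembles adjacent text nodes, sees the full address again, which is why the article's other mitigation, directing victims away from web proxies altogether, is the one that actually removes the intermediary.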
