Mysterious Group Takes Control of a Quarter of Tor Exit Nodes
Since January 2020, a mysterious cybercriminal group has been targeting users through the Tor network. By adding their own servers, the attackers attempt to strip SSL protection from visitors to cryptocurrency-related websites.
The cybercriminals were so well-prepared that by May 2020, they managed to control a quarter of all Tor exit nodes—special servers through which user traffic leaves the Tor network and enters the internet.
An independent cybersecurity researcher known as Nusenu published a report stating that, at the peak of their attacks, the group operated 380 malicious Tor exit nodes.
“The true scale of their operations is still unknown. However, their motive is clear—profit,” Nusenu explains.
According to the expert, the group carries out “Man-in-the-Middle” attacks, allowing them to manipulate Tor users’ traffic as it passes through their exit nodes.
Main Targets: Cryptocurrency Users
The primary targets for these cybercriminals are visitors to sites related to digital currencies. Using a technique called “SSL stripping,” the attackers try to downgrade a visitor’s connection from the secure HTTPS protocol to the unprotected HTTP protocol, so that the traffic passing through their exit node can be read and modified.
This approach allowed the group to replace Bitcoin addresses within HTTP traffic.
How to Stay Safe
- Always check for HTTPS in the address bar when visiting cryptocurrency sites.
- Use trusted wallets and services for transactions.
- Be cautious when using public or unknown Tor exit nodes.
Staying vigilant and using secure protocols can help protect your digital assets from such sophisticated attacks.
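The technique described above and the advice to check for HTTPS both come down to one server-side control: plain-HTTP requests must be redirected to HTTPS, and the HTTPS response must carry a strong HSTS policy so a browser refuses to be held on plaintext on later visits. The following Python example is added here (it is not code from Nusenu’s report or from the Tor Project) and audits constructed responses for that control; the Response type, the finding codes and the sample header values are assumptions made for the example.

```python
# Added example: audit HTTP/HTTPS responses for resistance to SSL stripping.
# The Response type and the finding codes are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names are lower-cased


def parse_hsts(value):
    """Parse Strict-Transport-Security; return (max_age, include_subdomains, preload) or None."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None  # a malformed policy is ignored by browsers, so treat it as absent
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


def audit(http_resp, https_resp, min_max_age=31536000):
    """Return finding codes; an empty list means a returning visitor cannot be downgraded."""
    findings = []
    location = http_resp.headers.get("location", "")
    if http_resp.status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        # Page content (including any payment address) is served in the clear
        findings.append("http-not-redirected-to-https")
    if "strict-transport-security" in http_resp.headers and \
            "strict-transport-security" not in https_resp.headers:
        findings.append("hsts-only-over-http")  # browsers ignore HSTS received over plain HTTP
    policy = parse_hsts(https_resp.headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("no-hsts")
        return findings
    max_age, _, preload = policy
    if max_age < min_max_age:
        findings.append("hsts-max-age-too-short")
    if not preload:
        # Without preloading, the very first visit over http:// is still unprotected
        findings.append("hsts-no-preload-directive")
    return findings
```

Even a clean audit only protects visits after the browser has seen the policy once; the first visit to a site that is not in the browser’s preload list still starts over plaintext unless the browser itself enforces HTTPS-only connections.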