Hundreds of Malicious Tor Nodes Used to De-Anonymize Users

Since at least 2017, a mysterious attacker or group, tracked by cybersecurity experts as KAX17, has been adding malicious servers to the Tor network. These servers have operated as entry, relay, and exit nodes. According to a security researcher known as Nusenu, the campaign’s goal was to de-anonymize Tor users.

Nusenu, who also operates a Tor node, first discovered this malicious activity in 2019, but believes KAX17 has been active since at least 2017. According to Nusenu, hundreds of malicious servers without any contact information were regularly added to the Tor network. At its peak, the network included more than 900 malicious servers.

Typically, servers added to the Tor network are required to provide contact information (such as an email address) so that Tor administrators or law enforcement can reach node operators in case of misconfiguration or abuse reports. Despite this rule, servers without contact information are often allowed to remain in the network, mainly so that the overall number of relays does not drop.

KAX17’s servers are located in data centers around the world and are mostly configured as relay and entry nodes, with only a small number acting as exit nodes. Nusenu notes that this is unusual, as most attackers running malicious nodes configure them as exit nodes, where traffic leaving the Tor network can be modified. For example, the BTCMITM20 group operated a network of thousands of malicious exit nodes to attack users visiting cryptocurrency-related sites.
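To make the two observations above concrete (relays with no contact information, and a role mix dominated by entry and middle nodes), here is an added example that is not Nusenu's tooling or the Tor Project's code: it tallies relays that lack contact information by role and by hosting AS. It assumes a JSON document in the shape of Tor's Onionoo "details" API; the field names follow that API, and the relays in the sample are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of an Onionoo "details" document.
# Field names ("relays", "flags", "contact", "as") are as in that API
# (an assumption); every relay listed here is invented.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "alpha",   "flags": ["Guard", "Running", "Valid"],
     "contact": "ops@example.org",   "as": "AS64500"},
    {"nickname": "bravo",   "flags": ["Exit", "Guard", "Running"],
     "contact": "abuse@example.net", "as": "AS64501"},
    {"nickname": "charlie", "flags": ["Guard", "Running", "Valid"],
     "contact": "",                  "as": "AS64502"},
    {"nickname": "delta",   "flags": ["Running", "Valid", "Fast"],
     "as": "AS64502"},
    {"nickname": "echo",    "flags": ["Guard", "Running", "Stable"],
     "as": "AS64502"},
    {"nickname": "foxtrot", "flags": ["Exit", "Running"],
     "as": "AS64503"},
]})


def relay_role(flags):
    """Classify a relay by the position it can take in a circuit."""
    if "Exit" in flags:
        return "exit"
    if "Guard" in flags:
        return "guard"
    return "middle"


def relays_without_contact(details_json):
    """Return relays whose ContactInfo is absent or blank."""
    data = json.loads(details_json)
    return [r for r in data.get("relays", [])
            if not r.get("contact", "").strip()]


def summarise(details_json):
    """Count no-contact relays overall, by circuit role and by AS."""
    missing = relays_without_contact(details_json)
    return {
        "missing_contact": len(missing),
        "by_role": Counter(relay_role(r.get("flags", [])) for r in missing),
        "by_as": Counter(r.get("as", "unknown") for r in missing),
    }


def suspicious_clusters(details_json, min_relays=2):
    """ASes hosting at least min_relays no-contact relays, sorted."""
    by_as = summarise(details_json)["by_as"]
    return sorted(asn for asn, n in by_as.items() if n >= min_relays)
```

On the constructed sample, four of six relays lack contact information, three of them non-exit, and all three cluster in one AS; the same tallies over a real details document are the kind of signal the researcher describes.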

The researcher believes that KAX17 is collecting information about users connecting to the Tor network and mapping their routes. Nusenu reported his findings to the Tor Project team last year, and in October 2020, the servers were removed from the network. Shortly after, another group of exit nodes without contact information appeared on Tor, but it is unclear if they were connected to KAX17.

In October and November 2021, the Tor Project also removed hundreds of KAX17’s servers. Neither Nusenu nor the Tor Project has speculated on who is behind KAX17.