Malicious Tor Browser Version Steals Cryptocurrency from Darknet Market Users

A malicious version of the Tor browser is stealing cryptocurrency from users of darknet markets and tracking the websites they visit. According to ESET experts, cybercriminals registered three cryptocurrency wallets back in 2017, which have since received $40,000 in Bitcoin.

The attackers promote their malicious Tor variant on Pastebin, advertising it as a “Russian-language version” of the browser. Their promotional posts are optimized to appear at the top of search results for queries like drugs, cryptocurrency, bypassing blocks, and Russian politicians. Potential victims are enticed by claims that this version of the browser can allegedly bypass CAPTCHA challenges.

Another method of spreading the malware is through spam emails. Disguised as the “official Russian version,” the malicious browser is downloaded from domains such as tor-browser[.]org and torproect[.]org, which were registered in 2014. The design of these sites is copied from the legitimate Tor Project website. When users visit these sites, regardless of the Tor version they are using, they see a notification claiming their browser is outdated and needs to be updated.

If the user chooses to “update” their browser, a script is downloaded to their system that can modify web pages. Specifically, it steals content from forms, hides original content, displays fake messages, and adds other content. This allows the malware to substitute the cryptocurrency wallet address in real time, so any cryptocurrency sent by the user goes to the attackers instead. The script can also steal Qiwi wallet data.

When a victim tries to deposit cryptocurrency, the script replaces their wallet address with one belonging to the attackers. Since cryptocurrency addresses are long strings of random characters, users often do not notice the substitution.