“Easy Steal”: A Tor Vulnerability May Have Enabled Dark Web Bitcoin Theft

Figure: Confirmed malicious Tor exit capacity controlled by a malicious player.

Stealing Bitcoin from Tor users is easy.

According to recently published research, an attacker found weaknesses in the Tor network that might have allowed them to steal Bitcoin (BTC) from users. Tor was developed by the U.S. government for anonymous internet communication and has since been adopted by privacy advocates. Because of its privacy-preserving features, it is also popular with the denizens of the Dark Web. Many in the crypto community rely on Tor, entrusting their Bitcoin transactions to its security and anonymity.

However, according to nusenu, the researcher who discovered this attack, that trust may be misplaced. Tor protects user anonymity by routing data through a number of relays. Tor exit relays are the last hop in this process, and the only ones that get to see the actual destination of the Tor user. Starting in January, a malicious party allegedly began running a large number of Tor exit relays, peaking at 23% of the total in May.

The malicious Tor exit relays were performing what is known as a “person-in-the-middle” attack:

“They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays. They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings.”

This is a known weakness, and countermeasures are available, but unfortunately many website operators do not implement them. According to nusenu, the attackers were primarily focused on cryptocurrency-related sites. They would replace users' Bitcoin addresses with their own, thereby routing coins to their wallets:
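The countermeasure the article alludes to but does not name is HTTP Strict Transport Security (HSTS, RFC 6797), ideally with preloading so even a user's first visit never touches plain HTTP. The following checker is an added example, not code from the article or from nusenu: given the raw responses a site returns over HTTP and HTTPS when fetched over a trusted (non-Tor) path, it reports whether an exit relay stripping the HTTP-to-HTTPS redirect would go unnoticed by the browser. The sample responses and the `example.test` hostname are constructed; the one-year minimum `max-age` is the preload list's published requirement at the time of writing.

```python
MIN_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list requires

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from a Strict-Transport-Security value."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip('"'))
        elif d == "includesubdomains":
            subs = True
        elif d == "preload":
            preload = True
    return max_age, subs, preload

def assess(http_response, https_response):
    """Return a list of weaknesses; an empty list means redirect stripping would be rejected."""
    findings = []
    status, headers, _ = parse_response(http_response)
    location = headers.get("location", "")
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        findings.append("http: plain-HTTP content served without a redirect to HTTPS")
    _, headers, _ = parse_response(https_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: no Strict-Transport-Security header, so a stripped redirect is accepted")
        return findings
    max_age, subs, preload = parse_hsts(hsts)
    if max_age is None or max_age < MIN_MAX_AGE:
        findings.append("https: HSTS max-age missing or shorter than one year")
    if not subs:
        findings.append("https: HSTS lacks includeSubDomains")
    if not preload:
        findings.append("https: HSTS not preload-eligible, so the first visit is still unprotected")
    return findings

# Constructed sample exchanges (not captured traffic) for a quick self-check.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; "
              "includeSubDomains; preload\r\n\r\n<html></html>")
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Calling `assess(GOOD_HTTP, GOOD_HTTPS)` returns an empty list, while `assess(WEAK_HTTP, WEAK_HTTPS)` reports both the missing redirect and the missing HSTS header, which is exactly the configuration the stripping attack relies on.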

“It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address.”

The share of exit relays controlled by the attacker had fallen to about 10% as of August. While the researcher has informed some affected Bitcoin services of the problem, we do not know how much Bitcoin the attackers have already stolen.