Thousands of Tor Exit Nodes Attacked Cryptocurrency Users Over the Past Year

For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites. From a report: The attacks, which began in January 2020, consisted of adding servers to the Tor network and marking them as 'exit relays,' which are the servers through which traffic leaves the Tor network to re-enter the public internet after being anonymized. But since January 2020, a threat actor has been inserting thousands of malicious servers into the Tor network to identify traffic heading to cryptocurrency mixing websites and perform an SSL stripping attack, which is when traffic is downgraded from an encrypted HTTPS connection to plaintext HTTP. The belief is that the attacker has been downgrading traffic to HTTP in order to replace cryptocurrency addresses with their own and hijack transactions for their own profit. The attacks are not new and were first documented and exposed last year, in August, by a security researcher and Tor node operator known as Nusenu. At the time, the researcher said the attacker managed to flood the Tor network with malicious Tor exit relays on three occasions, peaking their attack infrastructure at around 23% of the entire Tor network's exit capacity before being shut down by the Tor team on every occasion.

Read more of this story at Slashdot.