Hundreds of Malicious Tor Relays Detected

By Dr.Dang March 22, 2022, 7:13 p.m.
There's an online threat actor running hundreds of malicious Tor relays. Researchers suspect that this is part of an operation aimed at deanonymizing Tor users.

According to Nusenu, a Tor relay operator, he first came across "KAX17", a sophisticated threat actor, in 2019. At that time, Nusenu had identified a "long-running suspicious relay group," said to have been in operation since 2017 or earlier.
"At their peak, they reached >10% of the Tor network's guard capacity," Nusenu wrote in 2019.
Below is the summary of the actor's behavior according to Nusenu's most recent blog post:
– Active since at least 2017
– Sophistication: non-amateur level and persistent
– Uses large amounts of servers across many autonomous systems
– Operated relay types: mainly non-exit relays (entry guards and middle relays) and, to a lesser extent, Tor exit relays
– Concurrently running relays peak: >900 relays
– Advertised bandwidth capacity peak: 155 Gbit/s
– Probability to use KAX17 as first hop (guard) peak: 16%
– Probability to use KAX17 as second hop (middle) peak: 35%
– Motivation: unknown; plausible: Sybil attack; a collection of Tor client and/or onion service IP addresses; deanonymization of Tor users and/or onion services

In October last year, Nusenu raised concerns over KAX17's exit relays with the Tor Project, and they were removed from the network. Before that removal, a Tor user had up to a 16% chance of connecting to one of KAX17's guard relays, a 35% chance of using one of its middle relays, and up to a 5% chance of using one of its exit relays.

Worst case scenario

On 2020-09-08, Nusenu reported a worst-case scenario, writing that KAX17 could deanonymize Tor users with the following probabilities:
– First hop probability (guard): 10.34%
– Second hop probability (middle): 24.33%
– Last hop probability (exit): 4.6%
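To make these hop percentages concrete, here is an added risk model (not from Nusenu's post or the Tor Project) fed with the figures quoted in this article. It assumes hop selection is an independent draw weighted by the actor's share, that Tor pins a client to one guard for months, and that end-to-end traffic correlation needs both the guard and the exit; the "no exits" scenario is a constructed approximation of the network after the exit removal.

```python
"""Constructed risk model for a relay-level Sybil adversary on Tor.

Assumptions (ours, not Nusenu's): hop choices are independent draws with
the adversary's share as probability; a circuit is exposed to end-to-end
traffic correlation only when the adversary holds BOTH guard and exit.
A middle relay alone learns neither the client nor the destination.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HopProbabilities:
    guard: float   # P(first hop is adversary-controlled)
    middle: float  # P(second hop is adversary-controlled)
    exit: float    # P(last hop is adversary-controlled)


# Figures quoted in the article
KAX17_2020 = HopProbabilities(guard=0.1034, middle=0.2433, exit=0.046)
KAX17_PEAK = HopProbabilities(guard=0.16, middle=0.35, exit=0.05)
# Hypothetical state after the exit relays were removed (constructed)
KAX17_NO_EXITS = HopProbabilities(guard=0.16, middle=0.35, exit=0.0)


def circuit_correlation_risk(p: HopProbabilities) -> float:
    """P(one fresh circuit has an adversary guard AND an adversary exit)."""
    return p.guard * p.exit


def client_correlation_risk(p: HopProbabilities, circuits: int) -> float:
    """P(at least one of `circuits` circuits is fully observed).

    Tor keeps the same guard for months, so the guard is drawn once while
    the exit is re-drawn per circuit: the risk concentrates on the unlucky
    fraction of clients whose pinned guard belongs to the adversary.
    """
    some_exit_hit = 1.0 - (1.0 - p.exit) ** circuits
    return p.guard * some_exit_hit


def client_ip_exposure(p: HopProbabilities) -> float:
    """P(the adversary sees a client's IP at all): the guard always does."""
    return p.guard


if __name__ == "__main__":
    scenarios = [("2020", KAX17_2020), ("peak", KAX17_PEAK), ("no exits", KAX17_NO_EXITS)]
    for name, p in scenarios:
        print(f"{name:>8}: per-circuit {circuit_correlation_risk(p):.4%}, "
              f"client over 100 circuits {client_correlation_risk(p, 100):.2%}, "
              f"client IP exposure {client_ip_exposure(p):.2%}")
```

Removing the exits drives the correlation risk to zero, but the guard share alone still lets the actor collect client IP addresses, which is why the article's summary lists that as a plausible motive.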

Barely a day after the Tor Project had removed the exit relays that Nusenu reported, another large "no-name exit relay group" emerged. Nusenu hasn't attributed the new group to KAX17, but he doesn't believe KAX17 completely halted its exit operations.

While investigating the new group's relays, Nusenu reportedly came across an email address connected to KAX17. The actor, however, noticed this and later removed the email address. After further scrutiny, Nusenu found the same email address on Tor's relay mailing list.

"Interestingly, it became almost exclusively involved on the mailing list when policy proposals with regards to malicious relays were discussed or when large malicious relay groups got removed. They apparently disliked the proposals to make their activities less effective."
