Someone is taking over Tor: since January a group of attackers has been working persistently to hijack relays in the anonymity network, considered one of the most secure in the world, and currently controls more than 10% of the exit nodes, the position from which the network's traffic can be intercepted.
According to a report by independent security researcher nusenu, who has been monitoring the Tor network for years, more than 23% of the Tor network's throughput capacity has been used to attack Tor users.
Nusenu has been warning about the growing problem of malicious relays within the Tor network since December 2019, but so far this year the situation has only gotten worse.
When we use a traditional browser, our computer connects directly to the server of the website we want to visit over a relatively simple route (PC > ISP router > web server). With Tor, that path is much less direct and much more complex: the so-called onion routing.
Explained as simply as possible, onion routing picks a more or less random route and sends the traffic through several intermediate nodes, encrypting the message in several layers, like those of an onion. Each node can remove only its own layer, which reveals just the next hop; only the last node in the path sees the final message, and the process is repeated at every hop.
Exit nodes, or "exit relays", are the last hop in the chain of three relays and the only type of relay that sees the connection to the real destination chosen by the Tor Browser user. These are the nodes being attacked. Depending on the protocol used (HTTP vs. HTTPS), the exit node can see and manipulate the transferred content: with plain HTTP it can read and alter the request and response, while with HTTPS it sees the destination but only encrypted traffic.
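To make the onion layers concrete, here is an added toy model of a three-hop circuit (not Tor's real protocol or code): the client wraps the cell innermost-first, and each relay peels exactly one layer, so the guard and middle learn only the next hop while the exit alone sees the destination and payload. It also shows the HTTP vs. HTTPS point: when the payload is already encrypted under a session key the exit does not hold, the exit gets ciphertext only. The stream cipher, relay names and keys are constructed for illustration.

```python
import hashlib
import json

def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric toy stream cipher (SHA-256 keystream XOR). A stand-in for
    Tor's real relay crypto, used only so a layer is unreadable without its key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(hops, dest: str, payload: bytes) -> bytes:
    """hops: [(relay_name, hop_key)] ordered guard -> middle -> exit.
    The innermost layer (exit) carries the real destination; each outer
    layer names only the next relay and wraps the rest as opaque bytes."""
    _, exit_key = hops[-1]
    cell = toy_xor_cipher(exit_key, json.dumps({"dest": dest, "payload": payload.hex()}).encode())
    for (_, key), (next_name, _) in zip(reversed(hops[:-1]), reversed(hops[1:])):
        cell = toy_xor_cipher(key, json.dumps({"next": next_name, "inner": cell.hex()}).encode())
    return cell

def peel(key: bytes, cell: bytes) -> dict:
    """What one relay learns: strip its own layer and read the header."""
    return json.loads(toy_xor_cipher(key, cell))

def trace_circuit(hops, dest: str, payload: bytes):
    """Forward the cell hop by hop; return (relay, what_it_sees, payload_or_None) per relay."""
    views, cell = [], build_onion(hops, dest, payload)
    for name, key in hops:
        layer = peel(key, cell)
        if "dest" in layer:            # exit: destination and payload bytes
            views.append((name, layer["dest"], bytes.fromhex(layer["payload"])))
        else:                          # guard/middle: next relay only, no destination
            views.append((name, layer["next"], None))
            cell = bytes.fromhex(layer["inner"])
    return views

CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]  # constructed keys
HTTP_REQ = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"                   # constructed request
SESSION_KEY = b"client<->site-session-key"  # stands in for a TLS session the exit is not part of

def exit_view(payload: bytes) -> bytes:
    """Bytes the exit relay ends up holding for a given payload."""
    return trace_circuit(CIRCUIT, "example.test", payload)[-1][2]

if __name__ == "__main__":
    print("guard sees:", trace_circuit(CIRCUIT, "example.test", HTTP_REQ)[0])
    print("exit sees (plain HTTP):", exit_view(HTTP_REQ))
    print("exit sees (HTTPS-like):", exit_view(toy_xor_cipher(SESSION_KEY, HTTP_REQ)))
```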
The Tor network consists of more than 7,000 nodes in its overlay network, and the group attacking it has managed to operate 380 Tor exit nodes, which puts the chance of a given Tor user's traffic being compromised at roughly one in four.
Tor has been fighting the problem, but despite three separate attempts to remove the malicious nodes, the group still controls more than 10% of the exit nodes to this day. The objective appears to be the theft of cryptocurrency, since the attackers have launched attacks targeting users of Bitcoin-related websites.