In brief

  • Hackers this year controlled 24% of exit relays on Tor—that's more than ever in the last five years, according to a cyber security researcher.
  • This is allowing hackers to snoop on crypto transactions and redirect Bitcoin funds to themselves.
  • "Bitcoin address rewriting attacks are not new, but the scale of their operations is," the researcher said.

Hackers this year exercised significant influence over the privacy browser Tor, according to a report by pseudonymous cyber security researchernusenu.” 

And they’re using this influence to hijack cryptocurrency transactions, specifically targeting Bitcoin mixer services. 

The Tor browser works by bouncing your traffic about several different anonymous relays. This means that it’s very difficult to trace your identity. When, say, a search query hits the final relay, called the “exit relay,” your data the Internet and out pops your search result. 

But the researcher found that hackers at their peak operated 24% of the exit relays on the network, or 380, by May of this year. That’s the most control they’ve had over Tor exit relays in the last five years, the researcher said. Controlling these exit relays, hackers can remove encryption protocols on websites to see the users’ data and manipulate it. And they’re using the control to steal Bitcoin, said the researcher.

“It appears that they are primarily after cryptocurrency related websites—namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address,” said nusenu. 

While these sorts of man-in-the-middle attacks are not new, nor are they unique to the Tor browser, the scale of this particular attack is unprecedented, according to the report.

The researcher has been reporting the hackers’ misdeeds to Tor administrators since May and many were taken down on June 21. But the attacker still controls more than 10% of the exit relay nodes, said nusenu. 


The vulnerabilities come as a shock to those for whom Tor is the gold standard of anonymity for a web browser. Tor is the interface many use to access the dark web, the underbelly of the Internet that houses drug marketplaces and other illegal activity. The browser is also used by whistleblowers and journalists trying to evade surveillance. 

To fix the issue, the researcher suggests a short term solution—limiting the amount of exit relays, and a long term solution—having a certain amount of “known” operators; those may require, say, verifying email addresses or submitting physical addresses. 

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.