In brief

  • An unknown hacker has been adding thousands of malicious servers to the Tor Network since early 2020.
  • Acting as "exit relays," the nodes are pinpointing and modifying users' data to steal their cryptocurrencies, a new report suggested.

Users of the anonymity-focused Tor Network are at risk of losing their cryptocurrencies to a continuous large-scale cyberattack that was launched in early 2020, new data suggests.

According to a report published by cybersecurity researcher and Tor node operator Nusenu yesterday, an unidentified hacker has been adding thousands of malicious servers to the Tor network since as early as January 2020. Despite being shut down several times, the attacker continues to track and intercept users’ crypto-related data to this day.

Exploiting demand for anonymity

Tor is free and open-source software that allows users to anonymize their Internet traffic by sending it through a network of servers operated by volunteers. In order to take advantage of this system, the hacker has been adding their own malicious nodes, marked as “exit relays,” to the network.


“In May 2020 we found a group of Tor exit relays that were messing with exit traffic. Specifically, they left almost all exit traffic alone, and they intercepted connections to a small number of cryptocurrency exchange websites,” Tor developers revealed last August.

As the name suggests, Tor exit relays are responsible for sending users’ requests back into the “normal” Internet after they have been anonymized. However, the hacker made some adjustments to the code that allowed him to pinpoint crypto-related traffic and modify it before sending it out.

The Tor Project explained that these servers stopped websites from redirecting visitors to more secure HTTPS versions of their platforms. If users didn’t notice, and continued to send or receive sensitive information, it could have been intercepted by the attacker.

It is believed that the hacker is using their servers to switch crypto addresses in transaction requests made by users and redirect their cryptocurrencies to their own wallets. The hacker recently also began modifying downloads made through Tor, but it is unclear to what end or what other techniques they might be using.

Long game of whack-a-mole

Over the past 16 months, the hacker’s servers have been shut down by Tor developers at least three times already, Nusenu explained. Notably, the malicious nodes accounted for roughly a quarter of the Tor network’s exit capacity on several occasions, peaking at 27% in February 2021.


Recently, the hacker even turned all of their servers on suddenly, boosting the network’s exit capacity from roughly 1,500 relays to 2,500. Such a sharp increase did not go unnoticed, however, and the malicious relays were removed.

However, the hacker is constantly rebuilding their network. By Nusenu’s estimations, up to 10% or even more of Tor’s exit relay capacity could still be controlled by the attacker to this day.

“The reoccurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed,” Nusenu concluded.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.