The hackers have introduced hundreds of malicious exit relays (servers through which user traffic is funnelled before reaching the public internet) to the Tor network since January 2020.
These exit relays allow the cybercriminal group to perform SSL stripping attacks, bypassing HTTPS security controls.
“They perform person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays,” Nusenu explains. “They (selectively) remove HTTP-to-HTTPS redirects to gain full access to plain unencrypted HTTP traffic without causing TLS certificate warnings.”
The hackers use this technique to target users of bitcoin mixing services, which let cryptocurrency holders obscure the link between the sender and recipient of a transaction.
By replacing the recipient wallet address in unsecured HTTP traffic, the hackers are able to funnel cryptocurrency into their own wallets.
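The redirect removal described above leaves a recognisable trace: a site that normally answers a plain-HTTP request with a 301/302 to its `https://` address instead returns a `200 OK` with page content. The following Python snippet is an added illustration (not code from the article or from Nusenu's report) of how a monitor could flag that condition from raw HTTP responses. The two sample responses and the host names in it are constructed for the example; `assess` and `scan` are hypothetical helpers, and the check assumes the operator already knows which hosts are expected to redirect to HTTPS.

```python
"""Flag HTTP responses that should have redirected to HTTPS but did not.

Added example: parses raw HTTP/1.1 responses and reports whether the
HTTP-to-HTTPS redirect is present, whether HSTS is advertised, and
whether the response looks like a stripped (plaintext) page.
"""
from dataclasses import dataclass

REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Verdict:
    host: str
    status: int
    redirects_to_https: bool
    hsts_present: bool
    suspicious: bool
    reason: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess(host: str, raw: str, expect_https: bool = True) -> Verdict:
    """Classify one plain-HTTP response for a host expected to redirect to HTTPS."""
    status, headers, _body = parse_response(raw)
    location = headers.get("location", "")
    redirects = status in REDIRECT_CODES and location.lower().startswith("https://")
    hsts = "strict-transport-security" in headers
    if redirects:
        return Verdict(host, status, True, hsts, False, "HTTP-to-HTTPS redirect present")
    if expect_https and status == 200:
        # A plaintext page where a redirect was expected is the SSL-stripping signature.
        return Verdict(host, status, False, hsts, True,
                       "plaintext 200 where an HTTPS redirect was expected")
    return Verdict(host, status, False, hsts, False, "no HTTPS redirect expected")


def scan(responses: dict) -> list:
    """Return the hosts whose responses look stripped."""
    return [assess(h, r).host for h, r in responses.items() if assess(h, r).suspicious]


# Constructed sample responses (not captured traffic).
NORMAL_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://mixer.example/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Length: 0\r\n\r\n"
)
STRIPPED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 58\r\n\r\n"
    "<html><body>Send funds to: <b>WALLET-PLACEHOLDER</b></body></html>"
)

if __name__ == "__main__":
    samples = {"mixer.example": NORMAL_RESPONSE, "stripped.example": STRIPPED_RESPONSE}
    for host, raw in samples.items():
        print(assess(host, raw))
    print("suspicious hosts:", scan(samples))
```

Only a host that is already known to serve HTTPS should be judged this way; for an unknown host a plaintext 200 is not evidence of anything. A browser that has previously seen the `Strict-Transport-Security` header (or has the site on the HSTS preload list) never issues the plain-HTTP request in the first place, which is why HSTS is the practical mitigation for this class of attack.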
According to the report, the attackers still control a tenth of all Tor nodes today, despite repeated attempts to eliminate malicious exit relays from the network.