Threat Actor Attempting to Mass Decrypt Tor Users’ Info

Published · Dec 07, 2021

A threat actor, labeled KAX17, has been running thousands of malicious servers on the Tor network. The Tor Project routinely identifies and removes them, only for more to appear in their place. The Record spoke to a number of specialists about the ongoing situation.

Users can access the Tor network via the free Tor browser. It’s essentially a network of servers that bounce people around to mask their activity, enabling anonymous browsing.

While its effect is similar to that of a good VPN service, it isn’t as secure. Plus, it can require some tinkering. 

The KAX17 servers have numbered as many as 900 at a time. The Tor network is usually made up of between 9,000 and 10,000 servers on any given day. According to Nusenu, the researcher who first identified the problem, this meant there was at one point a 35% chance that a user's traffic would pass through a malicious server while using Tor.

Nusenu first identified these servers in 2019 and traced their existence back to at least 2017. Most of the servers are apparently configured as entry (guard) and middle points, with a small number configured as exit points.
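To make the "chance of passing through a malicious server" figure concrete, here is an added example (not code from the article, from Nusenu, or from the Tor Project) that estimates how often a three-hop Tor circuit would touch one operator's relays. The relay list is constructed for illustration; the positions, flags and weights are simplified stand-ins for the real consensus, and the model assumes each hop is chosen independently, ignoring Tor's family and subnet exclusions. It reports the share by relay count and by consensus weight, since Tor picks relays in proportion to bandwidth weight rather than uniformly, which is why a count-based estimate and a weight-based estimate differ (the article's 35% figure is not reproduced here; it depends on the real consensus at the time).

```python
"""Estimate the share of Tor circuit positions held by one relay operator.

Constructed example data; not real relays, weights or operator labels.
Simplifications: a relay with the Guard flag is guard-eligible, a relay with
the Exit flag is exit-eligible, and every relay is middle-eligible. Real Tor
path selection also applies position-specific weight adjustments and
excludes relays in the same family or /16 from one circuit.
"""

# (nickname, consensus flags, consensus weight, operator label)
# "suspect" marks the relays attributed to the operator cluster under study.
RELAYS = [
    ("h1", {"Guard", "Exit"}, 10000, "honest"),
    ("h2", {"Guard"},         10000, "honest"),
    ("h3", {"Guard"},         10000, "honest"),
    ("h4", set(),             10000, "honest"),
    ("h5", set(),             10000, "honest"),
    ("h6", {"Exit"},          10000, "honest"),
    ("h7", set(),             10000, "honest"),
    ("h8", set(),             10000, "honest"),
    ("s1", {"Guard"},         15000, "suspect"),  # above-average weight
    ("s2", set(),             15000, "suspect"),
]

# Flag a relay needs to be eligible for each hop (None = any relay).
POSITION_FLAG = {"guard": "Guard", "middle": None, "exit": "Exit"}


def eligible(relay, position):
    """True if the relay can be used in the given circuit position."""
    flag = POSITION_FLAG[position]
    return flag is None or flag in relay[1]


def share(relays, position, operator, by="weight"):
    """Fraction of a position held by `operator`.

    by="count": each eligible relay counts once (naive estimate).
    by="weight": each relay counts by its consensus weight, which is
    closer to how Tor actually chooses relays.
    """
    total = held = 0
    for relay in relays:
        if not eligible(relay, position):
            continue
        value = relay[2] if by == "weight" else 1
        total += value
        if relay[3] == operator:
            held += value
    return held / total if total else 0.0


def circuit_compromise_probability(per_hop_fractions):
    """Probability that at least one hop of a circuit lands on the operator,
    treating hop selections as independent events."""
    p_clean = 1.0
    for fraction in per_hop_fractions:
        if not 0.0 <= fraction <= 1.0:
            raise ValueError("hop fraction must be between 0 and 1")
        p_clean *= 1.0 - fraction
    return 1.0 - p_clean


def report(relays, operator):
    """Per-position shares and the any-hop probability, by count and by weight."""
    result = {}
    for by in ("count", "weight"):
        hops = {pos: share(relays, pos, operator, by)
                for pos in ("guard", "middle", "exit")}
        hops["any_hop"] = circuit_compromise_probability(hops.values())
        result[by] = hops
    return result


if __name__ == "__main__":
    for by, hops in report(RELAYS, "suspect").items():
        print(f"by {by}:")
        for pos, value in hops.items():
            print(f"  {pos:8s} {value:6.1%}")
```

In the constructed sample the suspect operator runs 2 of 10 relays, but because those relays carry more weight than average, its weighted share of the guard and middle positions (and the resulting any-hop probability) comes out higher than the count-based estimate. That is the same effect the article's figures reflect: what matters for a user's exposure is how much of the consensus weight an operator holds in each position, not how many relays it runs.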

Dr. Neal Krawetz, a researcher studying the Tor network, told The Record that the purpose of these servers is probably to “decloak” users. This would expose their identity to the threat actor.

Questions Leading to Questions

Nusenu finds it strange that the threat actor is focusing on entry and middle points rather than exit points.

Cybercriminals normally choose exit points because those allow them to hijack credentials. For example, they can change Bitcoin wallet addresses to redirect payments.

It appears that the threat actor is trying to collect information on Tor users and map their routes through the network. For now, no one knows why.

A spokesperson from Tor confirmed that the service has removed hundreds of these servers over the past year. However, more replace them.

Neither Nusenu nor the Tor representatives The Record spoke to would go so far as to speculate who may be behind this. Research is ongoing.

Luckily, while the Tor Project works on the problem, users can rely on other methods to protect themselves. For example, they can mask their activity with commercially available proxy servers or VPN services.

Garan van Rensburg

Garan is a writer interested in how tech reshapes the environment, and how the environment reshapes tech. You'll usually find him inoculating against future shock and arguing with bots.