Someone Is Running Hundreds of Malicious Servers on the Tor Network and Might Be De-Anonymizing Users



New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and reveal their web activity. The activity is thought to be coming from an actor with the resources to run droves of high-bandwidth servers for years.

Tor, short for "The Onion Router," is the best-known online privacy platform; it is supposed to protect your web browsing activity from scrutiny by hiding your IP address and encrypting your traffic. The network, which was launched in 2002, has experienced attacks and malicious activity before, though this recent activity appears to reveal a craftier, less obvious actor than your typical cybercriminal.

The malicious servers were spotted by a security researcher who goes by the name nusenu and who operates their own relay on the Tor network. nusenu writes on their Medium blog that they first found evidence of the threat actor back in 2019, and that the actor had already been on the network for a long time by then.

The actor, which nusenu dubbed KAX17, appears to be running large segments of the network in the hopes of being able to track the path of specific web users.

Understanding this requires a quick primer on how Tor works. Users are anonymized by a method called onion routing: their traffic is wrapped in layers of encryption and then sent through a series of volunteer-run "relays" before it reaches its final destination. Because each relay sees only one hop of the journey, no single relay operator can see both who you are and what you are visiting.

It is not uncommon for bad actors to set up relays in the hopes of attacking users, and since the network is volunteer-run, you don't have to pass a background check to run one.

In the case of KAX17, the threat actor appears to be better resourced than your average dark web malcontent, as they have been running hundreds of malicious servers all over the world. The researcher shows that, with that amount of capacity, the chance of a user's circuit passing through KAX17 relays is relatively high.

KAX17 had so many servers that you had a 16 percent chance of using one of their relays as your first hop when you connected to the network. You had a 35 percent chance of using one of their relays as your second (middle) hop, and a 5 percent chance of using one of them as your exit relay.
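The following is an added illustration, not part of the article or of nusenu's analysis, of why those per-hop percentages matter. It takes the article's three figures (16, 35 and 5 percent) and turns them into the probabilities a defender actually cares about: the chance that a circuit touches the operator at all, and the chance that the operator holds both the first hop and the exit, which is the position from which traffic correlation can link a client to a destination. It assumes each hop is an independent draw, which simplifies real Tor path selection (clients pin a guard for months, so the first-hop figure is really the chance that a given client picked one of the operator's guards); a second model below accounts for that pinning. The comparison operator `SMALL_OPERATOR` is a constructed example, not a figure from the page.

```python
"""Relay share -> circuit exposure, using the figures quoted in the article.

Assumptions (not from the article): hops are chosen independently per circuit
in the `per_circuit` model; the `pinned_guard` model fixes one guard per client.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayShare:
    """Fraction of selection probability an operator holds in each position."""
    guard: float   # first hop
    middle: float  # second hop
    exit: float    # last hop


# Figures from the article: 16% first hop, 35% middle, 5% exit.
KAX17 = RelayShare(guard=0.16, middle=0.35, exit=0.05)
# Constructed comparison value: a modest volunteer operator (not from the page).
SMALL_OPERATOR = RelayShare(guard=0.01, middle=0.01, exit=0.01)


def p_any_hop(share: RelayShare) -> float:
    """Chance that at least one of the three relays in a circuit is the operator's.

    This is the 'how often do I touch them at all' figure; it is alarming but,
    on its own, a middle relay sees neither the client IP nor the destination.
    """
    return 1.0 - (1.0 - share.guard) * (1.0 - share.middle) * (1.0 - share.exit)


def p_end_to_end(share: RelayShare) -> float:
    """Chance that one circuit has the operator at BOTH guard and exit.

    Only this combination lets an operator correlate entry traffic (client IP)
    with exit traffic (destination). Note the middle share plays no part.
    """
    return share.guard * share.exit


def p_end_to_end_per_circuit_model(share: RelayShare, circuits: int) -> float:
    """Independent-hops model: chance at least one of `circuits` is bracketed."""
    return 1.0 - (1.0 - p_end_to_end(share)) ** circuits


def p_end_to_end_pinned_guard_model(share: RelayShare, circuits: int) -> float:
    """Guard-pinning model: the client keeps one guard; only exits vary.

    A client whose pinned guard is NOT the operator's is never bracketed, no
    matter how many circuits it builds; a client whose guard IS the operator's
    is bracketed as soon as any circuit picks one of the operator's exits.
    """
    p_some_exit = 1.0 - (1.0 - share.exit) ** circuits
    return share.guard * p_some_exit


def exposure_report(share: RelayShare, circuits: int = 100) -> dict:
    """Collect the figures for one operator in a dict (handy for printing/tests)."""
    return {
        "any_hop": p_any_hop(share),
        "end_to_end_single_circuit": p_end_to_end(share),
        "end_to_end_independent_model": p_end_to_end_per_circuit_model(share, circuits),
        "end_to_end_pinned_guard_model": p_end_to_end_pinned_guard_model(share, circuits),
    }


if __name__ == "__main__":
    for name, share in (("KAX17 (article figures)", KAX17),
                        ("constructed 1% operator", SMALL_OPERATOR)):
        print(name)
        for key, value in exposure_report(share).items():
            print(f"  {key:32s} {value:7.3%}")
```

The point the numbers make: a single circuit is fully bracketed by KAX17 only about 0.8 percent of the time, but because a client builds many circuits, the guard-pinning model says roughly one client in six (those that landed on a KAX17 guard) ends up bracketed on at least one circuit within a hundred circuits, while the 35 percent middle share contributes nothing to end-to-end correlation. That is why relay operators and the Tor Project watch guard and exit concentration, rather than raw relay counts.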

There is evidence that the threat actor was involved in discussions about the removal of their servers from the network.

KAX17 has apparently been kicked off the network multiple times. The threat actor's servers were removed by the network's directory authorities, and last month the authorities removed another large batch of relays tied to the actor. After each removal, the actor seems to have bounced back and begun reconstituting.

Whoever they are, they have a lot of resources, and it is not clear who is behind all this. We have no evidence that they are actually carrying out de-anonymization attacks, but they are in a position to do so. The fact that someone runs such a large fraction of the network's relays is enough to alarm people.

Their actions and motives are not well understood.

We will update this story if the Tor Project responds to our inquiry.