A Mysterious Threat Actor Is Running Hundreds of Malicious Tor Relays

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. The Record reports: Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network. Their role is to encrypt and anonymize user traffic as it enters and leaves the Tor network, creating a giant mesh of proxy servers that bounce connections between each other and provide the much-needed privacy that Tor users come for. Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report. However, despite this rule, servers with no contact information are often added to the Tor network, which is not strictly policed, mainly to ensure there's always a sufficiently large number of nodes to bounce and hide user traffic.

But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017. Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point. The actor's servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points. Nusenu said this is strange as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user's traffic.

KAX17's focus on Tor entry and middle relays led Nusenu to believe that the group, which he described as "non-amateur level and persistent," is trying to collect information on users connecting to the Tor network and attempting to map their routes inside it. In research published this week and shared with The Record, Nusenu said that at one point, there was a 16% chance that a Tor user would connect to the Tor network through one of KAX17's servers, a 35% chance they would pass through one of its middle relays, and up to 5% chance to exit through one. While all signs point to a nation-level and well-resourced threat actor who is behind this group, neither Nusenu nor the Tor Project wanted to speculate.

Surprised this didn’t happen sooner

[Powercntrl]

There’s very little incentive for an average person to run a Tor exit node. It eats up your bandwidth and there’s a good likelihood you’ll have to answer nastygrams from your ISP (and they’re generally not all that understanding either, since people use “..but I’m running a Tor exit node!” as a plausible deniability excuse for their own illegal actions - piracy, spam, etc.)

So yeah, naturally the network is going to have a problem with nodes run as government honeypots, since they have the resources and an agenda (de-anonymize criminals and catch ‘em). Same thing basically happened to Bitcoin - it was supposed to be a peer-to-peer network of just regular people running their machines to help secure the network, but then greed took over and now there’s really no reason (or profit) for an average person to mine Bitcoin on a single machine.

Re:

[tlhIngan]

Thereâ(TM)s very little incentive for an average person to run a Tor exit node. It eats up your bandwidth and thereâ(TM)s a good likelihood youâ(TM)ll have to answer nastygrams from your ISP (and theyâ(TM)re generally not all that understanding either, since people use âoe..but Iâ(TM)m running a Tor exit node!â as a plausible deniability excuse for their own illegal actions - piracy, spam, etc.)

Not to mention having to answer CAPTCHAs every other website because they use c

Re:

[h33t l4x0r]

Since at least 2017, a mysterious threat actor...

Sooner than at least 2017?

We will find out

[Papaspud]

all of the TOR servers are either law enforcement or government agencies, they know everything you are doing..

Re: We will find out

[NagrothAgain]

I'm guessing it's either the NSA, Interpol, China, or Russia. Whichever three it's not, most likely each have their own set of servers doing the same thing.

Re:

[Shag]

I'm guessing it's either the NSA, Interpol, China, or Russia. Whichever three it's not, most likely each have their own set of servers doing the same thing.

Given who created Tor in the first place, and what sorts of things people like to use it for, and which government agencies those people get surprise visits from, I'm not thinking NSA, but a different three-letter agency in the US government.

Re: We will find out

[Scutter]

Of course. I've always suspected the Fish and Wildlife Service. It's so obvious now that I think about it.

Re:

[Walt Dismal]

We know where you're spawning, SalmonySalmonface - we've got our eye on you.

Re:

[PPH]

Ministry of Agriculture. They denied their responsibility for Gundam [fanverse.org] as well.

Re:

[Nahor]

As long as the traffic goes through multiple non-cooperating agencies, then that's fine.That's the whole point of onion routing. Problems arise when the whole chain is controlled by only entity, which is, at least in part, what KAX17 seems to be trying.

Hmmm looks like it's a

[presidenteloco]

(N)ational (S)tate (A)ctor

Everyone knows TOR is a honeypot, right?

[Nocturrne]

No really... there are people that don't know this?

Re:

[laughingskeptic]

Seriously! Every Tor node has a motivation behind it whether it is criminal, law enforcement, government-scale anonymity, etc. My favorite current criminal example: https://therecord.media/thousa... [therecord.media] The odd mix makes it interesting.

What about Tor over VPN

[InterGuru]

Does running your Tor browser over a VPN reduce or eliminate the risk of being traced?

Re: What about Tor over VPN

[Frobnicator]

It adds an element, but typically once there is enough known traffic de-anonymizing becomes possible. If governments want to spend the resources it is not particularly expensive, likely a few hundred to a few thousand dollars, expensive in aggregate but cheap per individual as they have a comprehensive system in place.

Re:

[VeryFluffyBunny]

TOR reduces blanket surveillance. If a well enough resourced organisation or agency targets you, they can de-anonymise you easily & without you knowing so that they know who's talking to whom, when & where but not what about.

Re:

[ledow]

Depends on what the endpoints are.

The endpoint being a machine that's identifiable to you? Whoops. You're no better off. Maybe even worse-off.

VPNs don't really solve much in terms of anonymity at all. You generally have to tell someone who you are in order to get one. That person - and you - can see everything you do over the VPN.

And despite assurances from dozens of "We'll never tell anyone" VPN providers, they almost universally turn out to be either doing exactly that on the quiet anyway, usually at

Re:

[witz2]

FBI are not rocket scientists. You can see them coming from miles away.

not exit nodes?

[cstacy]

The malicious exit nodes have a different profile, so that it doesn't look like they are related. They are slightly more trouble to operate, too. Bur behind the scenes, all the entry-traverse-exit information is correlated.

Tor has been compromised for decades.

Harvesting

[witz2]

Similar projects happening for a long time: https://www.theregister.com/2017/08/25/brazilians_waxed_for_slurping_tor_addresses/ [theregister.com]

VPNs and TOR have always been honeypots

[humankind]

I've always been amused that anybody thinks a system/service designed primarily to help people hide their tracks when doing nefarious things, wouldn't be overrun by law enforcement and nation states? The notion that Tor really exists to help Chinese dissidents is a farce. It's just a front to cover criminal activity. The only safe VPN is one you set up yourself.

Re:The only safe VPN is one you set up yourself

[NotInKansas]

This is a ubiquitous piece of remarkably BAD ADVICE.

Anonymity requires a "forest". If you are running a personally set up VPN, then the only person using it is you! Tracing back through a possible list of ONE is not a difficult undertaking.

The matching recurring argument when this is pointed out is, "Oh but my VPN/VPS is using Amazon, millions of people use Amazon." That's like arguing that millions of people use the Internet. ONLY YOU are using that particular IP address. There is no forest unless others a

My guess is a country that shall remain unnamed ..

[the bluebrain]

... starts with "C" and rhymes with "hina".

Sounds a bit like Government

[BrookSmith]

Sounds a bit like Government scare mongering.