Those who don’t understand much about the field of cryptocurrencies blame themselves for not buying a couple of bitcoins when they were worth a few thousand dollars. Now this cryptocurrency rises by $4,000 a day, and other cryptocurrencies are rising as well: recently, Ethereum broke the $4,000 mark, hitting a record high. In short, cryptocurrency is a buzzword now. But this also means threat actors are thinking of new ways to attack cryptocurrency systems. In 2020, cryptocurrency-related financial crime amounted to nearly $10.5 billion, and over two-thirds of that (67.8%) was taken through fraud and scams.
As you understand, to attack such systems threat actors need to use anonymity networks. Some people use anonymity networks to safeguard their online privacy; others use them for quite different purposes. Among many similar approaches, Tor is currently the most popular anonymity network because it provides anonymity to both users and services.
But there are two sides to the coin. Many use the anonymity provided by Tor for hosting illegal sites that sell drugs, hosting command and control servers for botnets, and distributing censored content. As you can guess, it is also an attractive vantage point for attacking cryptocurrency users.
How Are Tor Networks Used In Crypto Crime?
Using the Tor network, a threat actor has been adding malicious servers (exit relays) to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites. SSL stripping means downgrading traffic from an encrypted HTTPS connection to plaintext HTTP, which the relay can then read and modify.
This approach allowed them to replace cryptocurrency addresses in the pages with their own and hijack transactions for their own profit.
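The defensive counterpart to the stripping described above is to make sure a site never lets a downgraded first request stand: a permanent redirect to https:// plus a strong Strict-Transport-Security (HSTS) policy. The checker below is an added example, not code from the original post or from the Tor Project; the response headers it inspects are constructed samples, and the domain is hypothetical.

```python
"""Assess how well a site's HTTP/HTTPS responses resist SSL stripping.

Added example. The sample responses are constructed, not captured from any real site.
"""
import re
from urllib.parse import urlparse

# Constructed samples: (status code, headers) of a plain-HTTP fetch, and headers of an HTTPS fetch.
WEAK_HTTP = (302, {"Location": "http://www.example-exchange.test/"})   # hypothetical domain
GOOD_HTTP = (301, {"Location": "https://example-exchange.test/"})
WEAK_HTTPS = {"Content-Type": "text/html"}                               # no HSTS at all
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        m = re.fullmatch(r'max-age="?(\d+)"?', directive)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy


def assess(http_status, http_headers, https_headers, min_age=15552000):
    """Return a list of findings; an empty list means the site resists a stripping exit relay."""
    findings = []
    # 1. The plain-HTTP endpoint must permanently redirect to https://, never to another http:// URL.
    location = http_headers.get("Location", "")
    if http_status not in (301, 308) or urlparse(location).scheme != "https":
        findings.append("plain-HTTP request is not permanently redirected to https://")
    # 2. Once a browser has seen HSTS over HTTPS, it refuses plaintext for that host for max-age seconds,
    #    so a later downgraded connection through a malicious exit fails instead of succeeding.
    hsts = https_headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: visits are never pinned to HTTPS")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None or policy["max_age"] < min_age:
        findings.append("HSTS max-age missing or shorter than %d seconds" % min_age)
    if not policy["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains: subdomains can still be stripped")
    if not policy["preload"]:
        findings.append("HSTS lacks preload: the very first visit can still be stripped")
    return findings
```

HSTS only protects a browser that has already seen the header over a genuine HTTPS connection; the preload directive (with submission to the browser preload list) is what closes the first-visit window a malicious exit relay exploits.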
However, this is nothing new. As The Record explains, “despite having their operations publicly exposed, the threat actor continued their attacks, which are still ongoing.” Although the malicious relays were removed from the Tor network each time (there seem to have been two waves of attacks), the threat actor managed to intercept Tor traffic for a long time.
To stay under the radar, they added malicious exit relays in small increments, which let them amass infrastructure over time. Earlier this month the attackers departed from this method; we guess this is related to their infrastructure being taken down. Quite recently, however, researchers spotted the attack again. This time it increased the Tor network’s exit capacity from around its usual 1,500 exit relays to more than 2,500, so it could not be ignored or remain unnoticed.
Of course, there were corresponding countermeasures, and more than 1,000 servers were taken down. But the attacker still controls between 4% and 6% of the entire Tor network’s exit capacity.
Interestingly, in 2020 the Tor Project released a set of recommendations with instructions on how website operators and Tor Browser users could protect themselves against these types of attacks. But it turns out that not many follow them.