New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. As first reported by The Record, the activity would appear to be emanating from one sophisticated and persistent user, who somehow has the resources to run droves of high-bandwidth servers for years on end.
Also referred to as the “Onion router,” Tor is perhaps the world’s best known online privacy platform, and its software and related network are supposed to protect your web browsing activity from scrutiny by hiding your IP address and encrypting your traffic. The network, which was initially launched in 2002, has experienced attacks and malicious activity before, though this recent activity appears to reveal a craftier, less obvious actor than your typical cybercriminal.
The malicious servers were initially spotted by a security researcher who goes by the pseudonym “nusenu” and who operates their own node on the Tor network. On their Medium, nusenu writes that they first uncovered evidence of the threat actor—which they have dubbed “KAX17”—back in 2019. After doing further research into KAX17, they discovered that they had been active on the network as far back as 2017.
In essence, KAX appears to be running large segments of Tor’s network—potentially in the hopes of being able to track the path of specific web users and unmask them.
Understanding this requires a quick refresher on how Tor works. Tor anonymizes users’ web activity by encrypting their traffic and then routing it through a series of different nodes—also called “relays”—before it reaches its final destination and is unencrypted. Node-providers are not supposed to be able to view your traffic, since Tor provides encryption and they are only assisting with one of several parts of your traffic’s journey (also called a “circuit”).
However, since the nodes within Tor’s network are volunteer-run, you don’t have to pass any sort of background check to run one—or several—of them, and it’s not unheard of for bad actors to set up nodes in the hopes of attacking users for one reason or another.
However, in the case of KAX17, the threat actor appears to be substantially better resourced than your average dark web malcontent: they have been running literally hundreds of malicious servers all over the world—activity that amounts to “running large fractions of the tor network,” nusenu writes. With that amount of activity, the chances that a Tor user’s circuit could be traced by KAX is relatively high, the researcher shows.
Indeed, according to nusenu’s research, KAX at one point had so many servers—some 900—that you had a 16 percent likelihood of using their relay as a first “hop” (i.e., node in your circuit) when you logged onto Tor. You had a 35 percent chance of using one of their relays during your 2nd “hop,” and a 5 percent chance of using them as an exit relay, nusenu writes.
There’s also evidence that the threat actor engaged in Tor forum discussions, during which they seem to have lobbied against administrative actions that would have removed their servers from the network.
Despite this, Tor authorities have apparently tried to kick KAX17 off the network multiple times. Many of the threat actor’s servers were removed by the Tor directory authorities in October 2019. Then, just last month, authorities again removed a large number of relays that seemed suspicious and were tied to the threat actor. However, in both cases, the actor seems to have immediately bounced back and begun reconstituting, nusenu writes.
It’s unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources. “We have no evidence, that they are actually performing de-anonymization attacks, but they are in a position to do so,” nusenu writes. “The fact that someone runs such a large network fraction of relays...is enough to ring all kinds of alarm bells.”
“Their actions and motives are not well understood,” nusenu added.
We reached out to the Tor Project for comment on this story and will update it if they respond.