CryptoMode Tor Exit Nodes Bitcoin Rewrite

Over the years, there have been numerous incidents involving Bitcoin and cybercriminals. One recent attack, however, could have had far more serious consequences. Nearly a quarter of all Tor exit nodes were under cybercriminals’ control.

Tor Remains a Target

It is not the first time cybercriminals go after Tor exit nodes. In most cases, they aim to redirect users to a different website and commit phishing. Other times, they will try to get users to download malicious software. In this particular case, the objective was to perform SSL stripping attacks on Bitcoin users. Generating a profit from cryptocurrency has always been alluring for criminals. 

To put this in perspective, a security report surfaced last weekend. In the report, researcher Nusenu confirms Tor exit nodes are being controlled by a malicious entity. At one point, they managed 380 of these nodes. Thankfully, the Tor team quickly intervened, although the threat is far from over. It is expected that nearly 10% of all Tor exit nodes are still controlled by this group. 

What makes this incident interesting is how the criminals go after cryptocurrency websites. Their objective is to perform a man-in-the-middle attack and use “SSL stripping”. A downgrade in web traffic from HTTPS to HTTP should not be underestimated. It is very nefarious, and can yield many unfavorable outcomes. 

Surprisingly, the group is not interested in exchanges or online wallet services. Instead, they go after Bitcoin mixing services. Through the SSL stripping attack, they can replace the Bitcoin deposit address. This results in a loss of funds for the user, and a tarnished reputation for the mixing service. 

Succeeding Remains Difficult

While this method of attack seems ingenious, it’s a risky endeavor. Rewriting a Bitcoin address on a website has been done before. In fact, it has proven to be incredibly successful during the early years. Today, however, most people are aware of how important SSL security is. Experienced users will immediately leave the downgraded site. 

That being said, the scope of this attack is staggering. Controlling, at the peak, over 23% of all Tor exit nodes is incredibly worrisome. While this is no longer the case today, roughly 10% of all nodes remain compromised. It is unclear if this is done by node owners themselves, or achieved through other means. 

Thwarting this attack in full won’t be easy either. Tor’s protocol is not designed to “screen” new users joining the network. Changing this narrative, at least for exit nodes, has almost become a necessity. Otherwise, criminals will keep abusing this privacy solution. 


Looking to advertise? We will gladly help spread the word about your project, company, or service. CryptoMode produces high quality content for cryptocurrency companies. We have provided brand exposure for dozens of companies to date, and you can be one of them. All of our clients appreciate our value/pricing ratio. Contact us if you have any questions: [email protected]