Someone Is Running Hundreds of Malicious Servers on Tor Network

New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. As first reported by The Record, the activity would appear to be emanating from one particular user who is persistent, sophisticated, and somehow has the resources to run droves of high-bandwidth servers for years on end.


The malicious servers were initially spotted by a security researcher who goes by the pseudonym “nusenu” and who operates their own node on the Tor network. On their Medium, nusenu writes that they first uncovered evidence of the threat actor—which they have dubbed “KAX17”—back in 2019. After doing further research into KAX17, they discovered that they had been active on the network as far back as 2017.

In essence, KAX appears to be running large segments of Tor’s network—potentially in the hopes of being able to track the path of specific web users and unmask them.


in the case of KAX17, the threat actor appears to be substantially better resourced than your average dark web malcontent: they have been running literally hundreds of malicious servers all over the world—activity that amounts to “running large fractions of the tor network,” nusenu writes. With that amount of activity, the chances that a Tor user’s circuit could be traced by KAX is relatively high, the researcher shows.

Indeed, according to nusenu’s research, KAX at one point had so many servers—some 900—that you had a 16 percent likelihood of using their relay as a first “hop” (i.e., node in your circuit) when you logged onto Tor. You had a 35 percent chance of using one of their relays during your 2nd “hop,” and a 5 percent chance of using them as an exit relay, nusenu writes.

There’s also evidence that the threat actor engaged in Tor forum discussions, during which they seem to have lobbied against administrative actions that would have removed their servers from the network.


Many of the threat actor’s servers were removed by the Tor directory authorities in October 2019. Then, just last month, authorities again removed a large number of relays that seemed suspicious and were tied to the threat actor. However, in both cases, the actor seems to have immediately bounced back and begun reconstituting, nusenu writes.

It’s unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources. “We have no evidence, that they are actually performing de-anonymization attacks, but they are in a position to do so,” nusenu writes. “The fact that someone runs such a large network fraction of relays…is enough to ring all kinds of alarm bells.”

“Their actions and motives are not well understood,” nusenu added.

Source: Someone Is Running Hundreds of Malicious Servers on Tor Network

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft