Since Jan 2020, a mysterious group of cybercriminals has succeeded in adding hundreds of servers to the Tor network, in order to perform SSL stripping attacks on the cryptocurrency community.

According to a report from an independent security researcher Nusenu, who has been monitoring this situation for a number of years.

The mysterious group is so prodigious and persistent in performing their attacks, that by May 2020 the attacks were at their peak. They managed to operate 380malicious Tor exit relays (the servers through which user traffic leaves the Tor network and then accesses the public internet), and which means every single user has a 1 out of 4 chance of being attacked from those dangerous servers.

Tor browser

After all this when alarms were raised by Tor directory authorities, the group still reportedly controls more than 10% of Tor exit relays by now.

SSL Stripping Attacks on BitCoin Community

The researcher Nusenu says the group is performing “person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays” and that they are specifically targeting those users who are accessing cryptocurrency-related websites while using Tor software or Tor Browser. And the goal of the person-in-the-middle attack is to execute “SSL stripping” attacks by downgrading the user’s web traffic from HTTPS URLs to less secure HTTP alternatives without causing TLS certificate warnings.

Simply the SSL STRIPPING ATTACK is replacing your web traffic from HTTPS-TO-HTTP without causing TLS certificate warnings. Through which the group replaces Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services and funnels all your cryptocurrency payments into their own wallets.


Bitcoin mixers services are websites which allow users to send Bitcoin from one address to another by breaking the funds into small sums and transferring them through thousands of intermediary addresses before re-joining the funds at its destination address. By replacing the destination address at the HTTP traffic level, the attackers are effectively hijacking the user’s funds without the users or the Bitcoin mixer’s knowledge.

Solution to This Whole Situation

“The full extent of their operations is still unknown, but one motivation appears to be plain and simple: profit,” Nusenu wrote over the weekend. Tor Browser reportedly lacks ability to verify new relay operators at a sufficient scale, which means there is no immediate resolution right now. However, Nusenu says some countermeasures could be implemented at this point (such as HSTS Preloading or HTTPS Everywhere).

Previous articleNvidia announces the 1st of September GeForce event with RTX 3080 rumors abound
Next articleHow Video games can teach children Data science
The heavy Sniper, Kshitij is the marksman of the team Craffic. He joined the team in 2018 and his continuous hard work and dedication to the work has made his precision in work unmatched. Kshitij has experience in editing the work of others to foster stronger bonds with fellow authors and working together to improve each other's work.


Please enter your comment!
Please enter your name here