Since Jan 2020, a mysterious group of cybercriminals has succeeded in adding hundreds of servers to the Tor network, in order to perform SSL stripping attacks on the cryptocurrency community.

According to a report from an independent security researcher Nusenu, who has been monitoring this situation for a number of years.

The mysterious group is so prodigious and persistent in performing their attacks, that by May 2020 the attacks were at their peak. They managed to operate 380malicious Tor exit relays (the servers through which user traffic leaves the Tor network and then accesses the public internet), and which means every single user has a 1 out of 4 chance of being attacked from those dangerous servers.

Tor browser

After all this when alarms were raised by Tor directory authorities, the group still reportedly controls more than 10% of Tor exit relays by now.

SSL Stripping Attacks on BitCoin Community

The researcher Nusenu says the group is performing “person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays” and that they are specifically targeting those users who are accessing cryptocurrency-related websites while using Tor software or Tor Browser. And the goal of the person-in-the-middle attack is to execute “SSL stripping” attacks by downgrading the user’s web traffic from HTTPS URLs to less secure HTTP alternatives without causing TLS certificate warnings.

Simply the SSL STRIPPING ATTACK is replacing your web traffic from HTTPS-TO-HTTP without causing TLS certificate warnings. Through which the group replaces Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services and funnels all your cryptocurrency payments into their own wallets.


Bitcoin mixers services are websites which allow users to send Bitcoin from one address to another by breaking the funds into small sums and transferring them through thousands of intermediary addresses before re-joining the funds at its destination address. By replacing the destination address at the HTTP traffic level, the attackers are effectively hijacking the user’s funds without the users or the Bitcoin mixer’s knowledge.

Solution to This Whole Situation

“The full extent of their operations is still unknown, but one motivation appears to be plain and simple: profit,” Nusenu wrote over the weekend. Tor Browser reportedly lacks ability to verify new relay operators at a sufficient scale, which means there is no immediate resolution right now. However, Nusenu says some countermeasures could be implemented at this point (such as HSTS Preloading or HTTPS Everywhere).


Please enter your comment!
Please enter your name here