An unknown threat actor managed to control more than 27% of the entire Tor network exit capacity in early February 2021, a study revealed .The entity attacking Tor users is actively exploiting tor users since over a year and expanded the scale of their attacks to a new record level.

Tor is open-source software for enabling anonymous communication on the Internet. It obfuscates the source and destination of a web request by directing network traffic through a series of relays in order to mask a user’s IP address and location and usage from surveillance or traffic analysis. While middle relays typically take care of receiving traffic on the Tor network and pass it along, an exit relay is the final node that Tor traffic passes through before it reaches its destination.

Exit nodes on the Tor network have been subverted in the past to inject malware such as OnionDuke, but this is the first time a single unidentified actor has managed to control such a large fraction of Tor exit nodes.

The main purpose of the attack, is to carry “person-in-the-middle” attacks on Tor users by manipulating traffic as it flows through its network of exit relays. The attacker appears to perform what’s called SSL stripping to downgrade traffic heading to Bitcoin mixer services from HTTPS to HTTP in an attempt to replace bitcoin addresses and redirect transactions to their wallets instead of the user-provided bitcoin address.

If a user visited the HTTP version of one of these sites, they would prevent the site from redirecting the user to the HTTPS version of the site.If the user didn’t notice that they hadn’t ended up on the HTTPS version of the site and proceeded to send or receive sensitive information, this information could be intercepted by the attacker.

To mitigate such attacks, the Tor Project outlined a number of recommendations, including urging website administrators to enable HTTPS by default and deploy .onion sites to avoid exit nodes, adding it’s working on a “comprehensive fix” to disable plain HTTP in Tor Browser.

An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls.