January 23, 2022


Thinking Security! Always

Malicious Tor Servers De-Anonymize Users

New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity.


Also referred to as the “Onion router,” Tor is perhaps the world’s best known online privacy platform, and its software and related network are supposed to protect your web browsing activity from scrutiny by hiding your IP address and encrypting your traffic. The network, which was initially launched in 2002, has experienced attacks and malicious activity before, though this recent activity appears to reveal a craftier, less obvious actor than your typical cybercriminal.

The malicious servers were dubbed “KAX17” back in 2019. After doing further research into KAX17, researchers discovered that the operator had been active on the network as far back as 2017. KAX17 appears to be running large segments of Tor’s network, potentially in the hopes of being able to track the path of specific web users and unmask them.

Tor anonymizes users’ web activity by encrypting their traffic and then routing it through a series of different nodes, also called “relays,” before it reaches its final destination and is decrypted. Node providers are not supposed to be able to view your traffic, since Tor provides encryption and each relay only assists with one of several parts of your traffic’s journey.


Since the nodes within Tor’s network are volunteer-run, you don’t have to pass any sort of background check to run one or several of them, and it’s not unheard of for bad actors to set up nodes in the hopes of attacking users for one reason or another.

The threat actor appears to be substantially better resourced than your average dark web malcontent: they have been running literally hundreds of malicious servers all over the world, activity that amounts to “running large fractions of the tor network.” With that amount of activity, the chances that a Tor user’s circuit could be traced by KAX17 are relatively high.
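To make the mechanism described above concrete, here is a toy onion-routing simulation. It is an added example, not code from the original post or from the Tor Project, and it uses a throwaway SHA-256 keystream cipher in place of Tor's real circuit cryptography; the relay names, keys and bandwidth fractions are constructed. It shows that an honest relay learns only the hop before and after it, while an operator whose relays sit at both the guard and exit positions of a circuit sees both the client and the destination, which is why an actor running a large share of the relays raises the odds of a circuit being traced.

```python
"""Toy onion-routing simulation (added example; not the post's or Tor's code).

The cipher below is a throwaway SHA-256 keystream XOR, NOT Tor's cryptography.
Relay names, keys, destinations and fractions are constructed for illustration.
"""
import hashlib
import json
import random


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || block counter).
    Because XOR is its own inverse, the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(path, keys, destination, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per relay, innermost layer for
    the exit. Each layer reveals only the next hop and an opaque inner blob."""
    hops = list(path) + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):           # exit first, guard last
        layer = json.dumps({"next": hops[i + 1], "body": blob.hex()}).encode()
        blob = keystream_xor(keys[path[i]], layer)
    return blob


def relay_process(relay, keys, previous_hop, blob):
    """One relay peels its own layer. Returns what this relay learned and the
    still-encrypted blob it forwards to the next hop."""
    layer = json.loads(keystream_xor(keys[relay], blob))
    view = {"relay": relay, "from": previous_hop, "to": layer["next"]}
    return view, bytes.fromhex(layer["body"])


def run_circuit(client, path, keys, destination, payload: bytes):
    """Push one message through the circuit; collect every relay's view."""
    blob = build_onion(path, keys, destination, payload)
    views, prev = [], client
    for relay in path:
        view, blob = relay_process(relay, keys, prev, blob)
        views.append(view)
        prev = relay
    return views, blob                               # blob is now plaintext at the exit


def can_link_ends(views, malicious) -> bool:
    """A malicious operator links client to destination only if it holds both
    the guard (sees the client) and the exit (sees the destination)."""
    return views[0]["relay"] in malicious and views[-1]["relay"] in malicious


def compromise_probability(guard_fraction: float, exit_fraction: float) -> float:
    """Simplifying assumption: guard and exit are chosen independently, so the
    chance a fresh circuit has a malicious relay at both ends is the product."""
    return guard_fraction * exit_fraction


def simulate_circuits(guards, exits, malicious, trials=10000, seed=1) -> float:
    """Monte Carlo version of compromise_probability over constructed relay pools."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials)
               if rng.choice(guards) in malicious and rng.choice(exits) in malicious)
    return hits / trials


if __name__ == "__main__":
    keys = {"guard1": b"k-guard", "middle1": b"k-middle", "exit1": b"k-exit"}  # constructed
    views, plaintext = run_circuit("client", ["guard1", "middle1", "exit1"], keys,
                                   "example.test:443", b"GET / HTTP/1.1")
    for v in views:
        print(v)                                     # each relay sees one hop only
    print(plaintext)
    print(can_link_ends(views, {"guard1", "exit1"}), can_link_ends(views, {"middle1"}))
    print(compromise_probability(0.10, 0.20))
```

The `middle1` view contains neither the client nor the destination, which is the property the post describes; the two `can_link_ends` calls show that the property fails only when one operator controls both ends of the same circuit.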

Tor’s directory authorities have apparently tried to kick KAX17 off the network multiple times. Many of the threat actor’s servers were removed by the directory authorities in October 2019. Last month, the authorities again removed a large number of relays that seemed suspicious and were tied to the threat actor.


It’s unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources.
