Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.

The Record reports: Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers that were part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network. Their role is to encrypt and anonymize user traffic as it enters and leaves the Tor network, creating a giant mesh of proxy servers that bounce connections between each other and provide the much-needed privacy that Tor users come for.

Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report. However, despite this rule, servers with no contact information are often added to the Tor network, which is not strictly policed, mainly to ensure there's always a sufficiently large number of nodes to bounce and hide user traffic.

But a security researcher and Tor node operator going by Nusenu told The Record this week that he observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017. Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.

The actor's servers are typically located in data centers spread all over the world and are configured primarily as entry and middle points, although KAX17 also operates a small number of exit points. Nusenu said this is strange, as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user's traffic. KAX17's focus on Tor entry and middle relays led Nusenu to believe that the group, which he described as "non-amateur level and persistent," is trying to collect information on users connecting to the Tor network and attempting to map their routes inside it.

In research published this week and shared with The Record, Nusenu said that at one point there was a 16% chance that a Tor user would connect to the Tor network through one of KAX17's servers, a 35% chance they would pass through one of its middle relays, and up to a 5% chance to exit through one. While all signs point to a nation-level and well-resourced threat actor being behind this group, neither Nusenu nor the Tor Project wanted to speculate.

Dark web horror stories are quickly becoming the norm. Whenever you start trawling through the web pages, it's not uncommon to find a whole universe of odd interests, dead websites, and miscellaneous data that make up most of the world wide web. However, anyone familiar with the Tor project will tell you that the deep web is also an anonymous realm where cybercriminals congregate to engage in illegal activities like arms dealing, illicit drug smuggling, human trafficking, child pornography and even hiring hitmen. But the people behind the Tor Project didn't develop the browser to enable crime. Instead, the project aims to advance freedoms and human rights with its free and open-source anonymity and privacy browser, for example by getting around China's great firewall.

The Tor browser works by routing all your web traffic through the Tor network, anonymizing it. It does this by connecting randomly to publicly listed entry nodes, bouncing web traffic through a randomly selected middle relay, and then sending the traffic out through a third and final exit node.

But no one really knows how big the dark web is. This hidden subset of the deep web can't be accessed through a standard web browser like Firefox or Chrome. Dark websites only accessible through a Tor browser are estimated to be around 5% of the entire internet. While that might sound like only a tiny part of the internet, it's enormous when you consider the internet as a whole. In 2020, the onset of the pandemic and work-from-home initiatives helped make cyber-attacks the fifth top-rated risk globally.
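A defender-side check in the spirit of the contact-information rule and the per-position chances reported above, written as an added example for this page rather than code from The Record, Nusenu, or the Tor Project: given relay records shaped like Tor network-status entries (constructed here, not real relays), it flags relays that publish no ContactInfo and estimates the share of guard, middle and exit selection weight they hold. It assumes the simplified model that a client picks a relay for a position with probability proportional to its consensus weight among relays eligible for that position; real Tor clients apply further bandwidth-weight factors, so the figures are approximations.

```python
# Added example (not from the article, Nusenu, or the Tor Project).
# Flags relays with no ContactInfo and estimates, per circuit position, the
# share of selection weight they hold (assumption: weight-proportional choice).
from dataclasses import dataclass, field

@dataclass
class Relay:
    nickname: str
    weight: int                 # consensus weight from the network status
    flags: set = field(default_factory=set)  # e.g. {"Guard", "Exit", "Running"}
    contact: str = ""           # ContactInfo line; empty means none published

# Constructed sample relays, not real network data.
RELAYS = [
    Relay("guardA", 5000, {"Guard", "Running"}, "admin@example.org"),
    Relay("guardB", 3000, {"Guard", "Running"}, ""),
    Relay("middleC", 2000, {"Running"}, "ops@example.net"),
    Relay("middleD", 2000, {"Running"}, ""),
    Relay("exitE", 4000, {"Exit", "Running"}, "abuse@example.com"),
    Relay("exitF", 1000, {"Exit", "Running"}, ""),
]

def eligible(relay, position):
    # A relay must be Running; guards need the Guard flag, exits the Exit flag.
    if "Running" not in relay.flags:
        return False
    if position == "guard":
        return "Guard" in relay.flags
    if position == "exit":
        return "Exit" in relay.flags
    return True  # any running relay can act as a middle hop

def no_contact(relay):
    # The warning sign from the article: the operator published no contact info.
    return not relay.contact.strip()

def no_contact_share(relays, position):
    """Fraction of the position's total weight held by no-contact relays."""
    pool = [r for r in relays if eligible(r, position)]
    total = sum(r.weight for r in pool)
    if total == 0:
        return 0.0
    return sum(r.weight for r in pool if no_contact(r)) / total

def report(relays):
    """Per-position share, rounded, e.g. {'guard': 0.375, ...}."""
    return {p: round(no_contact_share(relays, p), 4) for p in ("guard", "middle", "exit")}

if __name__ == "__main__":
    print(report(RELAYS))
```

Run against a real consensus, a spike in any of these shares from relays that also share hosting or configuration details is the kind of signal that motivated the research above; the numbers here are for the constructed sample only.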