Servers of anonymous browsing network Tor designed to hack sites

The internet anonymity service Tor has some bad actors among its volunteer servers set to hack dark net websites.  

Northeastern University professor Guevara Noubir and his graduate student Amirali Sanatinia found that many of the volunteer-run servers making up the Tor network are designed to hack the anonymous sites that connect to it.

More than 95 percent of Tor traffic is used to browse websites such as Facebook and Twitter, and the anonymity it provides allows citizens of oppressive regimes to visit sites that would otherwise be tracked, lets abuse victims use the internet without revealing their location and helps privacy-minded individuals feel more secure. The Department of State, the Defense Advanced Research Projects Agency (DARPA) and the governments of Germany and Sweden have all funded Tor for such reasons.

But the other 5 percent of traffic on Tor goes to hidden sites that are not accessible from normal web browsers. Hidden sites enjoy the same anonymity as Tor browsers and can range from news outlets in countries not supportive of an open press to criminal enterprises, including child pornography, drug sales and hackers for hire.

Noubir and Sanatinia found more than 100 of the network’s “exit nodes” were designed to not only store data but to contact the server again to either scan it for vulnerabilities or attack it.  

The Tor network is composed of 10,000 volunteer servers that bounce data off of each other in ways that make it difficult to track. Around 3,500 are exit nodes, serving as the last link in the chain and connecting directly with the website. 

None of these volunteers are supposed to retain any identifying information on the sites contacted or data transmitted, though Noubir’s and Sanatinia’s findings prove otherwise.

They set up thousands of fake hidden sites on Tor that were never accessed by any users. Only the two researchers and the exit nodes they connected to knew the internet addresses of the fake sites. But they found those sites were either scanned for vulnerabilities or attacked outright soon after connecting to the exit nodes.

The timing of the attacks ranged from immediate to a two-week delay – long enough to try and divert suspicion away from the exit nodes, but quick enough to guarantee the site would still be there.

“Many dark net sites go away quickly. There is an incentive to attack as soon as possible,” Noubir said. 

It is unclear who operates the corrupt exit nodes. It could be hackers looking for victims, governments looking to quash activists or law enforcement looking to crack down on criminal markets. The FBI, for example, recently hacked a wide assortment of computers using Tor to break up a child pornography ring.

Hidden sites make ideal targets for any kind of attack, Noubir said. 

“If someone set up a hidden server, they cannot report a hacker because if they did, it would reveal the location and existence of the hidden server,” he said.

Noubir also said such attacks might be a sign of other bad activity the Northeastern group was not checking for.

“To do this, they needed to modify the code for exit nodes. They are familiar with the code and sophisticated enough to modify it – they could be doing something worse,” he warned.

But it is hard to tell who the attackers are, Noubir said, because so many Tor nodes are set up on cloud accounts. Thus, anyone who has an account with Amazon or Alibaba’s cloud services might be behind the attacks.

Noubir and Sanatinia will present the details at the hacker research conference DEF CON next month.

