‘Poisoned’ Tor Browser tracks Chinese users’ online history, location

Attackers modified the popular anonymity-enabling Tor browser to track users in China and record browsing history, researchers said.
Jackie Niam/Getty Images

A modified version of the Tor Browser collected sensitive data on Chinese users since at least March, maybe as early as January, that included browsing history, form data, computer name and location, user name and MAC addresses of network adapters, researchers with the cybersecurity firm Kaspersky said Tuesday.

A video posted on a Chinese-language YouTube channel included a link to the malicious version of the Tor Browser installer. The channel has more than 180,000 subscribers, and the video has been viewed more than 64,000 times, Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings published Tuesday.

A YouTube account uploaded the video in January 2022 and Kaspersky researchers began seeing victims in their data in March after noticing clusters of malicious Tor installer downloads.

The researchers dubbed the campaign “OnionPoison,” a reference to the multi-step onion routing that gives the legitimate Tor Browser, originally developed by the U.S. Naval Research Lab, both its name (“The Onion Router”) and its typical degree of anonymity.


The malicious installer loads a version of Tor that includes a spyware library designed to collect the personal data and sends it to the attacker-controlled server, the researchers said, and can also give attackers the ability to execute shell commands on victims’ machines.

Isabela Fernandes, executive director of the nonprofit Tor Project, told CyberScoop that the organization deployed a patch on Tuesday.

“Basically this ‘poisoned’ Tor Browser modifies the update URL so it cannot be updated normally,” she said. “What we did was to add a redirect so we are responding to the modified URL, this way people will update. Now their URL is a working update URL.”

It’s not clear who was behind the campaign, the researchers said, but it clearly targeted at Chinese users. The command and control server checks IP addresses and will only send malware to Chinese IPs, they said. Additionally, the video description includes a valid Tor Browser link, but since the Tor website is blocked in China, users are more likely to click on the link that directs them to a downloadable file hosted on a third-party Chinese cloud sharing site.

Screenshot of the video that includes the malicious Tor Browser download link (Kaspersky)

Interestingly, the modified browser does not automatically collect user passwords, cookies, or wallets, the researchers said, instead focusing on browsing history, social network account IDs and Wi-Fi networks.

“The attackers can search the exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities,” the researchers wrote.

Modified Tor versions have been deployed in past by cybercriminals and nation-state hackers. In 2019, researchers with the Slovakian-based cybersecurity company ESET reported a version designed to steal cryptocurrency from Russian-speaking people. In another instance, nearly 10 years ago, hackers linked to Russia deployed malware known as OnionDuke using Tor exit nodes.

The FBI has also been accused of working with contractors and potentially university students to modify or unmask Tor users (the latter claim the FBI ambiguously denied at the time).

The researchers said the best way to avoid OnionPoison is to download Tor from the official website or, if that’s not possible, to check digital the digital signature if it’s from a third-party site.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts