A malicious Tor browser is helping scammers steal bitcoin, researchers say

The attacks comes as the Tor Project is trying to enhance trust in the anonymity browser.
Tor Browser, dark web, onion router
(Tor logo wia Wikicommons/Image by Greg Otto)

Thieves are using malware that masquerades as Tor, the anonymizing internet browser, to steal money from Russian-speaking people on the dark web, researchers said Friday.

The operation uncovered by researchers at Slovakian cybersecurity company ESET has netted the unidentified attackers some $40,000 in bitcoin so far, but the amount could be larger.

“They likely stole more in Qiwi,” said Robert Lipovsky, a senior malware researcher at ESET, referring to a Russian payment service.

The insidious attack is a reminder that hackers can upend the privacy and security users expect from software by tricking them into downloading malicious code. Tor is used by everyone from human rights defenders and journalists to criminals trying to hide activities like drug sales and child pornography from law enforcement. This effort, only the latest malicious operation exploiting users who rely on the software, comes as the Tor Project is seeking to spread awareness about Tor, and increase trust in the notoriously unreliable technology.


In this case, the attackers were after a number of Russian-speaking users.

“It was not targeted against known, specific people,” Lipovsky said. “It was opportunistic, but targeted dark net shoppers, people searching for keywords regarding drugs, cryptocurrencies [and] also censorship bypass or Russian opposition politicians.”

The hackers are duping victims by using two websites. The first claims a user’s version of Tor is outdated. Upon clicking, the user is redirected to a second site that triggers a Windows installer to download the malware.

Instead of altering the Tor browser’s binary components, attackers are changing settings to the browser and its HTTPS Everywhere extension. That bit of stealth has let them go unnoticed for years, according to ESET. The domains first appeared in 2014.

“Non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one,” said Anton Cherepanov, another senior malware researcher at ESET.


ESET said it couldn’t determine who was responsible.

“We will send trademark takedown notices to the domains, and we will be adding information to our user support site about identifying these types of scams,” a spokesperson for the Tor Project said in a statement. “As always, it is important for everyone downloading our software, or any software, to ensure it comes from official sources.”

Silas Cutler, reverse engineering lead at Chronicle, said the activity was unusual in that most attacks involving Tor he has studied are focused on the actual Tor infrastructure, with the goal of de-anonymizing the user.

“There’s something unique about attacks where operators are able to exploit a trusted tool — simply by making distinct changes, without heavy-handedly adding malware or backdoors that could be detected by antivirus or [endpoint detection and response] software,” Cutler told CyberScoop.

The criminals are attracting attention. Their accounts on Pastebin, a text-storage site, have been viewed more than a half million times, according to ESET.


One measure of the attackers’ ambition: the JavaScript payload they are using has been spotted on three of the biggest Russian-speaking dark web forums, researchers said.

This story has been updated to include a comment from the Tor Project.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts