According to recent research, someone has been running hundreds of malicious servers on the Tor network. These servers have been running for quite a while, possibly to de-anonymize users and reveal their identities. Above all, this particular operator appears to have been running these servers for years.
As first reported by The Record, the culprit is determined and has the resources to keep this many high-bandwidth servers running for several years. The malicious servers ran in the entry, middle, and exit positions of the Tor network in order to de-anonymize users.
Invading the Tor network
Tor is the world’s most renowned online privacy platform, and it has experienced attacks before. However, this unusual attack appears to have been running for quite a while. A security researcher known as “nusenu” first spotted the attack and named it “KAX17” in 2019.
It appears that the KAX17 threat has been active on the network since 2017. To clarify, KAX17 has been running large parts of Tor’s network in the hope of being able to track user activity. To understand why that matters, a refresher on how Tor works helps.
Tor anonymizes users’ activity by encrypting outgoing traffic and then routing it through a series of relays, or nodes. The node operators should not be able to inspect the traffic, since Tor encrypts it. However, anyone can run a node and become a node operator, and on paper there is no risk in doing so. The individual or group behind KAX17 has approximately 900 servers running on the Tor network in an attempt to unmask user identities.
With that many servers running, they would surely see a significant amount of traffic, and it might be possible for them to intercept it. According to nusenu’s research, if you connected to Tor there was a 16% chance that your first relay (or node) was theirs, a 35% chance that your middle relay was, and a 5% chance that your exit relay was.
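The following is an added example, not part of the article or of nusenu's own tooling, showing how a defender would estimate the positional share of one operator's relays from a constructed consensus-style relay list, and what a guard share and an exit share imply for a client's exposure. The relay list, the operator label and the bandwidth figures are all constructed; the share calculation is a simplification (Tor's real path selection applies further bandwidth weights).

```python
# Added example (constructed data, simplified model), not the article's or
# nusenu's code. Estimates how much of each relay position one operator's
# relays could account for and what that implies for a Tor client.

# Constructed sample relays: (nickname, operator, bandwidth in Mbit/s, flags).
# "kax-like" is a hypothetical label for the operator under analysis.
RELAYS = [
    ("alpha", "kax-like", 20, {"Guard"}),
    ("beta",  "kax-like", 10, {"Guard", "Exit"}),
    ("gamma", "kax-like", 30, set()),            # middle-only relay
    ("delta", "other",    40, {"Guard"}),
    ("eps",   "other",    60, {"Exit"}),
    ("zeta",  "other",    20, set()),
    ("eta",   "other",    30, {"Guard", "Exit"}),
]


def position_shares(relays, operator):
    """Fraction of guard, middle and exit bandwidth run by `operator`.
    Simplification: share = operator bandwidth / total bandwidth of relays
    eligible for that position (any relay can serve as a middle hop)."""
    eligible = {
        "guard":  lambda flags: "Guard" in flags,
        "middle": lambda flags: True,
        "exit":   lambda flags: "Exit" in flags,
    }
    shares = {}
    for position, ok in eligible.items():
        total = sum(bw for _, _, bw, flags in relays if ok(flags))
        mine = sum(bw for _, op, bw, flags in relays
                   if ok(flags) and op == operator)
        shares[position] = mine / total if total else 0.0
    return shares


def circuit_exposure(guard_share, exit_share, circuits=1):
    """Probability that a client lands on the operator's guard AND uses one
    of the operator's exits in at least one of `circuits` circuits.
    Tor keeps the same guard for a long time, so the guard draw happens
    once; the exit is re-chosen per circuit (independence assumed)."""
    return guard_share * (1 - (1 - exit_share) ** circuits)


if __name__ == "__main__":
    print(position_shares(RELAYS, "kax-like"))
    # Using the article's reported 16% guard and 5% exit shares:
    print(circuit_exposure(0.16, 0.05))             # single circuit
    print(circuit_exposure(0.16, 0.05, circuits=10))  # ten circuits
```

The second call illustrates why a sticky guard matters: a client that happens to pick the operator's guard keeps it, so every new circuit is another chance for the same operator to also hold the exit.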
Despite this, the Tor administrators tried to remove KAX17 from the network several times and succeeded to an extent in 2019. However, the threat bounced back almost immediately. Whoever is behind this attempt to de-anonymize the Tor network clearly has access to a great deal of resources.