An unknown threat actor has been discovered running thousands of malicious Tor relay servers to unmask Tor users. The group, tracked as KAX17, is believed to be active since 2017.

What has happened?

KAX17 was found running relay servers in different positions, such as entry, middle, and exit nodes, within the Tor network.
  • Researchers have recently removed at least 900 servers used by the group between October and November to hover around a daily total of up to 9,000-10,000.
  • Controlling these relays allows its operators to find out which website the user is connected to. Further, if a user is using an insecure connection, the traffic may be manipulated.
  • Most of the Tor relay servers used by the KAX17 group were located in data centers worldwide and were configured as entry and middle points.

Additional insights

  • In August 2020, a security researcher (who uses the moniker Nusenu) had revealed that for the first time a threat actor managed to control 23% of the entire Tor network’s exit nodes.
  • The same researcher has discovered a recurrence of the event and grouped these targeted servers under KAX17.
  • The group has regularly added servers with no contact details to the Tor network in industrial quantities.
  • The chance to connect a guard relay (entry node) operated by KAX17 was around 16% but it increases up to 35% probability when passing through one of the middle relays set up by the threat group. The group, however, operates with a small number of exit points.

Ending notes

The recent findings show how anonymous networks meant to be private can be attacked as well. However, the findings were shared with the Tor Project and all the exit relays set up in October 2020 were removed. Additionally, malicious relays set up between October and November were also deleted.
Cyware Publisher