What is the issue?
Researchers from ESET have observed a trojanized version of the Tor Browser that steals bitcoins from darknet market users. Using this malicious Tor Browser, attackers have stolen 4.8 bitcoin from three darknet markets, which is worth over US$ 40,000.
The big picture
This malicious Tor Browser has been distributed via two fake websites that claim to distribute the official Russian language version of the Tor Browser.
“Your anonymity is in danger!
WARNING: Your Tor Browser is outdated
Click the button “Update”,” the English translation of the message read.
Researchers noted that both the websites– tor-browser[.]org and torproect[.]org – were created in 2014.
More details about the Tor Browser
Researchers stated that this fully-functional trojanized Tor Browser is based on Tor Browser 7.5, which was released in January 2018.
This campaign has targeted the three largest Russian-speaking darknet markets by modifying QIWI (a popular Russian money transfer service) or bitcoin wallets located on the pages of these markets.
Therefore, once a victim visits the any of these darknet market pages to add funds to the account directly using bitcoin payment, the trojanized Tor Browser automatically swaps the original address to the address controlled by the attackers.
The total amount of received funds for all three wallets is 4.8 bitcoin, which is worth over US$40,000.
“This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years,” researchers concluded.