Tor Network relays under SSL Stripping Attack

August 20, 2020

A still-unidentified hacker or group of hackers has been continually adding new relay servers to the Tor network as part of a cyber-attack campaign on the Dark Web that uses SSL stripping to target users of the Tor browser and Tor relays.

The technique being used is known as a Man-in-the-Middle attack. In this scenario, the hackers first hijack parts of the network to take control of the internet traffic that uses the compromised exit relays. Transaction requests that use the Secure Sockets Layer protocol (HTTPS) and pass through these relays are stripped and downgraded to HTTP requests. Because the HTTP request is unencrypted, the hackers can then replace the original destination address of a Bitcoin transaction with a cryptocurrency mixing service address.

This kind of attack was discovered to have started early this year, as hackers actively tried to exploit Tor exit relays and Tor network vulnerabilities.

  • Whenever a user accesses a cryptocurrency website and the online session happens to pass through one of the compromised Tor exit relays, the threat actors can control the network traffic to their advantage
  • If the user conducts a bitcoin or any other cryptocurrency transaction, the traffic is redirected to a cryptocurrency tumbler or mixing service, which conceals the trail of the funds' origin
  • By controlling the compromised exit relays, the hackers are able to replace the destination address of the bitcoin or other cryptocurrency transaction without the owner's knowledge, which is what makes this kind of Man-in-the-Middle attack successful
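A defender-side check for the two kinds of tampering described above, as an added example that is not part of the original article: it compares a copy of a page fetched over a trusted path with the copy seen through an exit relay and reports HTTPS links downgraded to HTTP and cryptocurrency addresses that differ. The function name, the sample HTML, the `pay.example` host and both addresses are constructed for illustration.

```python
import re

# Scheme plus the rest of the URL, so the same resource can be matched across schemes.
URL_RE = re.compile(r'(https?)://([^\s"\'<>]+)')
# Loose format match for legacy (Base58) and bech32 Bitcoin addresses; no checksum validation.
BTC_RE = re.compile(r'\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')


def compare_captures(baseline_html, observed_html):
    """Return findings for a page as seen through an exit relay versus a trusted baseline copy."""
    findings = []
    base_urls = set(URL_RE.findall(baseline_html))
    obs_urls = set(URL_RE.findall(observed_html))
    # A link that was https in the baseline but only appears as http in the observed copy.
    for scheme, rest in sorted(base_urls):
        if scheme == "https" and ("https", rest) not in obs_urls and ("http", rest) in obs_urls:
            findings.append(("downgraded_link", rest))
    base_addrs = set(BTC_RE.findall(baseline_html))
    obs_addrs = set(BTC_RE.findall(observed_html))
    # Addresses the site never published, and published addresses that disappeared.
    for addr in sorted(obs_addrs - base_addrs):
        findings.append(("unexpected_address", addr))
    for addr in sorted(base_addrs - obs_addrs):
        findings.append(("missing_address", addr))
    return findings


# Constructed sample captures (not real traffic, not real wallet addresses).
BASELINE = ('<a href="https://pay.example/checkout">Pay</a> '
            '<p>Send to 1ConstructedBaseAddrAAAAAAAA</p>')
OBSERVED = ('<a href="http://pay.example/checkout">Pay</a> '
            '<p>Send to 1ConstructedSwapAddrBBBBBBBB</p>')

if __name__ == "__main__":
    for kind, value in compare_captures(BASELINE, OBSERVED):
        print(kind, value)
```
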


This attack campaign enabled the hackers to take control of almost 25% of the total 380 Tor exit relays during May 2020. Therefore, one in four transactions that pass through the hijacked exit relays can be controlled by the hackers for SSL stripping.

The Tor Network team made efforts to cut off the malicious servers upon discovery of this exploit. As of August 8, it is assumed that these unidentified hackers are still controlling 10% of the Tor network exit relays.


To this day, the Tor network lacks strict security requirements on which servers can join.


Hence, these kinds of attacks are expected to continue going forward. We advise users to keep up to date on the latest known vulnerabilities of the Tor network. Ensure that you use the latest patch of the Tor browser and up-to-date modules used by the Tor network and, finally, correctly configure your firewalls and use the best anti-malware solutions.
