Was threat actor KAX17 de-anonymizing the Tor network?

A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network. Tracked as KAX17, the threat actor at its peak ran more than 900 malicious servers in the Tor network, which typically has a daily total of up to 9,000-10,000 servers.

Tor nodes

The Tor network, as defined by the official website, is a group of volunteer-operated servers that improve the privacy and security of one’s data. Tor nodes are also referred to as routers or relays. They receive traffic on the Tor network and pass it along. A series of virtual tunnels is created between all nodes of the Tor network, and for each data transmission a random path of tunnels, known as the relay path, is chosen.

Some of these servers work as entry-guards, others as middle-relays, and yet others as exit-nodes from the Tor network. All Tor traffic passes through at least three relays before it reaches its destination.

Servers without contact information

Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.

This policy, however, is not policed very strictly, mainly to ensure there’s always a sufficiently large number of nodes. But a security researcher and Tor node operator going by Nusenu told The Record this week that they observed a pattern in some of these Tor relays with no contact information, which they first noticed in 2019 and have traced back as far as 2017.

Grouping the servers by similarities, the researcher arrived at a threat actor they named KAX17. This threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating hundreds of servers at any given point. These servers are typically located in data centers spread all over the world and are configured primarily as entry and middle points, although KAX17 also operates a small number of exit points.

The purpose

Given the number of servers run by KAX17, the calculated probability of a Tor user connecting to the Tor network through one of KAX17’s servers was 16%, with a 35% chance of passing through one of its middle relays and up to a 5% chance of exiting through one.
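How per-position figures like these can be derived, as an added example that is not from the original article or from Nusenu's analysis: it sums the selection weight a set of relays holds in each circuit position. The relay records are constructed, the group is simply "relays with empty contact information", and weighting by raw consensus weight is a simplifying assumption (Tor's real path selection applies additional position-dependent weights).

```python
# Constructed sample relays, not real consensus data.
# Fields: nickname, flags, consensus weight, contact information string.
RELAYS = [
    ("relayA", {"Guard"}, 4000, "ops@example.org"),
    ("relayB", {"Guard", "Exit"}, 6000, "noc@example.net"),
    ("relayC", {"Exit"}, 5000, "abuse@example.com"),
    ("relayD", set(), 3000, "admin@example.org"),
    ("anon1", {"Guard"}, 2000, ""),
    ("anon2", set(), 4000, ""),
    ("anon3", set(), 3000, "  "),
    ("anon4", {"Exit"}, 500, ""),
]


def eligible(flags, position):
    """Simplified eligibility: Guard flag for entry, Exit flag for exit,
    any relay for the middle position (an assumption of this example)."""
    if position == "guard":
        return "Guard" in flags
    if position == "exit":
        return "Exit" in flags
    return True


def no_contact(nickname, flags, weight, contact):
    """Group predicate: the relay publishes no contact information."""
    return not contact.strip()


def position_share(relays, in_group):
    """Return the group's share of selection weight per circuit position."""
    shares = {}
    for position in ("guard", "middle", "exit"):
        total = group = 0
        for nickname, flags, weight, contact in relays:
            if not eligible(flags, position):
                continue
            total += weight
            if in_group(nickname, flags, weight, contact):
                group += weight
        # An empty candidate pool yields 0.0 instead of a division error.
        shares[position] = group / total if total else 0.0
    return shares


if __name__ == "__main__":
    for position, share in position_share(RELAYS, no_contact).items():
        print(f"{position:6s} {share:.1%}")
```

Swapping `no_contact` for another predicate (for example, a shared hosting provider or naming pattern) measures the footprint of a different candidate grouping with the same function.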

This would give the threat actor ample opportunity to perform a Sybil attack. A Sybil attack is a type of attack on a computer network service where an attacker subverts the service’s reputation system by creating a large number of pseudonymous identities and using them to gain a disproportionately large influence. This could lead to the deanonymization of Tor users and/or onion services.

Actors performing attacks in non-exit positions are considered more advanced adversaries, because these attacks require a higher level of sophistication and are less trivial to pull off. Given that, and the cost and effort put into this operation, it is highly likely this is the work of a high-level (state-sponsored?) threat actor. As for who is behind this group, neither Nusenu nor the Tor Project wanted to speculate.

A spokesperson for the Tor Project confirmed Nusenu’s latest findings and said it had also removed a batch of KAX17 malicious relays.

“Once we got contacted, we looked through all the relays in the network and identified several hundred relays that are very likely belonging to the same group and removed them on November 8.”

Exit nodes

Other malicious actors have been known to control a large percentage of the exit nodes. These exit nodes were used in man-in-the-middle attacks to remove encryption from web traffic where possible, known as SSL stripping, primarily targeting cryptocurrency-based traffic, especially users visiting Bitcoin and cryptocurrency tumbling services. For example, the attacker can redirect the user to cryptocurrency sites featuring the attacker’s Bitcoin wallet address in the hope that the user won’t notice the difference. If the user doesn’t pay attention, they’ll send their cryptocurrency to the attacker rather than to the website or service, losing it in the process.

How to stay safe

Traffic that runs through Tor exit nodes using the standard HTTP protocol is unencrypted, which gives a malicious exit node complete access to the content.

How you can prevent this:

  • The easiest way to stay safe from bad exit nodes is not to use them. If you stay within Tor hidden services (the Dark Web), you can keep all your communications encrypted. This works well when possible, but it isn’t always practical.
  • Use end-to-end encryption. More sites than ever are using HTTPS to secure your communications, rather than the old, insecure HTTP standard.
  • Use websites and services that don’t report on your activities as a matter of course. As an example, switching from Google search to DuckDuckGo reduces your trackable data footprint.
  • Do not use any personally identifiable information. Again, not always practical, but worth limiting it as much as you can.
  • Avoid sites and services that require you to log in. After all, sending your login credentials through a malicious Tor exit node would compromise the login.
  • Use a VPN. A Virtual Private Network (VPN) keeps you safe from malicious exit nodes by continuing to encrypt your data once it leaves the Tor Network.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.