Date: 2021-12-04

A mysterious individual or group, christened ‘KAX17’, has spent the last four years connecting malicious servers to the Tor network, turning them into nodes of it (entry, middle and exit), at a time when this network is running short of the bridges used to bypass censorship.

And according to cybersecurity experts, all the indications so far point towards KAX17’s mission being to deanonymize Tor users.





At its peak, KAX17 kept a total of up to 900 nodes active and connected to the Tor network, a quite considerable figure if we take into account that the daily average of online nodes in Tor is around 9,000-10,000.

That is to say, up to 10% of Tor nodes were in the hands of a malicious actor and had not yet been identified; at the time, there was a 16% chance that a Tor user would connect to the network through one of the KAX17 servers… and a 35% chance that their traffic would pass through one of its middle nodes.

In the words of expert Neal Krawetz to The Record, this high presence of servers can be used

“to identify hidden services, also to reveal the identity of the users, especially if there is a means to trace the middle node, such as the monitoring of common public services.”

Even so, after the removal of all exit nodes had been announced in October 2020, it was only a month ago that those responsible for the Tor Project said they had removed ‘hundreds of servers’ linked to KAX17 from the network, after the cybersecurity researcher ‘Nusenu’ reported the reappearance of KAX17 on his blog.





What do we know about KAX17?

Neither Nusenu nor the Tor Project wants to speculate on the identity of whoever is behind KAX17: “We are still investigating,” a spokesperson for the Tor Project clarified yesterday. The Record, however, maintains that

“All signs point to a well-resourced, national-level threat actor who can afford to rent hundreds of high-bandwidth servers around the world with no financial return”.

Nevertheless, Nusenu maintains that KAX17 made at least one operational security error: reusing the same e-mail address both in the configuration of the nodes and when signing up for the Tor mailing list, where in the debates he came to position himself in favor of the suppression of his own servers.

Nusenu has also ruled out that what lies behind this malicious individual or actor is nothing more than academic research into ‘Sybil attacks’, a technique known to be able to de-anonymize Tor traffic under certain conditions.

As he argues, academic researchers usually plan their work as limited in time (but KAX17 has been active since 2017), they don’t immediately replace removed nodes with new ones… and, in general, they don’t need to resort to tactics like these, because the Tor Project and the research community are usually pretty well connected to each other.
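The operational security error described above, one e-mail address reused across node configurations, is a signal a defender can search relay metadata for. The following is an added example, not code from the article, Nusenu or the Tor Project: it groups relay records by the e-mail address in their contact field, reports groups that have not declared a mutual family, and sums each group's guard and middle selection probability. It assumes records shaped like Onionoo details documents (`contact`, `effective_family`, `guard_probability`, `middle_probability`); every relay in the sample is constructed.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def contact_key(contact):
    """Reduce a ContactInfo string to a lower-case e-mail address, or None."""
    text = (contact or "").lower()
    text = re.sub(r"\s*[\[(]at[\])]\s*", "@", text)   # undo "[at]" / "(at)"
    text = re.sub(r"\s*[\[(]dot[\])]\s*", ".", text)  # undo "[dot]" / "(dot)"
    match = EMAIL_RE.search(text)
    return match.group(0) if match else None

def undeclared_clusters(relays, min_size=2):
    """Group relays by contact address; report groups with no mutual family."""
    groups = defaultdict(list)
    for r in relays:
        key = contact_key(r.get("contact"))
        if key:
            groups[key].append(r)
    findings = []
    for key, members in groups.items():
        fps = {r["fingerprint"] for r in members}
        # effective_family: mutually declared relatives (assumed "$"-prefixed).
        declared = all(fps <= {f.lstrip("$") for f in r["effective_family"]}
                       for r in members)
        if len(members) >= min_size and not declared:
            findings.append({
                "contact": key,
                "relays": sorted(r["nickname"] for r in members),
                "guard_share": round(sum(r["guard_probability"] for r in members), 4),
                "middle_share": round(sum(r["middle_probability"] for r in members), 4),
            })
    return sorted(findings, key=lambda f: f["guard_share"], reverse=True)

def relay(nick, fp, contact, family, guard, middle):
    return dict(nickname=nick, fingerprint=fp, contact=contact,
                effective_family=family, guard_probability=guard, middle_probability=middle)

# Constructed sample: names, fingerprints, addresses and probabilities are invented.
A, B, C, D, E, F = ("%040X" % n for n in range(1, 7))
SAMPLE = [
    relay("r1", A, "ops@relayfarm.example", ["$" + A], 0.05, 0.10),
    relay("r2", B, "Ops <ops[at]relayfarm[dot]example>", ["$" + B], 0.06, 0.15),
    relay("r3", C, "OPS@RelayFarm.example", ["$" + C], 0.05, 0.10),
    relay("r4", D, "admin@honest.example", ["$" + D, "$" + E], 0.01, 0.01),
    relay("r5", E, "admin@honest.example", ["$" + D, "$" + E], 0.01, 0.01),
    relay("r6", F, None, ["$" + F], 0.02, 0.02),
]
print(undeclared_clusters(SAMPLE))
```

Relays that publish no contact address at all, like `r6` here, fall outside this check and need other grouping signals.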

