This has been revealed by the Tor Project itself, which states that a single person or group is controlling a significant number of exit nodes. It is estimated that around 23% of all exit nodes on the Tor network are under the control of one person or group. Traffic on the Tor network normally passes through several nodes until it reaches the exit node, which is operated by volunteers and whose IP address is the one seen by the destination website. Thanks to this, the website can never learn the origin of the traffic, because it cannot see the original IP address.
Any HTTP traffic on Tor can be intercepted by the attacker
Anyone operating an exit node can spy on the traffic passing through it. It is therefore very important that connections are encrypted with HTTPS or SSH, because if the traffic is HTTP and passes in plain text, the attacker can read all of the data. In this case, it is clear that there is a malicious attempt to spy on a large share of the traffic.
Although the first thing that comes to mind is that the FBI may be behind this, in reality it is someone trying to carry out an SSL stripping attack to spy on visitors to cryptocurrency websites. If a Bitcoin wallet address is detected in the traffic passing through the node, it is rewritten in real time to a wallet controlled by the attacker, so that the attacker receives the transactions.
The attack takes advantage of the fact that when you type a URL, the browser first tries to connect to the domain over unencrypted HTTP and is then redirected from port 80 to port 443 with HTTPS. The malicious node intercepts some of these HTTP requests and tries to prevent them from being upgraded to HTTPS and encrypted, so that it can alter the Bitcoin addresses in the data in real time.
Use HTTPS to avoid it
Luckily, we can protect ourselves from the attack using plugins such as HTTPS Everywhere to force the browser to use encryption, although this has drawbacks, such as not establishing connections to HTTP-only pages. Websites can also use HSTS preloading, but many do not. Therefore, if we are not careful, our traffic may end up passing unencrypted through these attackers' nodes.
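As an added example (not code from the original article or from the Tor Project), the following Python script checks whether a site's own responses close the downgrade window the attack relies on: the cleartext port-80 request must redirect to HTTPS, and the HTTPS response must carry a Strict-Transport-Security header that meets the preload list's requirements (max-age of at least one year, includeSubDomains and preload). The two sample exchanges are constructed, not captured from any real site.

```python
from dataclasses import dataclass, field

# The public HSTS preload list requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)


def parse_hsts(value):
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(http_response, https_response):
    """Return findings that leave a downgrade window; [] means preload-ready."""
    findings = []
    # 1. A plain HTTP request must be answered with a redirect to an https:// URL.
    location = http_response.headers.get("Location", "")
    if http_response.status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("port-80 request is not redirected to HTTPS")
    # 2. HSTS must be sent on the HTTPS response; browsers ignore it over plain HTTP.
    hsts = https_response.headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
        return findings
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below preload minimum {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("missing includeSubDomains directive")
    if "preload" not in directives:
        findings.append("missing preload directive")
    return findings


# Constructed sample exchanges: (response to http://host/, response to https://host/).
WEAK = (Response(200), Response(200, {"Strict-Transport-Security": "max-age=300"}))
HARDENED = (Response(301, {"Location": "https://example.com/"}),
            Response(200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
```

A site that passes every check can be submitted to the preload list, which removes the first-visit HTTP request that the malicious exit nodes intercept; a site with findings still exposes that first request.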
The attack began in early 2020, when someone came to control 25% of the exit nodes. It was detected in May, and the nodes were removed from the Tor directory. However, in June the attackers returned with 22% of the nodes and were taken down again. Days later, they returned with 20% of the nodes.
The Tor Project has confirmed that it has been fighting these attacks for months and, despite having blocked them twice, is overwhelmed by the situation due to a lack of staff, having laid off a third of its employees because of the coronavirus and funding problems. As a result, there are not enough people to guarantee that the network is completely secure.
The group is currently considering solutions such as blocking all HTTP traffic. In the longer term, it is working on a system that minimizes the use of untrusted nodes. In the meantime, it is recommended that you use HTTPS Everywhere to avoid being spied on.