How Hackers Abused Tor To Rob Blockchain, Steal Bitcoin, Target Private Email And Get Away With It

This article is more than 9 years old.

Across October and November of last year, some unlucky users of the world’s most popular Bitcoin wallet, Blockchain.info, and one of the better-known exchanges, LocalBitcoins, had their usernames and passwords silently pilfered. They were robbed of significant sums, probably tens of thousands of dollars worth of the virtual currency, possibly more. Security-focused email services Riseup and Safe-mail were also targeted by the same crew. And according to the man who witnessed the attacks go off last year, Digital Assurance director Greg Jones, it looks like buyers and sellers of dark markets were the targets.

The attackers used a tried-and-tested method to begin with, setting up a number of malicious exit relays on Tor. Legitimate exit relays act as the final jump from the anonymising Tor network, which loops users through a number of randomly-chosen servers across the world to protect their identity, onto the clear web. But anyone running a malicious exit relay can use a downgrade technique known as SSL stripping: the relay removes the protection of the Secure Sockets Layer (the encryption signalled by the HTTPS prefix of a web address) and serves the user plain HTTP instead, so it can intercept and alter the traffic passing through it. Alternatively, the relay can present its own fake SSL certificate for the site so the connection appears normal, though that relies on a gullible user who ignores the Tor Browser certificate warning.

Though the Tor Project, the non-profit tasked with maintaining Tor, and the network's users are all too familiar with and continually try to block these evil relays, it's a game of whack-a-mole knocking them out of action. That's partly why the attackers were able to carry out theft over a two-month period.

There's some contention over what Jones claims the criminals did to optimise their attacks. According to Jones, as Blockchain.info and LocalBitcoins rely on the hugely popular CloudFlare service to blacklist and whitelist bad exit nodes, the hackers decided to have the sites block legitimate ones. They did this by flooding the Tor network with malicious-looking traffic and then pumping up the bandwidth on their own servers, he says. As Tor gives preference to the best-performing nodes, and because many were now out of action, connections to CloudFlare-protected sites that would otherwise have gone through good relays were instead routed through the attackers' own machines, Jones added.

"For periods during late October and much of November it was very difficult if not impossible to get to Blockchain through Tor without hitting 'New Identity' in Tor several times," he said. “Of the 1000 or so exit relays, the biggest 100 probably carry 90 per cent of the traffic. The attackers managed to blacklist most of the top 100 exit relays - thus most of the Tor exit capacity - with regard to Blockchain and CloudFlare. Because they were running pretty fast bad exit relays they were able to become the only sizeable exit nodes that weren't blacklisted.”

Both Blockchain and LocalBitcoins believe this is likely what happened. "We did notice it quite soon after it started. It was rather easy to identify that Tor was involved since the users who got their accounts hacked were using Tor. We rather quickly started to discourage the use of Tor due to these caveats (CloudFlare, etc.)," said Nikolaus Kangas, vice president at LocalBitcoins.

Blockchain security engineer and founder of the Open Bitcoin Privacy Project Kristov Atlas told Forbes that during his own independent research last year he had seen a jump in malicious activity on Tor across October and November. He also noticed a rise in bad traffic hitting exit nodes, chiming with Jones' claims of abuse of CloudFlare security. “[It] seemed to be a period where SSL strip attacks against the blockchain.info domain were heating up. As an independent researcher, I received a few reports from Blockchain users who claimed to lose funds during this period and it seemed likely based on their habits that SSL strip attacks via Tor were used as a method of credential theft,” he added.

Yet CloudFlare was unable to say whether or not this occurred. The company doesn't maintain a log of blacklisted Tor relays and there are no records that prove CloudFlare was abused in such a way, even if Jones is "100 per cent certain" it happened. Either way, this kind of Denial of Service attack is a legitimate way to increase the chance of intercepting Tor connections. "It's definitely possible to trigger a DDoS [Distributed Denial of Service] condition on Tor for websites that use CloudFlare protections," added Atlas.

Jones was able to monitor what was happening thanks to scripts his team created to monitor access to the Bitcoin and email services, “and a dozen other related sites” commonly used by dark market operators, through all the top 250 exit relays (there are just over 1,000 exit nodes currently operating, out of around 6,500 Tor relays - the servers used to divert users’ traffic to hide their original IP address). “We have been running that for quite a while so get to see pretty quickly when a bad relay comes up, which is how we saw the significant uptick in activity October and November. We determined that most of the exit relays were hosted in Benelux countries and Russia, probably operated by the same group,” said Jones.

It’s impossible to pin a precise number on just how much the attackers pilfered. Throughout their operating period, there were scores of complaints about epic Blockchain account thefts. One forum post indicated a hacker had made off with 106 BTC, the equivalent of $25,261, in just six days by hitting a Blockchain wallet. One in November pointed to a 63 Bitcoin theft. If another forum member’s assertions were right about one of the Bitcoin addresses used by an attacker, they acquired at least 210 Bitcoin, roughly $50,000. Other reports of Blockchain thefts pointed to a Bitcoin address that was only active in October. Whoever owned that address brought in 775 Bitcoin, worth $183,104 today, in just 11 transactions over four days.

There’s no proof those addresses were used by the hackers whom Jones saw abusing Tor. They may relate to separate attacks. They may be totally legitimate transactions. But the timings and the forum posts match up with the attacks detailed, and some suspiciously short-lived Bitcoin addresses appear to have received significant funds from unhappy Blockchain users.

Kangas, of LocalBitcoins, said the number of affected users who suffered losses was somewhere between 10 and 20 (again, no records were kept on losses and this is from Kangas' memory). "I guess the number of users who got credentials stolen but did not suffer financial losses was much bigger... The total amount of losses in Bitcoin was quite modest, since usually users who have bigger amounts of Bitcoins are using our provided security features, which can prevent this kind of attack."

Attacks on dark market dealers

In tracking the hackers' bad exit nodes, Jones also claimed he saw attempts to pilfer login credentials to Riseup and Safe-mail, email services popular amongst those keen to protect their privacy. A member of the Riseup collective (they like to maintain their anonymity) told Forbes the organisation hadn't noticed anything particularly egregious over October and November. Attacks on Riseup users are fairly frequent, they added.

In October, there were at least four malicious relays detected by Riseup, which acts as a directory authority - a body that tells Tor users' PCs or phones which nodes make up the Tor network. Two of those malicious servers were attempting to intercept traffic by stripping SSL encryption, another was injecting JavaScript code into people's website visits, likely forming part of another attack, and one more was replacing files. Such attacks are common across Tor, the Riseup member said over Jabber messaging.
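The three kinds of tampering Riseup describes (SSL stripping, script injection, file replacement) are exactly what a monitoring script of the sort Jones' team ran against the top exit relays has to recognise. The following is an added example, not code from the article, from Digital Assurance or from Riseup: it compares a response fetched through the exit under test with a reference fetch of the same URL made over a trusted path, and labels any difference that matches one of those attack patterns. All hostnames and response bodies are constructed for the example, and the `Response` record, `classify_exit` and `demo_scenarios` names are this example's own.

```python
"""Classify a response relayed by a Tor exit by comparing it with a trusted fetch.

Added example (not the article's or Digital Assurance's code). Assumes the
monitoring harness has already fetched the URL twice: once via a trusted path
(the reference) and once via the exit relay under test (the observed copy).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Response:
    """Minimal record of one HTTP fetch (constructed for this example)."""
    status: int
    headers: Dict[str, str]
    body: bytes

    def header(self, name: str) -> str:
        # Header names are case-insensitive; return "" when absent.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


SCRIPT_TAG_RE = re.compile(rb"<script\b", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(rb"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
HTTPS_URL_RE = re.compile(rb"https://[\w.\-/]+", re.IGNORECASE)


def classify_exit(reference: Response, observed: Response) -> List[str]:
    """Return finding labels; an empty list means the exit relayed the response unchanged."""
    findings: List[str] = []

    # (1) SSL stripping: the site answers plain HTTP with a redirect to https://;
    # a stripping exit swallows that redirect and serves the page over HTTP.
    ref_loc, obs_loc = reference.header("Location"), observed.header("Location")
    if ref_loc.startswith("https://") and not obs_loc.startswith("https://"):
        findings.append("ssl-strip: redirect to HTTPS removed")

    # (2) The other half of stripping: absolute https:// links rewritten to http://.
    for url in sorted(set(HTTPS_URL_RE.findall(reference.body))):
        downgraded = b"http://" + url[len(b"https://"):]
        if url not in observed.body and downgraded in observed.body:
            findings.append("ssl-strip: link downgraded " + url.decode())
            break

    # (3) HSTS header dropped so returning browsers will not auto-upgrade.
    if reference.header("Strict-Transport-Security") and not observed.header("Strict-Transport-Security"):
        findings.append("ssl-strip: HSTS header removed")

    # (4) Script injection: more <script> tags, or script sources, than the reference has.
    ref_srcs = set(SCRIPT_SRC_RE.findall(reference.body))
    obs_srcs = set(SCRIPT_SRC_RE.findall(observed.body))
    more_tags = len(SCRIPT_TAG_RE.findall(observed.body)) > len(SCRIPT_TAG_RE.findall(reference.body))
    if more_tags or (obs_srcs - ref_srcs):
        findings.append("js-injection: script not present in reference")

    # (5) File replacement: for non-HTML bodies (downloads, archives) compare digests.
    ctype = reference.header("Content-Type").lower()
    if ctype and not ctype.startswith("text/html"):
        if hashlib.sha256(reference.body).digest() != hashlib.sha256(observed.body).digest():
            findings.append("file-replacement: body digest differs")

    return findings


def demo_scenarios() -> Dict[str, List[str]]:
    """Run the classifier over constructed reference/observed pairs."""
    html = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
    page = (b'<a href="https://example.invalid/wallet">Wallet</a>'
            b'<script src="https://example.invalid/app.js"></script>')
    clean = Response(200, html, page)

    # Clean exit: the observed copy is byte-for-byte the reference.
    # Stripping exit: reference is a redirect to https://, observed is a plain-HTTP login form.
    redirect = Response(301, {"Location": "https://example.invalid/login"}, b"")
    stripped = Response(200, {"Content-Type": "text/html"},
                        b'<form action="http://example.invalid/login" method="post"></form>')
    # Link-rewriting exit: https link downgraded and HSTS header removed.
    downgraded = Response(200, {"Content-Type": "text/html"},
                          page.replace(b"https://example.invalid/wallet", b"http://example.invalid/wallet"))
    # Injecting exit: an extra script tag appended to the page.
    injected = Response(200, html, page + b'<script src="http://injected.invalid/x.js"></script>')
    # File-replacing exit: a download body altered in transit.
    binary = {"Content-Type": "application/octet-stream"}
    original = Response(200, binary, b"installer-v1")
    replaced = Response(200, binary, b"installer-v1-altered")

    return {
        "clean": classify_exit(clean, clean),
        "stripped": classify_exit(redirect, stripped),
        "downgraded": classify_exit(clean, downgraded),
        "js-injected": classify_exit(clean, injected),
        "replaced-file": classify_exit(original, replaced),
    }


if __name__ == "__main__":
    for name, findings in demo_scenarios().items():
        print(f"{name}: {findings or 'no tampering detected'}")
```

The reference fetch has to come from a path the operator trusts (a direct connection, or an exit already known to be clean) and should be taken close in time to the observed fetch, since legitimate sites change their pages and rotate script versions; a digest mismatch on a dynamic HTML page is therefore not treated as a finding on its own, only on non-HTML bodies.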

Jones believes the hacker crew went after those email and Bitcoin services to rob users of dark markets selling drugs, weapons and other items that are illegal to sell in many countries. Silk Road was the most infamous until its demise, but many have filled the void, the Evolution market being the most profitable. "My opinion is that they were targeting market users, buyers and sellers," Jones added.

Safe-mail, which is believed to be the main email service used by dark market dealers, had not responded to a request for comment.

The bad relay problem

Outside of highlighting a potential issue with CloudFlare protection, the attackers tracked by Jones have also shone a light on the persistent problem of malicious exit relays. CloudFlare head of security research Marc Rogers said his company sees a lot of malicious traffic coming from Tor exit nodes, while Roger Dingledine, one of the original developers of Tor and Tor Project director, noted the "BadExit" flag was placed on 24 relays in early January because they were carrying out so-called "man-in-the-middle" attacks on Blockchain.info users. It's evidently a continuing issue, one without an apparent solution other than blocking nodes as soon as they're deemed malicious. It's a cat and mouse game. Jones said the number of malicious relays frequently goes up and down; sometimes there are over 30, at other times none at all.

One problem with the current strategy is that Tor's maintainers tend to look at connections to big sites like Google or Facebook protected with SSL, not ones heading to standard HTTP websites. Where encryption is stripped, there is no SSL connection, meaning such snooping can go undetected. "Of course those were not the first relays to be doing this attack. I guess the first lesson there is that the attackers are actually still at it and the second lesson is that while as of December we've started checking HTTP versions of some destinations too, that is a much messier arms race to play," Dingledine told Forbes.

Addressing the architecture of Tor might not be the best way to protect users from such attacks anyway. Blockchain.info and Riseup have added various forms of security that users could avail themselves of to protect their accounts. Two-factor authentication is one of the obvious options, as the hacker would not be able to see the one-time secret code used as a second login credential. Atlas said many of those robbed of Bitcoin in October and November did not take advantage of such security services.

Blockchain has also deployed various updates to prevent similar attacks occurring in the future, the most significant being the establishment of a Tor-based .onion website in early December (that's something Facebook has done too). That has nullified the potential for SSL stripping, as there is no exit relay and so no point at which to remove the encryption. Atlas noted the attackers from the fall were increasing the amount of bad traffic around Tor until Blockchain released its .onion site. Blockchain.info also deployed HSTS (HTTP Strict Transport Security), which tells returning browsers to connect only over the encrypted HTTPS tunnel rather than the unprotected HTTP line.
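HSTS closes the stripping window only for browsers that have already seen the site's policy over a genuine HTTPS connection; a first visit typed as a bare hostname still starts over plain HTTP, which is the gap the .onion address and preload lists close. The following is an added example, not code from Blockchain.info, the Tor Project or any browser: it models a browser's HSTS cache as described in RFC 6797 (header honoured only over HTTPS, `max-age` expiry, `includeSubDomains`, preloaded hosts) and walks through what happens to a user's http:// navigation before and after the policy is learned. The hostnames and the `HstsStore`, `observe`, `navigate` and `demo` names are constructed for this example.

```python
"""Toy model of a browser HSTS cache (RFC 6797), added example only.

Assumes a single browser profile; hostnames below are constructed and do not
refer to real sites.
"""
from dataclasses import dataclass
from typing import Dict, Iterable
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


class HstsStore:
    """Per-browser record of which hosts must only be reached over HTTPS."""

    def __init__(self, preload: Iterable[str] = ()):
        self.entries: Dict[str, HstsEntry] = {}
        # Preloaded hosts are shipped with the browser and never expire,
        # so even a first visit is upgraded.
        for host in preload:
            self.entries[host] = HstsEntry(float("inf"), True)

    def observe(self, scheme: str, host: str, header_value: str, now: float) -> bool:
        """Process a Strict-Transport-Security header; return True if it was applied."""
        # RFC 6797 section 8.1: the header is ignored on plain HTTP responses,
        # otherwise a stripping exit could plant or clear a policy at will.
        if scheme != "https":
            return False
        max_age = None
        include = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include = True
        if max_age is None:          # max-age is mandatory
            return False
        if max_age == 0:             # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return True
        self.entries[host] = HstsEntry(now + max_age, include)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        entry = self.entries.get(host)
        if entry and entry.expires > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            parent = self.entries.get(".".join(labels[i:]))
            if parent and parent.expires > now and parent.include_subdomains:
                return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo() -> Dict[str, str]:
    """Walk one browser through the stripping window and its closure."""
    store = HstsStore(preload=("preloaded.invalid",))
    t0 = 1_000_000.0
    year = 31_536_000
    results = {}
    # First visit: nothing cached, so the request leaves as http:// and a
    # stripping exit on the path can serve a plain-HTTP copy of the site.
    results["first-visit"] = store.navigate("http://wallet.example.invalid/login", t0)
    # A header delivered over HTTP (as a stripping exit could inject) is ignored.
    store.observe("http", "wallet.example.invalid", f"max-age={year}", t0)
    results["after-http-header"] = store.navigate("http://wallet.example.invalid/login", t0)
    # The genuine site, reached over HTTPS, sets a one-year policy with subdomains.
    store.observe("https", "wallet.example.invalid", f"max-age={year}; includeSubDomains", t0)
    results["returning"] = store.navigate("http://wallet.example.invalid/login", t0 + 3600)
    results["subdomain"] = store.navigate("http://api.wallet.example.invalid/v1", t0 + 3600)
    # Once max-age lapses without a refresh, the browser is back to plain HTTP.
    results["expired"] = store.navigate("http://wallet.example.invalid/login", t0 + year + 1)
    # A preloaded host is upgraded even on the very first visit.
    results["preloaded"] = store.navigate("http://preloaded.invalid/", t0)
    return results


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:18} -> {url}")
```

The `expired` step is the reason real deployments send a long `max-age` and refresh it on every HTTPS response: the policy only protects a user who revisits before it lapses. A `.onion` address needs none of this, since the connection never leaves the Tor network and there is no exit at which to downgrade it.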

LocalBitcoins hasn't decided to deploy a .onion domain, though, like Blockchain, it recommends customers use two-factor authentication.

Tor's "war zone"

The hits on Blockchain, LocalBitcoins, Riseup and Safe-mail represent just a fraction of the innumerable attacks launched across Tor every day, which Jones will detail in an upcoming talk at the final Syscan conference in Singapore next month. Over recent months and years Jones said he’s seen a hacker “war zone” emerge on Tor, one involving a significant number of “hidden services” - sites based on Tor that have the same protections as people’s connections (when users connect to a hidden service, they get three hops in, as does the site, and they find a server on the Tor network where they meet and interact; everything is encrypted too).

A range of dark markets have fallen as a result of hacks over the last two years. TorMarket, a competitor to the now-defunct Silk Road online drugs bazaar, was breached thanks to an exploit of a Ruby vulnerability in one of the site’s web forms, according to Jones. This exploit led to the retrieval of much of the site’s database, chunks of which were then released by Dread Pirate Roberts 2 on the Silk Road 2 forums. That led to the closure of TorMarket.

Another store for illicit goods, FloMarket was supposedly deanonymised via a remarkably simple exploit, where the attacker tinkered with HTTP headers, which contain information on request and response messages for every website visit, to cause the site’s IP address and the online identity of the operator of the site to be revealed.

Sheep, which was once one of the major competitors to Silk Road and was, according to Jones, running on a US-based content delivery network, was allegedly hacked and the IP address leaked. Reports indicated a vendor had exploited a bug and made off with at least 5500 Bitcoin. Others suggested the owners simply shut the service down and walked away with around $60 million in crypto coins.

No arrests have been made for any of these crimes and there hasn't been much recourse for victims. Neither Blockchain nor LocalBitcoins have defined policies on compensation, though they have reimbursed users in exceptional circumstances when the company has been at fault.

Though Tor has many benefits for any individual or business who wants to keep their identity secret and to express their right to freedom of speech, its architecture provides fertile ground for criminal activity and snooping on legitimate users. Meanwhile, crooks are making vast sums of money with apparent impunity. It might be time for a technical assault on those abusing Tor at others’ expense through measures resembling those Blockchain.info introduced. Law enforcement might want to take note of the growing number of attacks taking place over Tor too, rather than simply shutting down marketplaces, prosecuting their owners and claiming it's winning the war on the "dark web".