Who is Running Hundreds of Malicious Tor Relays?

A threat actor is running hundreds of malicious Tor relays as part of what researchers suspect is an attempt to deanonymize Tor users.

Nusenu, a Tor relay operator, first identified “KAX17” as a sophisticated threat actor in 2019. At the time, Nusenu had identified a “long-running suspicious relay group” that had been active since 2017, if not earlier. “At their peak, they reached >10% of the Tor network’s guard capacity,” Nusenu wrote in 2019.

In nusenu’s most recent blog post about KAX17, they provided the following summary of the actor’s behavior:

  • active since at least 2017
  • sophistication: non-amateur level and persistent
  • uses large amounts of servers across many (>50) autonomous systems (including non-cheap cloud hosters like Microsoft)
  • operated relay types: mainly non-exit relays (entry guards and middle relays) and to a lesser extent tor exit relays
  • (known) concurrently running relays peak: >900 relays
  • (known) advertised bandwidth capacity peak: 155 Gbit/s
  • (known) probability to use KAX17 as first hop (guard) peak: 16%
  • (known) probability to use KAX17 as second hop (middle) peak: 35%
  • motivation: unknown; plausible: Sybil attack; a collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services

In October 2020, nusenu reported KAX17’s exit relays to the Tor Project, which resulted in their removal from the network. Before the removal of the actor’s exit relays, a Tor user had up to a 16% chance of connecting to one of KAX17’s guard relays, up to a 35% chance of using KAX17’s middle relays, and up to a 5% chance of using one of the actor’s exit relays. In the worst-case scenario on 2020-09-08, nusenu wrote, KAX17 could de-anonymize Tor users with the following probabilities:

  • first hop probability (guard) : 10.34%
  • second hop probability (middle): 24.33%
  • last hop probability (exit): 4.6%

Guard, middle and exit probability between 2019-01-01 and the removal event on 2021-11-08 | nusenu

The day after the Tor Project had removed the exit relays reported by nusenu, a new “large no-name exit relay group” appeared. Nusenu has not attributed the new group to KAX17 yet but also does not believe KAX17 “halted their exit operations completely.”

While investigating this threat actor’s relays, nusenu discovered an email address that had initially appeared in the ContactInfo descriptor field of KAX17’s relays. The actor later removed the email address. When looking into the email address, nusenu found it on the tor-relays mailing list.

“Interestingly it became almost exclusively involved on the mailing list when policy proposals with regards to malicious relays were discussed or when large malicious relay groups got removed. They apparently disliked the proposals to make their activities less effective.”

(Nusenu noted that any relay operator could have used the particular email address for their relay’s ContactInfo. However, the email address appeared on KAX17’s relays long before appearing on the tor-relays mailing list.)

Nusenu outlines some potential solutions in their blog post. It is worth reading if Tor’s weaknesses are of interest to you: Is “KAX17” performing de-anonymization Attacks against Tor Users?

Cimpanu, reporting for The Record, asked nusenu about the chances of KAX17 being part of a research project. Nusenu provided the following response:

  • Academic research is usually limited in time. KAX17 has been active since 2017.
  • Researchers do not get involved in weakening anti-bad-relays policies on the Tor mailing list.
  • Researchers do not fight against their removal and do not replace removed relays with new relays.
  • Research-based relays usually run within 1-2 autonomous systems, not >50 ASes.
  • Research relays usually run <100 relays, not >500.
  • Research relays usually do have a relay ContactInfo.
  • The Tor Project is quite well connected to the research community.

via The Record, “A mysterious threat actor is running hundreds of malicious Tor relays”

It is hard to imagine this being part of a research project. Then again, Carnegie Mellon researchers conducted a traffic confirmation attack and a Sybil attack as part of some form of research. The FBI discovered this research and used it to arrest at least two people, one of whom is likely known to readers of this site: Brian Farrell, aka DoctorClu, who was involved in the administration of Silk Road 2.0.

KAX17 certainly seems like a state-backed actor.

6e255ac0 Thu, Dec 9, 2021

Westernized government, probably the US… good luck sucking all of the water out of the ocean boys, spend those tax dollars wisely and get the good cocaine ;) what kind of “kingpin” uses the same email address to link themself to various occurrences, separate and under heavy scrutiny. Smart on the pixel level dumb as shit on the big picture level = dumb as shit

fea95e80 Thu, Dec 9, 2021

Well now hot shot, when we compromise you, you best hope you paid cash for that 4G hot spot. Unlike Ricky Ross who got caught at the public library, Billion dollar man who was so greedy or stupid not to invest $100 in a prepaid hot spot, you can legally wear a mask now forever… and people still get caught… the world is a nigger

e8589530 Thu, Dec 9, 2021

Why do people in these places always raise good points and then say something racist? smh …

4dcbe980 Thu, Dec 9, 2021

Is using that word racist? If I am reading this correctly, the individual refers to the entire world as the n word, of which we can be sure that this individual also resides in. Can a person be prejudiced against oneself? Certainly a provocative use of the no-no word!

4a1c5bc0 Thu, Dec 9, 2021

Hi-tech without proper lo-tech opsec gets you busted and not a lot of people will even find it out when it happens cuz of proper LEA

1a1a9480 Thu, Dec 9, 2021

It’s most likely some government entity from the US, North Korea, China or Russia. They would have every incentive to de-anonymize tor so they can spy, collect information, do other glowie things, and they all have the resources to operate on such a scale.
Best way to counteract this until KAX17 is stopped is for people to start running their own tor relays and nodes

d4d9e580 Fri, Dec 10, 2021

I want to start taking commissions to run tor relays ngl, would be a cool idea

99c978e0 Fri, Dec 10, 2021

If this is what they have to resort to in order to attack Tor they probably can’t break the encryption.

5e9b8d50 Fri, Dec 10, 2021

Of course they can’t? 256 elliptical curve cryptography isn’t exactly easy to crack XP

351a5820 Fri, Dec 10, 2021

they will definitely use the information of users they got from running guard relays and keep them in the watchlist. Tor project should make some strict regulation on who can run guard relays

7894cac0 Fri, Dec 10, 2021

Feds can’t even do OPSEC for their attacks on human rights xp

ce063fc0 Mon, Dec 13, 2021

Team LaRoux/Kim.Tor.Relays?

b853be50 Wed, Dec 15, 2021

100% US gov

d03c9710 Thu, Dec 16, 2021



b2f1e2c0 Tue, Dec 21, 2021

You guys are using tor atm when FB does not lol

18b19ed0 Fri, Dec 24, 2021

how much you wanna bet after all these tax dollars are wasted on chasing innovators (not criminals), the big boys and girls on Capitol Hill will shift to integrating it into our own doom. Sounds like Web 2.0. Web 3.0 needs to die like yesterday!

bbf11af0 Thu, Dec 23, 2021

Please god let it be China
