The operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware payment sites, diverting funds meant to pay for ransomware decrypters to the proxy operators themselves.
A “Tor proxy service” is a website that allows users to access .onion domains hosted on the Tor network without needing to install the Tor Browser.
Users can append a domain extension like .top, .cab, .to at the end of any Tor URL and access it inside their regular browsers such as Firefox, Chrome, Vivaldi, Edge, and others.
For example, users can type in nytimes3xbfgragh.onion.to and access the New York Times’ Dark Web portal without installing the Tor Browser.
During the past two years, such services have become extremely popular, and especially popular with ransomware authors.
Ransomware often includes ransom notes that list the payment portal’s Tor URL, but also alternative URLs for various Tor-to-web proxies, in case non-technical users find it hard to install the Tor Browser.
Onion.top proxy service caught replacing wallet addresses
But researchers from US cyber-security firm Proofpoint say that they’ve caught one of these Tor proxies stealing from both ransomware authors and ransomware victims alike.
According to researchers, the operators of the Onion.top Tor-to-web proxy service are secretly parsing Dark Web pages loaded via their portal for strings that look like Bitcoin wallet addresses and replacing them with one of their own.
Proofpoint says it noticed the Bitcoin address swap behavior on the ransom payment portals for three ransomware families: LockeR, Sigma, and GlobeImposter.
In fact, researchers say they noticed the behavior because of a warning message posted on the LockeR payment site by the LockeR authors.
“Do NOT use onion.top, they are replacing the bitcoin address with their own and stealing bitcoins,” the message reads. “To be sure you’re paying to the correct address, use Tor Browser.”
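The substitution described above is detectable by anyone who can fetch the same page twice, once directly over Tor and once through the proxy, and compare the Bitcoin addresses each copy contains. The following is an added example written for this page; it is not code from Proofpoint or from any of the parties mentioned. It extracts Base58Check-valid P2PKH/P2SH address strings from HTML and reports which addresses the proxied copy dropped or injected. The two sample pages are constructed inline, and the two addresses in them are well-known public addresses (the genesis-block and block-1 coinbase outputs) used only as sample values; the function names are this example's own.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy addresses: version prefix 1 (P2PKH) or 3 (P2SH),
# 26-35 Base58 characters in total.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def base58check_valid(addr: str) -> bool:
    """Return True if addr decodes to 25 bytes whose last 4 match the
    double-SHA256 checksum of the first 21 (version byte + hash160)."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        num = num * 58 + idx
    # Each leading '1' encodes a leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(html: str) -> set:
    """All checksum-valid legacy Bitcoin addresses appearing in the page."""
    return {m for m in ADDR_RE.findall(html) if base58check_valid(m)}


def detect_substitution(direct_html: str, proxied_html: str) -> dict:
    """Compare the address sets of a page fetched directly over Tor and the
    same page fetched through a Tor-to-web proxy. Any address present only
    in the proxied copy was injected by something between Tor and the user."""
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    return {"missing": direct - proxied, "injected": proxied - direct}


# Constructed sample pages (not real ransom portals). GENESIS plays the
# portal's own address; BLOCK1 plays the address swapped in by the proxy.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BLOCK1 = "12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX"

DIRECT_PAGE = (
    "<html><body><h1>Payment</h1>"
    "<p>Send exactly 0.5 BTC to <code>" + GENESIS + "</code></p>"
    "</body></html>"
)
PROXIED_PAGE = DIRECT_PAGE.replace(GENESIS, BLOCK1)

if __name__ == "__main__":
    result = detect_substitution(DIRECT_PAGE, PROXIED_PAGE)
    for kind, addrs in result.items():
        for a in sorted(addrs):
            print(f"{kind}: {a}")
```

The checksum step matters for a monitor like this: without it, any 26-35 character Base58-looking token (a session id, a hash fragment) would count as an address and the diff would be noisy. A page with an "injected" set that is non-empty is the signal the LockeR authors were warning about; the direct Tor fetch, not the proxied one, is the copy to trust.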