KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

guest · Dec 6, 2021

December 3, 2021

A mysterious threat actor, tracked as KAX17, has run thousands of malicious Tor relay servers since 2017 in an attempt to deanonymize Tor users.

KAX17 ran relay servers in various positions within the Tor network, including entry and exit nodes, researchers at the Tor Project have removed hundreds of servers set up by the threat actor in October and November 2021.
Click to expand...

In August 2020, the security researcher that goes online with the moniker Nusenu revealed that in May 2020 a threat actor managed to control roughly 23% of the entire Tor network’s exit nodes. Experts warned that this was the first time that a single actor controlled such a large number of Tor exit nodes.

Nusenu told The Record that it has observed a recrudescence of the phenomenon associated to the same attacker.

“But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.” reads the post published by The Record.
“Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.”
Click to expand...

This circumstance suggests that the group is operating to track Tor users within the anonymizing network, Nusenu also believes that the KAX17 is an APT group.

Below are some insights on the KAX17 profile provided by the researcher in a post:
Click to expand...

Is “KAX17” performing de-anonymization Attacks against Tor Users?

Two years ago in December 2019, I first wrote about a particular and unusual malicious actor on the tor network. This blog post is about how that actor expanded their visibility into the tor network during the last two years after their removal by the tor directory authorities in October 2019 and why this particular actor is more concerning than the usual malicious tor relay group.

Actor “BTCMITM20” Profile
• active since at least 2020
• sophistication: amateur level but persistent and large scale [...]
Actor “KAX17” Profile
• active since at least 2017
• sophistication: non-amateur level and persistent [...]
Click to expand...

Palancar · Dec 5, 2021

I use two VPN's before joining TOR and this thread gives me some justification! Also, many don't understand TOR and don't realize just how much more secure running 100% onion is. Avoid exiting to clearnet whenever possible.

Socio · Dec 6, 2021

I connect with one VPN but try to make it from different locations each time, I also sandbox the browser to make sure all accrued data is gone on close.

I am thinking that one could even slightly alter the browser fingerprint each connection to create a little fog so to speak in front of those trying to perform de-anonymization.

Log in or Sign up

KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

guest Guest

Palancar Registered Member

Socio Registered Member

Log in or Sign up

KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

guest Guest

Palancar Registered Member

Socio Registered Member

Useful Searches