Fake Tor Browser Has Been Spying, Stealing Bitcoin 'For Years'

Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin.

Oct 18, 2019 at 12:03 p.m. UTC
Updated Sep 13, 2021 at 11:35 a.m. UTC

Hackers have been distributing a compromised version of the official Tor Browser that's packed with malicious tools used to both spy on users and steal their bitcoin.

Discovered by researchers at IT security firm ESET, the trojanized Tor has apparently resulted in a relatively small amount of bitcoin being lost to date, with funds taken by address swapping when users try to pay on dark net markets.

In an announcement emailed to CoinDesk on Friday, ESET's senior malware researcher, Anton Cherepanov, said the research had identified three bitcoin wallets used by the hackers since 2017.

"Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser,” Cherepanov explained.

At the time the research was completed, the three wallets had received 4.8 bitcoin (worth $38,700 at press time), though ESET said the actual amount stolen would be higher as wallets for the Russian payments service QIWI are also targeted.

The hacking campaign has been targeting Russian-speaking users of Tor – a network designed to keep identities hidden to avoid tracking and surveillance.

The cybercriminals behind the fake Tor browser have been using forums and pastebin.com to distribute their offering as the official Russian language version of the app.

"Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites," said ESET.

On first website, the user receives an alert that their Tor Browser is out of date, even if not true. Visitors who are duped by the message are then redirected to a second website with an installer for the fake app.

Once installed, the malware-laden browser enables its creators to know what websites a user visits, to change the data on visited pages and grab the content of data forms. While the hackers could potentially display false information to users, the browser has only been observed to change the wallet addresses for the purposes of stealing bitcoin, Cherepanov said.

Tor image via Shutterstock


Read more about
The Festival for the Decentralized World
Thursday - Sunday, June 9-12, 2022
Austin, Texas
Save a Seat Now

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Trending

1
CoinDesk - Unknown
5 Key Takeaways From a16z's State of Crypto Report

The venture firm is extremely bullish on Web 3.

The venture firm is extremely bullish on Web 3.

CoinDesk - Unknown
2
CoinDesk - Unknown
Regulators Are Paying Attention to UST

The collapse of terraUSD (UST) is algorithmic stablecoins’ Libra moment.

The collapse of terraUSD (UST) is algorithmic stablecoins’ Libra moment.

CoinDesk - Unknown
3
CoinDesk - Unknown
San Francisco NFL Player Alex Barrett Taking His Salary in Bitcoin

The most valuable crypto stories for Thursday, May 20, 2022.

The most valuable crypto stories for Thursday, May 20, 2022.

CoinDesk - Unknown
4
CoinDesk - Unknown
Justin Sun Still Thinks Algorithmic Stablecoins Are a Good Idea

The crypto mogul also said LUNA and UST might make good "meme coins," he said on CoinDesk TV’s “First Mover.”

The crypto mogul also said LUNA and UST might make good "meme coins," he said on CoinDesk TV’s “First Mover.”

CoinDesk - Unknown