Submitted by f064fb5ddb9041bc8a4cb0024 in Privacy (edited )

Yesterday I found this post on /r/privacy, it has really little upvotes and there's no mention of it neither on /r/privacytoolsio nor /r/tor. From my point of view, this is a real threat when it comes to the de-anonymization of Tor's network users.

If you are using Tor network for any kind of logging of any kind of important account I would recommend against it. Maybe I'm not understanding the full-scope of this but this could create correlation and phising attacks, hurting not only the anonymity of its users, but also its privacy and security.

Here are some extracts of the article:*w-G1Yx5wJ375m9lzMXLBQw.png

The graph ends at the beginning of Oct 2019 (it intentionally lacks X and Y axis).

At their peak they reached >10% of the Tor network’s guard capacity. A guard relay is the first relay in the chain of 3 Tor relays forming a circuit and the only relay seeing the Tor user’s real IP address, but not seeing the destination accessed by the user. To give you a feeling about their size in relation to other known operators: The biggest known guard relay operator as of 2019–12–08 is bellow 2% guard capacity.

After reporting them to the Tor Project they got removed (the once I knew about initially), but it did not take them long to setup new relays soon after.

Until this day (2019–12–08) they are actively running high bandwidth relays on the Tor network. Due to the sheer size of this particular adversary I had some hope that this discovery would act as a wake-up call and finally spark some improvements, unfortunately it did not so far.

Why didn’t we detect them earlier?

Initially their capacity was somewhat limited and most of their capacity got added in the course of the past year but a year is still a very long time for detection. To avoid detection they spread their relays across multiple hosting providers and added them relatively slowly over a long period of time. They make use of the biggest Tor hosters (OVH and Hetzner) to blend in with the rest, but they also make use of hosters rarely seen before they joined (i.e. AS20860). In fact their relays made the autonomous system “Iomart Cloud Services” (AS20860) so big, it is now the 6th biggest ASN by guard capacity on the Tor network:

Top 10 ASNs by Guard Capacity: Iomart Cloud Services on position 6. (Data Source:

It’s not the first time that something similar happens.

In April 2015, a number of user accounts were compromised in what was speculated at the time to be a government-sponsored de-anonymization attack from 70 different exit nodes. A SIGAINT administrator said that the hidden service was not hacked but malicious exit nodes had modified their clearnet page so that its link to the hidden service pointed to an imposter hidden service, effectively tricking users with a phishing attack that harvested login credentials. SIGAINT has since added SSL to their gateway to protect against such attacks.



You must log in or register to comment.

celebratedrecluse wrote

This is an ongoing issue, and probably is a secret reason why some of the darknet markets and the pedo sites got busted despite being "hidden services"


videl wrote

privacy online is hopeless


MHC wrote

Yes, I think that's about right.