Subject: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
From: AnonUser
Organization: Rocksolid Light
Date: Sun, 19 Aug 2018 12:31 UTC
Never trust a proxy to i2p or tor. It's too easy to modify content and you're not in any way anonymous. You're no more anonymous than on the plain old internet.

The article talks about stealing from criminals, but the idea is the same. Why trust a mitm with your data at all?

Tor-to-Web Proxy Caught Replacing Bitcoin Addresses on Ransomware Payment Sites

By Catalin Cimpanu

The operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware ransom payment sites, diverting funds meant to pay for ransomware decrypters to the site's operators.

A "Tor proxy service" is a website that allows users to access .onion domains hosted on the Tor network without needing to install the Tor Browser.

Users can append a domain extension like .top, .cab, .to at the end of any Tor URL and access it inside their regular browsers such as Firefox, Chrome, Vivaldi, Edge, and others.

For example, users can type in and access the New York Times' Dark Web portal without installing the Tor Browser.

During the past two years, such services have become extremely popular, and especially popular with ransomware authors.

Ransomware often includes ransom notes that list the payment portal's Tor URL, but also alternative URLs for various Tor-to-web proxies, in case non-technical users find it hard to install the Tor Browser.

proxy service caught replacing wallet addresses

But researchers from US cyber-security firm Proofpoint say that they've caught one of these Tor proxies stealing from both ransomware authors and ransomware victims alike.

According to researchers, the operators of the Tor-to-web proxy service are secretly parsing Dark Web pages loaded via their portal for strings that look like Bitcoin wallet addresses and replacing them with one of their own.

Proofpoint says it noticed the Bitcoin address swap behavior on the ransom payment portals for three ransomware families —LockeR, Sigma, and GlobeImposter.

In fact, researchers say they've noticed the behavior because of a warning message posted on the LockeR payment site by the LockeR authors.

"Do NOT use, they are replacing the bitcoin address with their own and stealing bitcoins," the message reads. "To be sure you're paying to the correct address, use Tor Browser."

LockeR ransom payment site warning against URLs

An older image of the ransom payment portal from October 2017 does not include this message, meaning even the LockeR crew only recently became aware of the issue.

stole $22K from ransomware authors & victims

During experiments carried out by Proofpoint, researchers spotted different Bitcoin wallet address "replacement rules" based on the page the user was accessing, suggesting operators are configuring these swaps manually, on a per-site basis.

Proofpoint identified two Bitcoin wallet addresses operated by the team, both holding no more than 2 Bitcoin ($22,000), suggesting proxy operators weren't that successful in their attacks, the replacement rules aren't always active, or the service isn't that popular to begin with.

Ransomware authors are fighting back

Either way, Proofpoint says ransomware operators took notice of's actions and have started taking precautionary measures against all Tor-to-web proxy services.

The most obvious change is that many have stopped providing Tor proxy links and are now listing only the pure Tor .onion URL in their ransom notes, recommending that users access the payment site only via the Tor Browser alone.

Other ransomware authors have altered their Dark Web-hosted ransom payment sites. For example, the operators of the MagniBer ransomware now split the Bitcoin address shown to each victim on their payment site across different HTML tags.

Magniber splitting Bitcoin wallet addresses

This makes it harder for malicious Tor proxies to detect the Bitcoin address pattern, but it's not a reliable protection measure. In case users reach the desperate conclusion that they need to pay the ransom, to avoid losing their funds to malicious Tor-to-web proxies, it is recommended they access the link directly in the Tor Browser.

But the best way to avoid ransomware infections is to avoid opening suspicious files received from unknown persons, and to keep regular backups of important (or all) files.

An earlier version of this article referenced instead of (in three sentences) as the Tor proxy that is replacing Bitcoin addresses. Bleeping Computer regrets the error and confusion it caused among some readers.

Posted on Rocksolid Light.
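As an added example (not code from the article, from Proofpoint, or from this forum), here is the defender-side check the swap described above calls for: fetch the payment page once directly over the Tor Browser and once through the proxy, extract anything that looks like a legacy Bitcoin address, and flag tokens present only in the proxied copy. The two HTML snippets are constructed; the well-known Bitcoin genesis-block address stands in for the site's real address and a textbook P2SH example address for the proxy's swapped-in one. Base58check validation is included to make the point that a swapped-in address still passes it, so checksum validity alone detects nothing; only the cross-path comparison does.

```python
import hashlib
import re
from typing import Dict, Set

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy base58 addresses: P2PKH start with '1', P2SH with '3', 26-35 chars,
# drawn from the base58 alphabet (no 0, O, I, l). Bech32 is out of scope here.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed sample pages: the same ransom page as seen over the Tor Browser
# and as rewritten by a tampering proxy. Addresses are well-known public examples.
DIRECT_HTML = ("<p>Send exactly 0.5 BTC to</p>"
               "<code>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</code>")
PROXIED_HTML = ("<p>Send exactly 0.5 BTC to</p>"
                "<code>3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy</code>")


def base58check_valid(addr: str) -> bool:
    """Decode a base58check string and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(html: str) -> Set[str]:
    """Return every token in the raw HTML that looks like a legacy Bitcoin address."""
    return set(ADDR_RE.findall(html))


def compare_copies(direct_html: str, proxied_html: str) -> Dict[str, Set[str]]:
    """Diff address tokens between the directly fetched copy and the proxied copy."""
    direct, proxied = extract_addresses(direct_html), extract_addresses(proxied_html)
    return {"missing": direct - proxied, "injected": proxied - direct}


if __name__ == "__main__":
    result = compare_copies(DIRECT_HTML, PROXIED_HTML)
    for addr in sorted(result["injected"]):
        # A swapped-in address is normally checksum-valid, so validity is not a signal.
        print(f"injected by proxy: {addr} (checksum ok: {base58check_valid(addr)})")
    for addr in sorted(result["missing"]):
        print(f"removed by proxy:  {addr}")
```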

Subject: Re: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
From: trw
Organization: Dancing elephants
Date: Sun, 19 Aug 2018 13:10 UTC
I like that approach, has real potential...
But seriously, it is a clear warning against any proxy to the darknets. Who knows what other information they grab and/or alter in between?
Thanks for posting this.
Posted on: def3.i2p
