No honour among thieves: Hackers using Tor proxy site to steal ransomware operators' bitcoins

Bitcoin's recent surge in value appears to have ramped up hackers' interest in the digital currency more than ever, with some even resorting to steal from each other. Security experts have observed a new campaign, which involves hackers using a Tor proxy site to steal Bitcoin payments from various ransomware operators.

While ransomware operators often demand victims to pay using bitcoins that require them to visit a Tor site, most users often do not have a Tor browser installed. In some cases, ransomware victims choose to use Tor proxy sites to make ransom Bitcoin payments. Some hackers operating various different strains of ransomware also suggest that victims use Tor proxy sites to make payments. However, using such sites provides the operators of the site "unlimited power" to replace content, acting as a man-in-the-middle.

Security researchers at Proofpoint discovered that operators of the Tor proxy domain – "onion[.]top" – have been secretly diverting bitcoin payments made by ransomware victims. The hackers surreptitiously changed the bitcoin address controlled by the ransomware operators and replaced it with an address of their own. This allowed the hackers to steal from both the victims as well as the operators of the ransomware.

"The proxy operators are not only preventing ransomware victims from decrypting their files by paying a ransom but are also in effect stealing from the threat actors distributing ransomware. This appears to be the first scheme of this type affecting both ransomware victims and operators," Proofpoint researchers said in a blog.

According to Proofpoint researchers, the onion[.]top site for the LockerR ransomware, the GlobeImposter ransomware and Sigma ransomware, all had a different Bitcoin address to the one displayed on their Tor sites. The operators of the Tor proxy site have already stolen over $20,000 (£14,236) in bitcoins. However, sophisticated ransomware authors already appear to be aware of the new theft campaign and have begun warning their victims to not use the onion[.]top site to make payments.

For instance, LockerR ransomware operators, who were previously unaware of the campaign and even included onion[.]top site links in their ransomware note, have since deleted the links and added a warning in red text for the victims. The operators of the Magniber ransomware now split their Bitcoin address in four parts in the HTML source code, in efforts to stop hackers from replacing their Bitcoin address. Meanwhile, the authors of the GlobeImposter ransomware urge their victims to use the Tor browser while making payments.

"While it appears that operators of onion.top have not stolen a large number of bitcoins from ransomware victims yet, because many victims use Tor proxies instead of installing the Tor browser, the potential impact is high for victims attempting to pay the ransom and decrypt their files. Ultimately, this type of activity undermines the somewhat dubious trust relationship that underpins the ransomware business.

"While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms," Proofpoint researchers said. "This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users."