An infected version of the Tor Browser has targeted Russian speakers, spying on them while they browsed the dark web and ultimately stealing their Bitcoin when they tried to pay with it on dark web markets.
The compromised Tor Browser replaced the Bitcoin address to which targeted users were supposed to send funds with a malicious one under the hackers' control, so users ended up transferring their cryptocurrency to the hackers' account.
The fake Tor Browser was distributed via two websites, “torproect[.]org” and “tor-browser[.]org”, created in 2014, which imitated the anonymous browser’s real website, torproject.org.
To entice Tor users into downloading the malware-laden version of the Tor Browser, these phony websites displayed a message telling visitors that their Tor Browser was obsolete and had to be updated, even when they were already running an up-to-date version.
There are no clear indications that the malware targeted other platforms such as macOS, Linux, or the mobile versions of the browser.
Bitcoin and other well-known cryptocurrencies have had a long history of being linked to illicit activities such as ransomware attacks and purchasing/selling illegal substances on the dark web. Evidently, hackers and cybercriminals have consistently been looking for a method to steal and launder these digital assets effectively.
In this case, the unidentified hackers trojanized the widely deployed, privacy-focused Tor Browser to spy on users who relied on it to visit three of the largest Russian-speaking dark web markets.
As reported by ESET, the total amount of Bitcoin received by the hackers currently stands at 4.8 BTC, worth nearly $40,000 at current prices. Nevertheless, ESET believes the real figure is likely significantly higher, since the cybercriminals have been running this campaign for quite some time.
Anton Cherepanov, who is a senior malware researcher at ESET Slovakia, stated:
“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities. However, we have seen only one particular functionality–changing the bitcoin and cryptocurrency wallets.”
In addition to Bitcoin, ESET stated that the hackers modified the Tor Browser so that it automatically replaces wallet addresses found on visited pages, whether for the well-known Russian money transfer service QIWI or for Bitcoin, with the attackers' own wallet addresses. Hence, once users unwittingly installed the compromised version of the Tor Browser and paid from their QIWI or Bitcoin wallets, the funds went straight to the wallets of the unknown hackers instead.
Anton Cherepanov stated:
“It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.”
As Bitcoin and altcoins are adopted by more individuals, companies and markets across the world, the crimes associated with them have also grown quickly, with cybercriminals devising ever more refined methods to commit theft and fraud on the internet.