The operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware ransom payment sites, diverting funds meant to pay for ransomware decrypters to the site's operators.
A "Tor proxy service" is a website that allows users to access .onion domains hosted on the Tor network without needing to install the Tor Browser.
Users can append a domain extension like .top, .cab, .to at the end of any Tor URL and access it inside their regular browsers such as Firefox, Chrome, Vivaldi, Edge, and others.
For example, users can type in nytimes3xbfgragh.onion.to and access the New York Times' Dark Web portal without installing the Tor Browser.
During the past two years, such services have become extremely popular, and especially popular with ransomware authors.
Ransomware often includes ransom notes that list the payment portal's Tor URL, but also alternative URLs for various Tor-to-web proxies, in case non-technical users find it hard to install the Tor Browser.
But researchers from US cyber-security firm Proofpoint say that they've caught one of these Tor proxies stealing from both ransomware authors and ransomware victims alike.
According to researchers, the operators of the Onion.top Tor-to-web proxy service are secretly parsing Dark Web pages loaded via their portal for strings that look like Bitcoin wallet addresses and replacing them with one of their own.
Proofpoint says it noticed the Bitcoin address swap behavior on the ransom payment portals for three ransomware families: LockeR, Sigma, and GlobeImposter.
In fact, researchers say they've noticed the behavior because of a warning message posted on the LockeR payment site by the LockeR authors.
"Do NOT use onion.top, they are replacing the bitcoin address with their own and stealing bitcoins," the message reads. "To be sure you're paying to the correct address, use Tor Browser."
An older image of the ransom payment portal from October 2017 does not include this message, meaning even the LockeR crew only recently became aware of the issue.
During experiments carried out by Proofpoint, researchers spotted different Bitcoin wallet address "replacement rules" based on the page the user was accessing, suggesting Onion.top operators are configuring these swaps manually, on a per-site basis.
Proofpoint identified two Bitcoin wallet addresses operated by the Onion.top team, both holding no more than 2 Bitcoin ($22,000), suggesting proxy operators weren't that successful in their attacks, the replacement rules aren't always active, or the service isn't that popular to begin with.
Either way, Proofpoint says ransomware operators took notice of Onion.top's actions and have started taking precautionary measures against all Tor-to-web proxy services.
The most obvious change is that many have stopped providing Tor proxy links and are now listing only the pure Tor .onion URL in their ransom notes, recommending that users access the payment site only via the Tor Browser alone.
Other ransomware authors have altered their Dark Web-hosted ransom payment sites. For example, the operators of the MagniBer ransomware now split the Bitcoin address shown to each victim on their payment site across different HTML tags.
This makes it harder for malicious Tor proxies to detect the Bitcoin address pattern, but it is not a reliable protection measure. Users who reach the desperate conclusion that they need to pay the ransom are advised to open the payment link directly in the Tor Browser, so that their funds are not diverted by a malicious Tor-to-web proxy.
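To show what the swap Proofpoint describes looks like from the victim's side, and why splitting an address across HTML tags is not a reliable defence, here is an added example in Python (not code from the article or from Proofpoint). It extracts the Bitcoin addresses a visitor would actually see on two copies of a ransom page, one fetched directly over Tor and one through a proxy, validates each candidate's Base58Check checksum, and reports any address that differs. The HTML snippets and addresses are constructed sample data.

```python
import hashlib
import re
from html.parser import HTMLParser

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape: 1 or 3, then 25-34 Base58 characters.
ADDR_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        i = BASE58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


class _TextCollector(HTMLParser):
    """Collects text nodes in document order, ignoring the tags around them."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def extract_addresses(html: str) -> list:
    """Return checksum-valid addresses as a reader sees them, even when split across tags."""
    p = _TextCollector()
    p.feed(html)
    text = "".join(p.chunks)  # no separator: rejoins an address spread over several <span>s
    found = []
    for m in ADDR_RE.finditer(text):
        s = m.group(0)
        # The greedy match may have swallowed trailing letters; shrink until the checksum holds.
        for length in range(len(s), 25, -1):
            if is_valid_base58check(s[:length]):
                found.append(s[:length])
                break
    return found


def compare_addresses(direct_html: str, proxied_html: str) -> dict:
    """Addresses present on the direct .onion page but not via the proxy, and vice versa."""
    direct, proxied = set(extract_addresses(direct_html)), set(extract_addresses(proxied_html))
    return {"missing": sorted(direct - proxied), "injected": sorted(proxied - direct)}


# Constructed sample pages (hypothetical): the direct page splits the address across spans.
DIRECT_HTML = ("<p>Send 0.5 BTC to <span>1A1zP1eP5QGe</span><span>fi2DMPTfTL5S</span>"
               "<span>Lmv7DivfNa</span></p>")
PROXIED_HTML = ("<p>Send 0.5 BTC to <span>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</span> "
                "ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</p>")  # last token: bad checksum

if __name__ == "__main__":
    print(compare_addresses(DIRECT_HTML, PROXIED_HTML))
```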
But the best way to avoid ransomware infections is to avoid opening suspicious files received from unknown persons, and to keep regular backups of important (or all) files.
An earlier version of this article referenced Onion.to instead of Onion.top (in three sentences) as the Tor proxy that is replacing Bitcoin addresses. Bleeping Computer regrets the error and confusion it caused among some readers.