The operators of at least one Tor proxy service was recently caught replacing Bitcoin addresses on ransomware ransom payment sites, diverting funds meant to pay for ransomware decrypters to the site's operators.

A "Tor proxy service" is a website that allows users to access .onion domains hosted on the Tor network without needing to install the Tor Browser.

Users can append a domain extension like .top, .cab, .to at the end of any Tor URL and access it inside their regular browsers such as Firefox, Chrome, Vivaldi, Edge, and others.

For example, users can type in and access the New York Times' Dark Web portal without installing the Tor Browser.

During the past two years, such services have become extremely popular, and especially popular with ransomware authors.

Ransomware often includes ransom notes that list the payment portal's Tor URL, but also alternative URLs for various Tor-to-web proxies, in case non-technical users find it hard to install the Tor Browser.

proxy service caught replacing wallet addresses

But researchers from US cyber-security firm Proofpoint say that they've caught one of these Tor proxies stealing from both ransomware authors and ransomware victims alike.

According to researchers, the operators of the Tor-to-web proxy service are secretly parsing Dark Web pages loaded via their portal for strings that look like Bitcoin wallet addresses and replacing them with one of their own.

Proofpoint says it noticed the Bitcoin address swap behavior on the ransom payment portals for three ransomware families: LockeR, Sigma, and GlobeImposter.

In fact, researchers say they've noticed the behavior because of a warning message posted on the LockeR payment site by the LockeR authors.

"Do NOT use, they are replacing the bitcoin address with their own and stealing bitcoins," the message reads. "To be sure you're paying to the correct address, use Tor Browser."

LockeR ransom payment site warning against URLs

An older image of the ransom payment portal from October 2017 does not include this message, meaning even the LockeR crew only recently became aware of the issue.

stole $22K from ransomware authors & victims

During experiments carried out by Proofpoint, researchers spotted different Bitcoin wallet address "replacement rules" based on the page the user was accessing, suggesting operators are configuring these swaps manually, on a per-site basis.

Proofpoint identified two Bitcoin wallet addresses operated by the team, both holding no more than 2 Bitcoin ($22,000), suggesting proxy operators weren't that successful in their attacks, the replacement rules aren't always active, or the service isn't that popular to begin with.

Ransomware authors are fighting back

Either way, Proofpoint says ransomware operators took notice of's actions and have started taking precautionary measures against all Tor-to-web proxy services.

The most obvious change is that many have stopped providing Tor proxy links and are now listing only the pure Tor .onion URL in their ransom notes, recommending that users access the payment site only via the Tor Browser alone.

Other ransomware authors have altered their Dark Web-hosted ransom payment sites. For example, the operators of the MagniBer ransomware now split the Bitcoin address shown to each victim on their payment site across different HTML tags.

MagniBer splitting Bitcoin wallet addresses

This makes it harder for malicious Tor proxies to detect the Bitcoin address pattern, but it's not a reliable protection measure. In case users reach the desperate conclusion that they need to pay the ransom, to avoid losing their funds to malicious Tor-to-web proxies, it is recommended they access the link directly in the Tor Browser.
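The check below is an added example, not code from the article or from Proofpoint. It mirrors the kind of experiment described above from a researcher's side: given the HTML of a payment page fetched directly over Tor and the HTML of the same page fetched through a Tor-to-web proxy, it extracts every string that is a Base58Check-valid legacy Bitcoin address (mainnet P2PKH or P2SH) from the page text and reports which addresses were removed and which were inserted. Because candidates are taken from the concatenated text nodes rather than the raw markup, an address split across adjacent HTML tags as MagniBer does is still seen as one string, which is the reason that trick is not a reliable defence. The fetching itself is out of scope (both pages are passed in as strings), and every address and page in the sample data is constructed from dummy payloads, not taken from any real ransom site.

```python
"""Compare the Bitcoin addresses a page shows via two channels (added example)."""
import hashlib
import re
from html.parser import HTMLParser

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version byte + payload (used only to build sample addresses)."""
    raw = bytes([version]) + payload
    raw += _dsha256(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    return "1" * pad + digits


def is_valid_legacy_address(s: str) -> bool:
    """True if s decodes to 25 bytes with version 0x00 (P2PKH) or 0x05 (P2SH)
    and a correct 4-byte double-SHA256 checksum."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:  # not a Base58 character (e.g. '0', 'O', 'I', 'l')
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _dsha256(raw[:21])[:4] == raw[21:]


class _TextCollector(HTMLParser):
    """Collect text nodes; joined with no separator so a split address is reassembled."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def extract_addresses(html: str) -> set:
    """Return every Base58Check-valid legacy address found in the page's text."""
    collector = _TextCollector()
    collector.feed(html)
    text = "".join(collector.parts)
    found = set()
    # Scan each run of Base58 characters and test every address-length window that
    # starts with '1' or '3'. The checksum rejects accidental matches, so no
    # word-boundary heuristics are needed.
    for run in re.finditer(r"[1-9A-HJ-NP-Za-km-z]+", text):
        chunk = run.group(0)
        for i, ch in enumerate(chunk):
            if ch not in "13":
                continue
            for length in range(26, 36):
                cand = chunk[i:i + length]
                if len(cand) < length:
                    break
                if is_valid_legacy_address(cand):
                    found.add(cand)
    return found


def compare_views(direct_html: str, proxied_html: str) -> dict:
    """'missing': addresses only on the direct page; 'injected': only on the proxied page."""
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    return {"missing": direct - proxied, "injected": proxied - direct}


# Constructed sample data: dummy 20-byte payloads, not real wallet addresses.
VICTIM_ADDR = base58check_encode(0x00, hashlib.sha256(b"constructed victim").digest()[:20])
SWAPPED_ADDR = base58check_encode(0x00, hashlib.sha256(b"constructed swapped").digest()[:20])

# Constructed pages: the direct view splits the address across three tags,
# the proxied view shows a different address in its place.
DIRECT_HTML = (
    "<html><body><p>Send payment to:</p>"
    f"<span>{VICTIM_ADDR[:12]}</span><b>{VICTIM_ADDR[12:24]}</b><i>{VICTIM_ADDR[24:]}</i>"
    "</body></html>"
)
PROXIED_HTML = f"<html><body><p>Send payment to:</p><code>{SWAPPED_ADDR}</code></body></html>"

if __name__ == "__main__":
    print(compare_views(DIRECT_HTML, PROXIED_HTML))
```

A non-empty `injected` set for a page that should show a single fixed address is the signal Proofpoint's researchers were looking for; running the comparison across several pages is what exposes the per-site replacement rules the article describes.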

But the best way to avoid ransomware infections is to avoid opening suspicious files received from unknown persons, and to keep regular backups of important (or all) files.

An earlier version of this article referenced instead of (in three sentences) as the Tor proxy that is replacing Bitcoin addresses. Bleeping Computer regrets the error and confusion it caused among some readers.
