At the peak of its activity, the malicious group consisted of about 380 nodes. By associating nodes based on the contact emails listed on the servers with malicious activity, the researchers were able to identify at least 9 different clusters of malicious exit nodes that were active for about 7 months. The Tor developers tried to block the malicious nodes, but the attackers quickly resumed their activity. Currently, the number of malicious nodes has decreased, but more than 10% of traffic still passes through them.
From the activity recorded on the malicious exit nodes, selective removal of redirects to the HTTPS versions of sites is noted when a resource is initially accessed without encryption via HTTP; this allows attackers to intercept session content without replacing TLS certificates (an "ssl stripping" attack). This approach works for users who type the site address without explicitly specifying "https://" in front of the domain and, after the page opens, do not pay attention to the protocol name in the address bar of Tor Browser. To protect against blocking of redirects to HTTPS, sites are recommended to use
To make the malicious activity difficult to detect, substitution is carried out selectively on individual sites, mainly those related to cryptocurrencies. If a bitcoin address is detected in unencrypted traffic, the traffic is modified to replace the bitcoin address and redirect the transaction to a wallet controlled by the attackers. The malicious nodes are hosted by providers that are popular for hosting normal Tor nodes, such as OVH, Frantech, ServerAstra, and Trabia Network.
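The two behaviours described above (a stripped HTTP-to-HTTPS redirect, and a bitcoin address rewritten in the unencrypted page) can both be checked by comparing what a plain-HTTP request returns through an exit under test against the same request made over a trusted path. The following is an added example written for this page, not code from the researchers or the Tor project; the `audit_exit_response` function, the response parser and the sample HTTP responses (including the two bitcoin addresses) are all constructed here for illustration and are not real captures.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Loose pattern for legacy base58 (1.../3...) and bech32 (bc1...) bitcoin addresses.
# The goal is only to notice an address the site owner never published, so a
# permissive match is acceptable (a false positive is reviewed by a human).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


@dataclass
class HttpResponse:
    status: int
    headers: dict[str, str]  # header names lower-cased
    body: str


def parse_http_response(raw: str) -> HttpResponse:
    """Minimal HTTP/1.x response parser for captured text (no chunked decoding)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def _upgrades_to_https(resp: HttpResponse) -> bool:
    location = resp.headers.get("location", "")
    return 300 <= resp.status < 400 and location.lower().startswith("https://")


def audit_exit_response(
    baseline: HttpResponse,
    observed: HttpResponse,
    known_addresses: frozenset[str] = frozenset(),
) -> list[str]:
    """Compare a plain-HTTP response seen through an exit node (observed) with the
    same request made over a trusted path (baseline). Returns a list of findings."""
    findings: list[str] = []
    # 1. The origin answers http:// with a redirect to https://, but the exit did not.
    if _upgrades_to_https(baseline) and not _upgrades_to_https(observed):
        findings.append("https-redirect-stripped")
    # 2. The delivered page contains a bitcoin address the site owner never published.
    if known_addresses:
        unexpected = set(BTC_ADDRESS_RE.findall(observed.body)) - set(known_addresses)
        if unexpected:
            findings.append("bitcoin-address-substituted")
    return findings


# --- Constructed sample data (hypothetical site, hypothetical addresses) ---------------
LEGIT_ADDRESS = "1LegitWaLLetSampLeAddressXXXXXXXX"      # constructed, not a real wallet
ATTACKER_ADDRESS = "1AttackerWaLLetSampLeAddressXXXXXX"  # constructed, not a real wallet

# What the origin actually returns for GET http://example.com/ over a trusted path.
BASELINE_RAW = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _plain_page(address: str) -> str:
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"
        f"<html><body><p>Send BTC to {address}</p></body></html>"
    )


def run_demo() -> dict[str, list[str]]:
    """Audit three constructed exit-node behaviours against the same baseline."""
    baseline = parse_http_response(BASELINE_RAW)
    known = frozenset({LEGIT_ADDRESS})
    scenarios = {
        "honest_exit": BASELINE_RAW,                      # redirect passed through untouched
        "redirect_stripped": _plain_page(LEGIT_ADDRESS),  # page served over plain HTTP
        "address_substituted": _plain_page(ATTACKER_ADDRESS),
    }
    return {
        name: audit_exit_response(baseline, parse_http_response(raw), known)
        for name, raw in scenarios.items()
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'clean'}")
```

The baseline must come from a path the attacker cannot influence (a direct connection or an exit you trust), and the known-address list from the site's HTTPS page; comparing one exit against another exit would let a substitution on both go unnoticed. Because the rewriting is selective, a single clean result from one fetch says little; the check is meant to be repeated across many exits and sites.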
Source: opennet.ru