Investigators have uncovered a huge and mysterious dark web surveillance network capable of exposing the true identities of Tor users.
An anonymous "threat actor" given the codename KAX17 has built a huge array of malicious relays that put it in a position to "de-anonymize" traffic on the Tor network. A relay, also called a "router" or "node", is a server that receives Tor traffic and forwards it to the next hop in the network.
The unnamed operator's web of relays was so extensive that Tor users had a 16% chance of entering the network through one of KAX17's guard relays, a 35% chance of passing through one of its middle relays on the way through the dark web, and a 5% chance of leaving through one of its exit relays.
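To make concrete what those guard, middle and exit percentages describe, the following Python is an example added to this article; it is not code from the page or from Nusenu's analysis. It parses the relay entries of a Tor network-status consensus and estimates what share of each circuit position a given set of relay fingerprints holds, then multiplies the guard and exit shares to show how often a circuit would both enter and leave through the group. The consensus text, the relay names and the `KAX17_GROUP` fingerprints are all constructed, and the position weighting is a simplification of Tor's real path selection, so the figures are illustrative only.

```python
"""Share of Tor path selection held by a relay group.

Added example for this article, not code from the page or from Nusenu: a
minimal parser for the "r" / "s" / "w" relay entries of a Tor network-status
consensus, followed by an estimate of how often a client's guard, middle or
exit hop lands on one of a given set of relay fingerprints. The consensus
text is constructed, and the weighting is a simplification of Tor's path
selection (see position_share), so the numbers are illustrative only.
"""
import base64
from dataclasses import dataclass, field


@dataclass
class Relay:
    nickname: str
    fingerprint: str                      # 40 hex chars, upper-case
    flags: set = field(default_factory=set)
    bandwidth: int = 0                    # consensus weight from the "w" line


def parse_consensus(text: str) -> list:
    """Parse the r/s/w lines of a consensus into Relay objects (other lines
    such as "v", "pr" and "p" are ignored)."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 3:
            # "r nick identity digest date time ip orport dirport"; identity is
            # the unpadded base64 of the 20-byte RSA identity fingerprint.
            ident = parts[2] + "=" * (-len(parts[2]) % 4)
            current = Relay(parts[1], base64.b64decode(ident).hex().upper())
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
        elif parts[0] == "w" and current is not None:
            for kv in parts[1:]:
                if kv.startswith("Bandwidth="):
                    current.bandwidth = int(kv.split("=", 1)[1])
    return relays


def position_share(relays, group):
    """Fraction of guard, middle and exit selection weight held by `group`.

    Simplification assumed here: guards are picked in proportion to bandwidth
    among Running relays with the Guard flag, exits among those with the Exit
    flag, middles among all Running relays. Real Tor also scales each relay by
    the Wgg/Wgm/Wee/... factors from the consensus bandwidth-weights line.
    """
    def share(candidates):
        total = sum(r.bandwidth for r in candidates)
        owned = sum(r.bandwidth for r in candidates if r.fingerprint in group)
        return owned / total if total else 0.0

    running = [r for r in relays if "Running" in r.flags]
    return {
        "guard": share([r for r in running if "Guard" in r.flags]),
        "middle": share(running),
        "exit": share([r for r in running if "Exit" in r.flags]),
    }


def full_circuit_probability(shares):
    """Chance that a circuit both enters and leaves through the group, the
    case where traffic correlation can link a client to its destination.
    Assumes independent choices: Tor only keeps relays of one declared family
    out of the same circuit, and a covert operator declares no family."""
    return shares["guard"] * shares["exit"]


def _entry(nick, byte, flags, bandwidth):
    """One constructed consensus entry; the fingerprint is `byte` repeated."""
    ident = base64.b64encode(bytes([byte]) * 20).decode().rstrip("=")
    digest = base64.b64encode(bytes([byte ^ 0xFF]) * 20).decode().rstrip("=")
    return (f"r {nick} {ident} {digest} 2021-11-08 00:00:00 198.51.100.{byte} 9001 0\n"
            f"s {flags}\nv Tor 0.4.6.8\nw Bandwidth={bandwidth}\n")


# Constructed mini-consensus: three relays of the hypothetical group, three
# honest relays, and one relay that is listed but not Running.
SAMPLE_CONSENSUS = "network-status-version 3\n" + "".join([
    _entry("kax17guard1", 0x11, "Fast Guard Running Stable Valid", 2000),
    _entry("kax17middle1", 0x22, "Fast Running Stable Valid", 3000),
    _entry("kax17exit1", 0x33, "Exit Fast Running Stable Valid", 500),
    _entry("honestguard", 0x44, "Fast Guard Running Stable Valid", 8000),
    _entry("honestexit", 0x55, "Exit Fast Running Stable Valid", 9500),
    _entry("honestmiddle", 0x66, "Fast Running Valid", 2000),
    _entry("offlineguard", 0x77, "Fast Guard Stable Valid", 9000),
])
# Fingerprints of the constructed group; real groups are identified the same
# way, by fingerprint, since a covert operator does not declare a family.
KAX17_GROUP = {"11" * 20, "22" * 20, "33" * 20}


if __name__ == "__main__":
    shares = position_share(parse_consensus(SAMPLE_CONSENSUS), KAX17_GROUP)
    for pos, frac in shares.items():
        print(f"{pos:<7}{frac:6.1%}")
    print(f"guard+exit {full_circuit_probability(shares):.1%}")
```

Run against a real consensus, the same functions take the file fetched from a directory authority or mirror and a set of fingerprints, and the relay that is listed but not Running is excluded from every position just as it would be by a client.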
This network has withstood many attempts to shut it down, prompting researchers to warn that Tor users face "powerful adversaries with a lot of resources at their hands".
It is thought to have been operating since at least 2017. At the peak of its activity, KAX17 was running 900 malicious servers on the Tor network, roughly 9% of the 10,000 or so relays running on an average day. The relays were hosted in data centres around the world.
The identity and motivation of KAX17 are not known. The FBI is known to have deanonymized Tor traffic in the past, and to have used malware to identify users of TorMail, a dark web email service.
However, there is no way of telling whether KAX17 is run by spies, criminals, law enforcement agents or some other clandestine group, although the scale and sophistication of the operation suggest it was built by a nation-state.
An anonymous researcher known as Nusenu has been tracking KAX17 since December 2019 and released new findings in a blog post published on Medium.
Nusenu wrote: “A mysterious actor which we gave the code-name KAX17 has been running large fractions of the Tor network since 2017, despite multiple attempts to remove them from the network during the past years.
“KAX17 has been running relays in all positions of a tor circuit (guard, middle and exit) across many autonomous systems putting them in a position to de-anonymize some tor users.
Their actions and motives are not well understood.”
The implications of Nusenu's research are wide-reaching. If KAX17 really was de-anonymizing Tor users, it could mean that some visitors to dark web marketplaces have already had their identities exposed, although the attack only works against circuits that happen to pass through the attacker's relays in the right positions.
Nusenu added: ”It is apparent that Tor users have powerful adversaries with a lot of resources at their hands. It is a particularly uncomfortable situation to be in, knowing some actor has been running large fractions of the tor network for years and will continue to do so.”
The only clue to the identity of KAX17 came when someone apparently linked to it contributed to the Tor relay operators' mailing list, arguing against proposals to remove malicious relays; Nusenu wrote that the actor “disliked the proposals to make their activities less effective”.
Nusenu said that attempts to shut down the relay network had not succeeded, because it kept springing back to life.
“It is also clear that we cannot detect — let alone get removed — even such large scale relay groups in a timely manner,” Nusenu wrote. “KAX17’s operations likely got severely degraded when the tor directory authorities took actions against them in November 2021, but they already started to restore their foothold, like they did after their first removal in October 2019, so we will need some more sustainable solutions when dealing with malicious relays.”
The Tor Project has now removed hundreds of relays that appear to belong to KAX17.
“We are still investigating this attacker and can’t provide links to any attribution so far,” a Tor Project spokesperson said.
“We looked through all the relays in the network and identified several hundred relays that very likely belong to the same group and removed them on November 8.”