Malicious Tor Nodes Spying On Darknet Sites

Updated on:

The Tor Project, developed since 2006, has made the open network fully featured Tor browser available on virtually every platform for anyone wanting utmost privacy protection.

However, the entire Tor network cannot be deemed safe just like the internet in general.

Snooping attempts on Tor nodes are actually not surprising occurrences with bad exit nodes discovered now and then, as presented by constant updates from security researchers.

Nosy Nodes

Last year, an experiment done by researcher Chloe unraveled that bad guys were trying to take advantage of Tor users by sniffing traffic through exit nodes.

Early 2014, Karlstad University researchers Stefan Lindskog and Philipp Winter, revealed results of a 4-month study they conducted.

Your TOR usage is being watched

25 Tor nodes were identified and found to have been tampering with web traffic and decrypting it.

The traced sneaky behavior to an unspecified Russian entity eavesdropping nodes in the Tor network.

The latest update pertained to relays of the Tor network which allows people to visit dark web sites anonymously.

These were not exit nodes, but ordinary nodes that sorted through the traffic that passes through it.

Over 100 of these malicious hidden service directories or HSDirs have been discovered by researchers.

A Tor user typically reaches out to HSDirs, which function to store descriptors for various hidden services for the purpose of getting to the dark web site they intend to visit.

There are approximately more than 3,1000 nodes bearing the HSDir flag, in accordance with figures given by the non-profit Tor Project who maintains the Tor software.

If properly set, these directories do not record or log addresses of the services themselves, thus allowing Tor-hidden sites to remain undiscovered.

Now, this has become something they could only hope for because people can sometimes intentionally modify their HSDir to track all the dark web sites it spots.

Snoop Tor HSDir Nodes Spotted

Guevara Noubir, College of Computer and Information Science professor, and Ph.D. candidate Amirali Sanatinia, both from Northeastern University, discovered a fleet of Tor hidden service directories spying on dark web sites.

The two security experts conducted the study wherein they setup honeypots in the Tor network.

They created what they called “honey onions” or “honions” unknown to anyone, and someone visiting the site was a good indication that their service was picked up by a malicious node.

These modified nodes allowed the people running them to find the addresses of websites which are supposedly hidden.

Noubir stated that those who want to hunt dark web sites would basically go through the code, perform the modifications in order to log the .onions prior to visiting them in the Tor browser.

Sanatinia said that the hunters look for web server vulnerabilities such as cross-site scripting attacks, SQL-injection opportunities, or search for the server’s status page which may contain interesting, potentially identifying site information.

For a period of 72 days, the pair ran 4,500 honions and not only did they uncover 110 nosy nodes spying on dark web sites, but found out that some actors were not merely sniffing traffic as passive observers, but mostly reemerged to aggressively probe the Tor-hidden services.

They tried common exploits and sought to compromise the server-software to eventually take over.

In August, their research that ultimately led them to spot the armada of more than a hundred malicious HSDirs will be presented at the Def Con Hacking Conference.

Who’s Playing Spy?

No one can tell who exactly is running the spy nodes. They could be run by criminals or hackers who have just gotten themselves an exceptional tool for hunting new targets.

They would then attack and penetrate servers once they are discovered.

Perhaps it is the authorities and law enforcement officials, or the government’s “infowar” weapons private suppliers. Cops can make use of it to track down new child exploitation sites.

It could even be other independent researchers themselves or those doing scholarly research which doesn’t normally include hacking attempts on servers.

A majority of the dodgy HSDirs were hosted in the US, Germany, France, and other European countries.

But of course, this doesn’t necessarily mean the operators are based on the same countries since anyone can whip up a remote server from almost anywhere in the globe.

Moreover, over half of the 110 malicious nodes were hosted on the cloud, which makes it even challenging to pin down whose prying eyes are running them.

The people behind the modified HSDirs are a theoretical problem for the Tor project.

The non-profit’s co-founder Roger Dingledine expressed that the key thing to understand is that the relays are in fact not in the Tor network altogether at the same time.

Few or none at all can be existing at the moment he spoke.

He further added that the Tor Project has likewise recently uncovered malicious nodes.

They successfully kicked the modified HSDirs out of the Tor network, and that the recent research mirrored some of the work they’ve already been doing internally.

The team had also just undertaken a rearchitecturing of their hidden service system to prevent such attacks from taking place.

For now, Tor is still the best option in terms of privacy and anonymity as Dingledine has defended the network in 2015, where he acknowledged as well that there’s always room for improvement.

The ultimate fix? It’s their plan to re-do onion services, which Tor users are yet to see and experience.

Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.


  1. Anonymous

    While I view this predatory act as an invasion of my privacy I cant help but think of the good it is doing if in fact it is a legal agency. I for one think anyone that is into illegal activity to include women, children or any immoral sex act should be shot on sight. I think those that are trying to make TOR more secure need to also constantly remind themselves just what sort of lowlife scum they are protecting in the process! Not considering the acts of some of the trash that use this network and providing a means to help put them behind bars makes them just as guilty as the scum doing the act!

  2. Anonymous

    I agree that the government needs to have ways to police pedo porn and other extreme examples but I worry they willuse it for anything such as nabbing users or any dark drugs site or those who would post text and info they have fought hard to surpress. I think the free information aspect of darknet as a public good surpasses whatever harms are done by those using it to look at extreme pornography. We must have a safe place for the trailblazers or the whistleblowers or we will become the hunted amd Tor will only jave the content three letter agencies deem appropriate.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.