How Bitcoins are taken away in the Darknet: scammers used a modified Tor browser to steal tens of thousands of dollars

This cautionary tale isn't actually about the dark side of the Internet known as the Darknet, a haven for illegal online trading (here they sell drugs, stolen credit card numbers and malicious software), but about how a lack of basic information hygiene and of the habit of working with primary sources of information leads to losses of money as a result of not the most cunning actions on the part of scammers.

Prelude: how the Darknet and the Tor Browser are connected

Tor Browser (by the way, Tor is short for The Onion Router, which is reflected in its logo) is a completely legal and in no way malicious application created for onion routing over a network of relays, which, together with encryption of the traffic, ensures the user's anonymity on the Internet. It can be used, for instance, to access the Internet in countries with a totalitarian approach to the Internet, where some social networks or some sites are prohibited. Everyone knows about the blocking of social networks in China, Russia and Ukraine, but in general there are more than a dozen countries in the world where some social networks are banned in one form or another: in addition to the obvious North Korea, these also include, for example, Iran and Turkmenistan. In a number of countries, social networks can be temporarily blocked during periods of social upheaval and emergencies (Egypt and Turkey have distinguished themselves in this regard). Oddly enough, the US Department of Defense and the US State Department had a hand in the development of the Tor browser. Development began back in 1995, and at one time DARPA participated in the project, but the source code of the browser was published under an open license, which disarms the arguments of lovers of conspiracy theories, because anyone can check the code for backdoors planted by the US intelligence services (or those of any other country).

The Tor browser allows you to bypass blocking and (which is no less important) to encrypt all user traffic, so that the user's activity cannot be observed by intelligence services. Of course, it is precisely for this capability that Tor and its network are loved by criminals who sell (most often) drugs, weapons and malware, or stolen databases of various companies, on Darknet forums and sites. This may be user data and/or credit card numbers. It's not that an ordinary "honest person" has nothing to do on such sites (information security specialists, for example, may go there as part of their professional activities, and intelligence officers for the same reason), but most often Darknet buyers purchase something illegal. After all, you wouldn't create an online clothing store and then hide it from search engines, would you? The peculiarity of Darknet sites is their long, indigestible and hard-to-remember addresses, which consist of a random-looking string of characters. This is exactly what the attackers take advantage of: one such address is easily swapped for another without arousing any suspicion on the part of the user.

Exposition: wash your hands before eating and use primary sources on the net

At the first stage, the attackers created a fake Tor browser website in Russian. The paradox of the situation is that it does not even copy the original project site, but it does talk convincingly about the benefits of anonymity on the Internet thanks to the browser's capabilities. The official website of the project looks like this:

[screenshot]

The attackers' site looks very different, but it is designed for an audience that has heard about the browser itself, has never visited the official site, and is not in the habit of checking primary sources of information (and this in an era of countless fakes).

[screenshot]

Users have not been taught even the simplest thing: the security indicator next to the site address that all modern browsers have (and all the developers of these browsers spend effort on training and informing users about it, but apparently to no avail). This is what the security icon for the original site looks like:

[screenshot]

And here is the fake:

[screenshot]

It is clear that when my mother told me in childhood that you need to wash your hands before eating, she did not mention installing applications from sites that carry the label "Not secure" in Russian (which, in principle, corresponds to unwashed fruit). Therefore, people sincerely believe that they can install a browser from such a site, and then spend their money with it, without thinking about the consequences.

Plot: Trojan Horse (timeless classic)

What is the difference between the real browser and the one that the user downloads at their own risk from the supposedly official Tor site? Thanks to the open source code, it is a real Tor browser, with only two important differences: first, all updates are disabled in it (otherwise a clean version would be downloaded from the official website), and second, its extensions contain malicious code that allows the attackers to steal users' money. The screenshots below will be of interest mainly to software developers; for others, they are provided for a general understanding of the situation.

The following changes appeared in the settings of the infected browser (highlighted in color); they relate to blocking updates.

[screenshot]
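Disabled updates are the first thing a defender can check for in a suspicious Tor Browser installation, because the settings live in a plain-text prefs.js inside the profile. The script below is an added example written for this article, not code from ESET or the Tor Project: it parses the `user_pref()` lines of a prefs.js file and flags any value that switches off browser or extension updates. The preference names it looks for are standard Firefox preference names; that they are the ones relevant to the Tor Browser build under review is an assumption, and the two sample files are constructed for the demonstration.

```python
"""Audit a Tor Browser / Firefox profile's prefs.js for settings that silence updates.

Added example, not from the article or from ESET. The trojanized build described
above kept itself alive by turning updates off; this script parses the
user_pref() / pref() lines of a prefs.js or user.js file and flags values that
disable browser or extension updates.
"""
import re

# Standard Firefox preference names that control updating, with the value a
# healthy profile is expected to carry. Assumption: these are the preferences
# that matter for the Tor Browser version being audited.
EXPECTED_UPDATE_PREFS = {
    "app.update.enabled": True,
    "app.update.auto": True,
    "extensions.update.enabled": True,
    "extensions.update.autoUpdateDefault": True,
}

# One prefs.js line: user_pref("name", value); with an optional trailing comment.
PREF_LINE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*(?://.*)?$')


def parse_pref_value(raw: str):
    """Convert the JavaScript literal used in prefs.js into a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything else (floats, odd literals) as text


def parse_prefs(text: str) -> dict:
    """Parse every user_pref()/pref() line; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_pref_value(m.group(2))
    return prefs


def audit_update_prefs(text: str) -> list:
    """Return (pref, value) pairs that disable updates, in EXPECTED_UPDATE_PREFS order."""
    prefs = parse_prefs(text)
    findings = []
    for name, expected in EXPECTED_UPDATE_PREFS.items():
        if name in prefs and prefs[name] != expected:
            findings.append((name, prefs[name]))
    return findings


# Constructed sample: a profile whose update prefs have been flipped, mixed with
# unrelated prefs that the auditor must ignore.
SAMPLE_TAMPERED = """\
// Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.enabled", false);
user_pref("network.proxy.socks_port", 9150);
"""

# Constructed sample: a profile that still updates normally.
SAMPLE_CLEAN = """\
user_pref("app.update.enabled", true);
user_pref("network.proxy.socks_port", 9150);
"""

if __name__ == "__main__":
    for label, sample in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        findings = audit_update_prefs(sample)
        verdict = f"updates disabled: {findings}" if findings else "no update-blocking prefs"
        print(f"{label}: {verdict}")
```

To use it on a real installation, read the prefs.js from the Tor Browser profile directory and pass its contents to `audit_update_prefs`; an empty result only means these particular preferences are intact, so it complements, rather than replaces, verifying the installer's signature from the official site.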

Differences between the extension code of the original and the modified (trojanized) Tor browser:

[screenshot]

Example of the request for malicious code made when a specific Darknet store is opened:

[screenshot]

Spoiler: there is such a profession: finding threats and protecting users

[photo]

Anton Cherepanov, Senior Malware Researcher, ESET

The real hero of this story, who discovered the whole scheme and investigated the threats associated with it, is Anton Cherepanov, senior malware researcher at ESET. It was he who, in the course of his work, discovered both the fake website and the infected browser, and who investigated the entire chain of events, from the schemes for distributing the trojanized version of the Tor browser to the damage caused by the scammers who received Bitcoin transactions into their wallets. According to Anton, out of professional necessity he visits Darknet forums where malicious software is sold, in order to stay aware of the latest trends in its development. ESET registers about 300,000 software threats per day, studies them, and analyzes the emergence of new malware and its connection with activity on such forums. All threats entering the system are checked by automated systems; if the system cannot determine whether something is malware or not, people are brought into the process and study the threat "manually".

This is what the threat monitoring center at ESET headquarters in Bratislava looks like (something similar, only on a larger scale, can be seen in the Turkcell network control center in Turkey):

[photo]

The ups and downs: the path to infection (cheese in a mousetrap)

To promote the trojanized version of the Tor browser, the attackers used popular search queries related to searching for drugs, bypassing blocking, and Russian opposition politicians:

[screenshot]

On pages created with search engine optimization in mind, links were placed to a site from which the trojanized version of the Tor browser could be downloaded:

[screenshot]

Anton Cherepanov counted about half a million views of such pages. The malicious browser code targeted three of the largest Russian markets on the Darknet and used three Bitcoin wallets and several QIWI wallets (this payment system, although it requires authorization, makes it practically impossible to trace the wallets: they are registered to unsuspecting people, for example people who have lost their documents).

Climax: moment of truth

On the transaction page of the Darknet market, the malicious script replaced the wallet address shown to the buyer with code containing the attackers' wallet. Thus, unsuspecting users made payments to the scammers whose software they were using.

[screenshot]
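The swap described above happens after the page has loaded, so the address the market's server sent and the address the user sees no longer agree. That gap is what a defender (a market operator's integrity check, a forensic comparison of a proxy capture against a saved DOM, or a cautious user with two snapshots) can test for. The script below is an added example for this article, not code from ESET or from any market: it extracts Bitcoin-looking addresses from the raw HTTP response and from the rendered DOM of the same page and reports what was removed and what was injected. The two snapshots and every address in them are constructed for the demonstration (base58-shaped strings, not real wallets).

```python
"""Detect a swapped Bitcoin payment address on a rendered page.

Added example, not from the article or from ESET's analysis. Compares two
snapshots of the same payment page, the response as sent by the server and the
DOM as rendered in the browser, and reports any address substitution between
them. Addresses and snapshots below are constructed for the demonstration.
"""
import re

# Legacy base58 addresses (start with 1 or 3, base58 alphabet omits 0, O, I, l)
# and bech32 addresses (start with bc1).
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})\b")


def extract_addresses(html: str) -> list:
    """Return Bitcoin-looking strings in document order, duplicates removed."""
    found = []
    for m in BTC_ADDRESS.finditer(html):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def find_substitutions(server_html: str, rendered_html: str) -> dict:
    """Compare the two snapshots and describe what changed.

    'missing'  : addresses the server sent that are no longer displayed
    'injected' : addresses displayed that the server never sent
    'tampered' : True when the two address sets differ at all
    """
    sent = extract_addresses(server_html)
    shown = extract_addresses(rendered_html)
    return {
        "missing": [a for a in sent if a not in shown],
        "injected": [a for a in shown if a not in sent],
        "tampered": set(sent) != set(shown),
    }


# Constructed snapshots: the server's response carries one address, the
# rendered DOM carries a different one in the same element.
SERVER_RESPONSE = """
<div class="pay">Send 0.012 BTC to
  <span id="addr">1SampeBuyerAddrConstructedNotRea</span>
</div>
"""

RENDERED_DOM = """
<div class="pay">Send 0.012 BTC to
  <span id="addr">3AttackerAddrConstructedSampeNotRea</span>
</div>
"""

if __name__ == "__main__":
    report = find_substitutions(SERVER_RESPONSE, RENDERED_DOM)
    if report["tampered"]:
        print("address substitution detected")
        print("  sent by server but not displayed:", report["missing"])
        print("  displayed but never sent:        ", report["injected"])
    else:
        print("page addresses intact")
```

The comparison deliberately works on the two snapshots rather than on a live DOM, because a browser whose own extensions have been modified cannot be trusted to report on itself; the server-side copy (or a capture taken outside the browser) is the reference the rendered page is checked against.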

Ending: $40,000 in bitcoins and, presumably, several times more in QIWI wallets

Since all Bitcoin transactions can be tracked thanks to the blockchain, ESET employees were able to estimate the size of the fraud. In total, 4.8 bitcoins were transferred to the three wallets (about $40,000 at the time of the study). The damage from fraudulent transfers to QIWI wallets cannot be assessed without access to the payment system's billing records, although the amounts there are obviously even larger, since creating a QIWI wallet is much simpler and more accessible than working with bitcoins. Anton Cherepanov says that he and his colleagues found three Bitcoin wallets in the trojanized browser code, and that there could be hundreds of QIWI accounts in it.

[screenshot]

Epilogue: a fool does not need a knife

Of course, Darknet users buying drugs, weapons or malware put themselves at risk, despite all the anonymity that accompanies the Darknet. But everyone who lost their money in this story could have avoided it by following the simplest rules of information hygiene on the Internet. Use primary sources of information: this is a golden rule that makes modern life on the Web easier, and it applies not only to installing software but also to news with its flashy headlines.

The "proven source" is becoming todayas necessary as washing your hands after using the toilet or brushing your teeth. And until we learn how to monitor the browser icons ourselves, which testify to the security of the site with which we plan to perform some action (and do not teach our children the same thing), we will always get into unpleasant situations.