How bitcoins are stolen on the Darknet: scammers used a modified Tor Browser to take tens of thousands of dollars

This instructive story is actually not so much about the dark side of the Internet known as the Darknet, a haven of online trafficking (drugs, stolen credit card numbers and malware are sold there), as about how a lack of basic information hygiene and of the habit of working from primary sources leads to losing money to scammers whose tricks are not even especially clever.

Prelude: how the Darknet and the Tor Browser are connected

The Tor Browser (by the way, Tor is an abbreviation of The Onion Router, which is reflected in its logo) is a completely legal and by no means malicious application built for onion routing: traffic is passed through a chain of relays, each peeling off one layer of encryption, and it is this, together with the encryption itself, that gives the user anonymity on the Internet. Formally, it can be used to reach the Internet in countries with a totalitarian approach to the network, where certain social networks or sites are prohibited. Everyone knows about the blocking of social networks in China, Russia and Ukraine, but in total there are more than a dozen countries in the world where some social networks are banned in one form or another: besides the obvious North Korea, they include, for example, Iran and Turkmenistan. In a number of countries social networks may be blocked temporarily during social upheavals and emergencies (Egypt and Turkey have distinguished themselves here). Oddly enough, the US Department of Defense and Department of State had a hand in developing Tor. The work began back in 1995, and at one point DARPA took part in the project, but the source code of the browser is published under an open license, which disarms the arguments of conspiracy theorists, because anyone can check the code for backdoors planted by the US special services (or those of any other country).

The Tor Browser allows you to bypass blocking and (no less important) encrypts the user's traffic, so that their activity cannot simply be handed over to the special services. (Strictly speaking, that encryption covers the path through the Tor network; what leaves the last relay towards an ordinary website is only as protected as that site's own HTTPS, which is why hidden services with .onion addresses exist at all.) Of course, it is precisely for this that Tor and its network are loved by criminals selling drugs, weapons and malware, or (most often) stolen databases of various companies, on Darknet forums and sites. These may be user data and/or credit card numbers. Not that an ordinary "honest person" has nothing to do on such sites (information security specialists, for example, go there because of their professional work, and the secret services for the same reason), but most often Darknet buyers are after something illegal. After all, you would not set up an online clothing store and then hide it from search engines, would you? A feature of Darknet sites is their long, indigestible and hard-to-remember addresses made up of a random-looking string of characters. This is exactly what cybercriminals exploit, substituting one address for another without arousing any suspicion on the part of the user.

Exposition: wash your hands before eating and use original sources on the net

At the first stage, the attackers created a fake Tor Browser site in Russian. The paradox of the situation is that it does not even copy the original site, located at But it talks convincingly about the benefits of anonymity on the Internet that the browser provides. The official website of the project looks like this:

The attackers' site looks quite different, but it is designed for an audience that may have heard of the browser itself yet has never visited its official site, and is not in the habit of checking primary sources (and this in an era of countless fakes).

Even the simplest thing, the security indicator next to the site address that all modern browsers have, teaches users nothing (and the developers of these browsers spend real effort on training and informing users, but apparently it is wasted). This is what the security icon for the original site looks like:

And here's a fake:


It is clear that when mom told you to wash your hands before eating, she said nothing about installing applications from sites that display the words "Not secure" in Russian (which, in principle, corresponds to unwashed fruit). So people sincerely believe that you can install a browser from such a site and then spend your money through it, without thinking about the consequences.

Setting: a Trojan horse (a timeless classic)

What is different about the browser that a user downloads at their own risk from the supposedly official Tor site? Thanks to the open source code, it is a real Tor Browser, with only two important differences: first, all updates are disabled in it (otherwise a clean version would have been downloaded from the official site and replaced it), and second, malicious code has been written into one of its extensions to steal the users' money. That silence is itself a warning sign: the genuine Tor Browser checks for new versions and nags you to update, so a build that sits quietly on an old version for weeks has had that switched off. The screenshots below will be of interest only to software developers; for everyone else they are given for a general understanding of the situation.

The following changes appeared in the settings of the infected browser (highlighted in color in the screenshot); they relate to blocking updates.
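Since the page shows the settings diff only as a screenshot, here is an added example (not code from the article or from ESET) of how to audit a Tor Browser profile's prefs.js for that kind of tampering. The preference names are the standard Firefox and Torbutton switches for self-update, extension updates and extension signing, chosen here as the ones a reviewer would look at first; the page does not list which preferences the attackers changed, so treat that list and the two sample files as assumptions.

```javascript
// Added example: audit a Tor Browser (Firefox) prefs.js for update-disabling tampering.
// Not code from the article or from ESET. The preference list is an assumption:
// these are standard Firefox/Torbutton switches, not the exact ones in the trojanised build.

// Value that, if set, means the corresponding safety mechanism was switched off.
const RISKY_PREFS = {
  "app.update.enabled": false,                        // browser self-update off
  "app.update.auto": false,                           // automatic update installs off
  "extensions.update.enabled": false,                 // extension updates off
  "extensions.torbutton.versioncheck_enabled": false, // Torbutton "is this Tor Browser outdated?" check off
  "xpinstall.signatures.required": false,             // unsigned (tampered) extensions accepted
};

// prefs.js lines look like: user_pref("name", value);  where value is a JS literal.
const PREF_LINE_RE = /^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$/;

// Parse prefs.js text into a Map of name -> value (booleans, numbers, strings).
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE_RE.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a pref
    let value;
    try {
      value = JSON.parse(m[2]); // true/false, 9150, "about:tor" are all valid JSON
    } catch {
      value = m[2]; // keep the raw literal if it is not JSON (single quotes etc.)
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return the names of risky preferences that are set to their "disabled" value.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return Object.entries(RISKY_PREFS)
    .filter(([name, badValue]) => prefs.has(name) && prefs.get(name) === badValue)
    .map(([name]) => name);
}

// Constructed sample resembling a tampered profile (not the real file from the campaign).
const TAMPERED_PREFS = `// Mozilla User Preferences (constructed sample)
user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("extensions.update.enabled", false);
user_pref("extensions.torbutton.versioncheck_enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("browser.startup.homepage", "about:tor");
user_pref("network.proxy.socks_port", 9150);
`;

// Constructed sample of a profile with updates left on.
const CLEAN_PREFS = `user_pref("app.update.enabled", true);
user_pref("network.proxy.socks_port", 9150);
`;

console.log("tampered profile:", auditPrefs(TAMPERED_PREFS));
console.log("clean profile:", auditPrefs(CLEAN_PREFS)); // []
```

Run it with `node` against your own profile by reading `prefs.js` (and `user.js`, which overrides it) from the Tor Browser data directory instead of the constructed strings; a non-empty result on a browser you did not deliberately configure that way is reason to reinstall from the official site.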

Differences between the extension code of the original and the modified (trojanized) Tor Browser:

An example of the malicious code being requested when a specific Darknet store is opened:

Spoiler: there is such a profession as finding threats and protecting users

Anton Cherepanov, Senior Malware Researcher, ESET

The real hero of this story, who uncovered the whole scheme and investigated the threats connected with it, is Anton Cherepanov, Senior Malware Researcher at ESET. It was he who, in the course of his work, discovered both the fake site and the infected browser, and traced the entire chain of events: from the distribution scheme of the trojanized Tor Browser to the damage done by the scammers, who received bitcoin transfers to their wallets. According to Anton, out of professional necessity he visits the Darknet forums where malware is sold, so as to stay aware of the latest trends in its development. ESET registers about 300,000 software threats per day, examines them and analyzes the appearance of new malware and its relationship with activity on such forums. Every sample that enters the system is checked by automated systems; when the automation cannot decide whether something is malicious, people who study the threat "by hand" are brought into the process.

This is what the threat monitoring center at ESET headquarters in Bratislava looks like (something similar, only on a larger scale, can be seen in the Turkcell network control center in Turkey):

Twists and turns: the path to infection (the cheese in the mousetrap)

To promote the trojanized version of the Tor Browser, the attackers used popular search queries related to looking for drugs, bypassing blocking and Russian opposition politicians:

On pages built with search engine optimization in mind there were links to a site from which the Trojan version of the Tor Browser could be downloaded:

Anton Cherepanov counted about half a million views of such pages. The browser's malicious code targeted the three largest Russian Darknet markets and used three bitcoin wallets and several QIWI wallets (although this payment system requires identification, in practice the wallets cannot be traced to the criminals: they are registered to unsuspecting people, for example those who have lost their identity documents).

Climax: the moment of truth

On the payment page of the Darknet market, a malicious script replaced the wallet address the customer was supposed to pay to with the attacker's wallet address. Thus unsuspecting users made their payment to the scammers whose software product they were using.

Ending: $40,000 in bitcoins and, presumably, several times more in QIWI wallets

Since all bitcoin transactions can be traced thanks to the blockchain, ESET employees were able to estimate the size of the fraud. In total, 4.8 bitcoins were transferred to the three wallets (about $40,000 at the time of the study); note that this counts only the three addresses found in the sample. The damage from fraudulent QIWI transfers cannot be estimated without access to the payment system's billing, although it is fairly obvious that the amounts there should be even larger, since creating a QIWI wallet is far easier and more accessible than working with bitcoins. Anton Cherepanov says that he and his colleagues found three bitcoin wallets in the code of the Trojan browser, and there may be hundreds of QIWI accounts.

Epilogue: you don't need a knife to rob a fool

Of course, Darknet users buying drugs, weapons or malware are themselves at risk, despite all the anonymity that goes with the Darknet. But everyone who lost money in this story could have avoided it by following the simplest rules of information hygiene on the Internet. Use primary sources of information: this is a golden rule that makes life on the modern Web easier, and it applies not only to installing software but also to news with flashy headlines.


The "verified source" is today becoming as necessary as washing your hands after using the toilet or brushing your teeth. And until we learn to pay attention to the browser indicators that tell us whether the site we are about to do something on is secure (and teach our children the same), we will keep getting into unpleasant situations.