Popular Tor exit nodes look to be raided or hacked
Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control following what he’s called “unusual activity.” In a post on Tor mailing list Thomas said,”I have now lost control of all servers under the ISP and my account has been suspended.” The entire signed message is given below :
Many of you by now are probably aware than I run a large exit node
cluster for the Tor network and run a collection of mirrors (also ones
available over hidden services).
Tonight there has been some unusual activity taking place and I have
now lost control of all servers under the ISP and my account has been
suspended. Having reviewed the last available information of the
sensors, the chassis of the servers was opened and an unknown USB
device was plugged in only 30-60 seconds before the connection was
broken. From experience I know this trend of activity is similar to
the protocol of sophisticated law enforcement who carry out a search
and seizure of running servers.
Until I have had the time and information available to review the
situation, I am strongly recommending my mirrors are not used under
any circumstances. If they come back online without a PGP signed
message from myself to further explain the situation, exercise extreme
caution and treat even any items delivered over TLS to be potentially
The mirrors in concern are:
I will do my best to keep this list updated on the situation as it
develops. If any of the mirrors or IPs do come back online, I would
welcome anyone who is capable of doing so checking for any malicious
code to ensure they are not used to deploy any kind of state
malware/attacks against users should my theory prove to be the case.
At this moment in time I am under no gagging orders or influence from
external parties/agencies. If no update is provided within 48 hours
you may draw your own conclusions.
Soon after posting of the message by Thomas, tech and underground forums were agog with the rumours of raids by authorities. Tor has been in news for some time now since the revelation that FBI had exposed Tor users IP addresses to catch a criminal. However, at 23:54:32 UTC, Thomas posted another message to assuage the fears of Tor users of a possible raid by authorities and stop the rumour mongering going on in the forums and chats. The second message is given below :
Ok now the dust has settled a little, a few updates on the situation:
1. The likelihood of this being the work of law enforcement seems to
be lower than originally anticipated. This is good in many ways but
asks more questions than it solves right now. I am not going to
completely exclude the possibility of law enforcement involvement
though as there simply isn’t enough information.
2. A large portion of our logs seem to be non-existent right now, I am
not sure how or why they have been cleared as this has not happened
before. When a bit of time has passed and I can be sure of no imminent
raid on my property I will look into the logs in more detail and share
them with people more qualified than myself to judge on the matter. If
appropriate we will then also look to make them public assuming there
are no consequences for doing so. Furthermore as the time & date of
some of the servers seem to have been skewed, what remaining info
there is may be unreliable.
3. The servers have been blacklisted and pose no danger to the Tor
network or the users of it. I will refrain from putting these servers
back online until a proper vetting and analysis of events has happened.
4. Support staff at the ISP have not yet commented on whether a
warrant has been executed for the servers. At this stage it isn’t
possible to distinguish whether the person I talked to genuinely
doesn’t know or they are being told to refrain from commenting at this
moment in time. Therefore I won’t be drawing conclusions from that.
5. Support staff at the ISP have confirmed to me there has been
unauthorised access to my account. This could be down to the fact I
access the control panel often via Tor (yes, using TLS before anybody
asks), however it does raise the prospect of a non-LE person(s) being
behind this but does not explain why a chassis intrusion was detected
for example or anything else to do with on-board sensors.
6. No information was kept on the server in relation to users. We
follow the best practice guidelines on running a Tor server to reduce
any information stored on our hardware about the users of Tor. These
events in no way put users at risk who may have used our nodes in the
past or at the time the servers went offline.
7. Again, at this moment in time I am under no gagging orders or
unreasonably withholding information under orders.
8. Tor isn’t broken. Stop panicking. The strength of Tor is that no
single party has the power to critically damage the network or to put
users at risk. If I believe I come across any such vulnerability, this
will be forwarded to the core developers immediately and patched.
9. One or two media groups/reps have contacted me. I appreciate your
interest in Tor and these recent events but I am not a representative
of Tor and I don’t want to draw a conclusion right now as it would be
no more than mere speculation really. If anything significant develops
I am sure Tor Project will release the information in due course.
From these two messages by Thomas, one thing is clear that Thomas’s servers were under the control of a third party for a brief period. The third party had deleted the logs which would have given Thomas clues to who had the control of the servers during this period. Another thing that Thomas mentions is that he is not sure if this was a raid by the authorities. However he has not excluded the idea of a large scale raid by FBI on Tor exit nodes. The servers mentioned in the first message have been blacklisted by Thomas and will be put up only after proper vetting. He is in contact with the ISP providers for finding out the exact reasons behind this ‘unusual activity.
In the meantime Thomas as asked all Tor users to be patient and reiterated that Tor is stronger to be broken by outage in few exit nodes.
Resource : 1. Gmane
2. Tor Projects.