The KAX17 threat actor ran relay servers in various positions within the Tor network, including entry (guard) and exit nodes. The Tor Project removed hundreds of servers set up by the threat actor in October and November 2021.
In August 2020, the security researcher known by the moniker Nusenu revealed that in May 2020 a single threat actor had managed to control roughly 23% of the Tor network's exit nodes. Experts warned that this was the first time a single actor had controlled such a large share of Tor exit relays. A Tor exit relay is the final relay that Tor traffic passes through before it reaches its intended destination. Because traffic leaves the Tor network through these relays, the destination sees the IP address of the exit relay as the source of the traffic. Tor exit relays advertise their presence to the entire Tor network, so any Tor user's circuits can be routed through them.
An operator who controls exit relays can see which websites users connect to and, when the connection to the destination is not encrypted (plain HTTP rather than HTTPS), can also read or manipulate the traffic in transit; content protected by end-to-end TLS cannot be read at the exit, although the destination host is still visible. In May 2020 the threat actor controlled over 380 Tor exit relays, peaking on May 22, when it controlled 23.95% of the Tor exit relays.
Nusenu told The Record that the same activity has resurfaced and is attributed to the same attacker.
"But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017," reads the post published by The Record. "Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point."
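The two figures that matter in this story are the share of exit capacity one actor holds (the 23.95% above) and the heuristic used to group KAX17's relays (relays that publish no contact information). The following script, an added example that is not code from the article or from Nusenu's own tooling, shows how such a share is computed: it filters a relay list to Running relays carrying a given flag, sums their consensus bandwidth weights, and reports the fraction held by relays matching a selector. It also multiplies the guard and exit shares to estimate how often a circuit would have both ends on the actor's relays, which is why running entry and exit nodes together is the threat. The relay records are constructed for illustration; in practice flags and bandwidth weights come from the Tor consensus and ContactInfo from server descriptors, and the guard-times-exit estimate assumes independent bandwidth-weighted selection and ignores family and subnet exclusions and guard persistence, so it is only an upper bound.

```python
"""Estimate what share of Tor exit and guard capacity a group of relays holds.

Added example, not code from the article or from Nusenu. The relay records are
constructed; real data comes from the consensus and server descriptors.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str        # hex fingerprint; values below are placeholders
    flags: frozenset        # consensus flags such as Exit, Guard, Running
    bandwidth: int          # consensus bandwidth weight
    contact: str = ""       # ContactInfo from the descriptor; "" when absent


# Constructed sample data. Three exits and three guards are Running; one exit
# is not Running and one relay is a plain middle relay, so neither is counted.
SAMPLE_RELAYS = [
    Relay("exit-a", "A" * 40, frozenset({"Exit", "Running", "Fast"}), 9000, "ops@example.org"),
    Relay("exit-b", "B" * 40, frozenset({"Exit", "Running", "Fast"}), 4000, ""),
    Relay("exit-c", "C" * 40, frozenset({"Exit", "Running"}), 2000, ""),
    Relay("exit-d", "D" * 40, frozenset({"Exit", "Fast"}), 9000, ""),            # not Running
    Relay("guard-a", "E" * 40, frozenset({"Guard", "Running", "Stable"}), 10000, "ops@example.org"),
    Relay("guard-b", "F" * 40, frozenset({"Guard", "Running", "Stable"}), 5000, ""),
    Relay("guard-c", "0" * 40, frozenset({"Guard", "Running", "Stable"}), 5000, "tor@example.net"),
    Relay("middle-a", "1" * 40, frozenset({"Running", "Fast"}), 3000, ""),        # no Exit/Guard flag
]


def no_contact(relay: Relay) -> bool:
    """Selector for the grouping heuristic in the article: no ContactInfo."""
    return relay.contact.strip() == ""


def capacity_share(relays: Iterable[Relay], position: str,
                   selector: Callable[[Relay], bool]) -> float:
    """Fraction of bandwidth weight in `position` (e.g. "Exit" or "Guard")
    held by relays matching `selector`. Only Running relays with that flag
    are part of the pool, matching how clients pick relays for that role."""
    pool = [r for r in relays if "Running" in r.flags and position in r.flags]
    total = sum(r.bandwidth for r in pool)
    if total == 0:
        return 0.0
    return sum(r.bandwidth for r in pool if selector(r)) / total


def circuit_exposure(relays: Iterable[Relay],
                     selector: Callable[[Relay], bool]) -> Tuple[float, float, float]:
    """Return (guard share, exit share, guard*exit). The product approximates
    the chance that one circuit has both its entry and its exit on the group,
    assuming independent bandwidth-weighted choice; it is an upper bound since
    real selection also excludes same-family and same-/16 relays."""
    relays = list(relays)
    guard = capacity_share(relays, "Guard", selector)
    exit_ = capacity_share(relays, "Exit", selector)
    return guard, exit_, guard * exit_


def positions_over_threshold(relays: Iterable[Relay],
                             selector: Callable[[Relay], bool],
                             threshold: float = 0.20) -> list:
    """Positions where the selected group exceeds `threshold` of capacity."""
    relays = list(relays)
    return [pos for pos in ("Guard", "Exit")
            if capacity_share(relays, pos, selector) > threshold]


if __name__ == "__main__":
    g, e, both = circuit_exposure(SAMPLE_RELAYS, no_contact)
    print(f"no-contact guard share: {g:.1%}")
    print(f"no-contact exit share:  {e:.1%}")
    print(f"circuits with both ends on the group (upper bound): {both:.1%}")
    print("over 20% threshold:", positions_over_threshold(SAMPLE_RELAYS, no_contact))
```

On the constructed data the no-contact group holds 40% of exit capacity and 25% of guard capacity, so roughly one circuit in ten could land on the group at both ends. Swap `no_contact` for any other selector (a list of fingerprints, an AS number, a hosting provider) to measure a differently defined group.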
KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays