Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: LFC_Bitcoin on October 18, 2019, 01:16:44 PM



Title: Hackers targeting Tor
Post by: LFC_Bitcoin on October 18, 2019, 01:16:44 PM



Please be vigilant, always verify what you’re downloading & from where.


@coindesk
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm @ESET says it's been going on for "many years."

https://twitter.com/coindesk/status/1185165299450028033?s=21

@torproject

https://www.coindesk.com/fake-tor-browser-has-been-spying-stealing-bitcoin-for-years


Title: Re: Hackers targeting Tor
Post by: Astvile on October 18, 2019, 01:33:55 PM
Thanks for sharing this, OP. I don't know anything about that Tor malware injection issue. I've been using Tor Browser for some time now, and I quickly uninstalled it and updated all my online account passwords.
This is dangerous and Tor developers should fix and release a patch to kill it because most Tor users are bitcoin users and we are all at risk.


Title: Re: Hackers targeting Tor
Post by: BitcoinFX on October 18, 2019, 01:40:42 PM
Seems to have been mainly targeted towards 'Russian' Tor users on MS Windows ...

Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser
- https://hackernews.blog/fleecing-the-onion-darknet-shoppers-swindled-out-of-bitcoins-via-trojanized-tor-browser/

"... On clicking the “Update Tor Browser” button, the visitor is redirected to a second website with the possibility of downloading a Windows installer. There are no signs that the same website has distributed Linux, macOS or mobile versions. ..."

ESET Week in security: Research into The Dukes and Winnti Group, Echo bug; trojanized Tor browser
- https://youtu.be/wQ4l8ZT9DdU?t=113

...

Always check the URL.
Avoid using MS Windows.
Always use official sources.
Learn to use Linux and/or use Tails.
Always check the BTC payment address.
Don't do 'illegal' things on the internet.

...

Whilst I'm here, if anyone wants to help me fight the good fight for Bitcoin related Tor things ... go here:
- https://bitcointalk.org/index.php?topic=5177001.0


Title: Re: Hackers targeting Tor
Post by: AjithBtc on October 18, 2019, 01:44:49 PM
That's very useful information, and these days the hacking tricks can't be found easily. Most of the big hacks were done by creating phishing sites resembling the original. Through this, a lot of private data was stolen. Russia is a big market where hackers are very common, and this time through tor the targeting is a complete focus on the darkweb and related platforms. Let's safeguard ourselves.


Title: Re: Hackers targeting Tor
Post by: CryptoBry on October 18, 2019, 02:08:32 PM


Please be vigilant, always verify what you’re downloading & from where. Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm @ESET says it's been going on for "many years."



This problem has been going on for years and it is only now that it has been exposed to the light? Wow, that can be a big testament to the genius of the people behind the distribution of the fake TOR browser. People usually associate the TOR browser with privacy, anonymity and of course safety. So it makes sense for the perpetrators to fake the whole thing and lead people to believe that they are downloading the real, genuine TOR when in fact they are not and they are now victimized. How  many people and how much cryptocurrencies have been stolen by this malware remains to be seen. I am not using TOR but I am quite thankful that this infection has been brought to the open. We should really be careful with anything we are downloading.


Title: Re: Hackers targeting Tor
Post by: teosanru on October 18, 2019, 02:11:56 PM
Thanks for sharing. I think hackers have entered an all new world of hacking now and without regulations these things are much more prone when it comes to cryptocurrencies. But as far as I think, a little vigilance on our part can really save us from most of the scams.


Please be vigilant, always verify what you’re downloading & from where. Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm @ESET says it's been going on for "many years."



This problem has been going on for years and it is only now that it has been exposed to the light? Wow, that can be a big testament to the genius of the people behind the distribution of the fake TOR browser. People usually associate the TOR browser with privacy, anonymity and of course safety. So it makes sense for the perpetrators to fake the whole thing and lead people to believe that they are downloading the real, genuine TOR when in fact they are not and they are now victimized. How  many people and how much cryptocurrencies have been stolen by this malware remains to be seen. I am not using TOR but I am quite thankful that this infection has been brought to the open. We should really be careful with anything we are downloading.
I think before the phase of 2017 which was the phase when bitcoin came to popular light most of the users used tor to maintain anonymity to ensure they are hidden from authorities and hackers but they never thought that this is making them much more prone.


Title: Re: Hackers targeting Tor
Post by: crwth on October 18, 2019, 02:16:35 PM
I think to download the most common stuff from the internet is the easiest way to get someone an infected file. As technological advances sprout everywhere and continuous, new methods are being developed to hack cryptocurrency funds. I want to say that thank you for giving a reminder because sometimes we become so relaxed with what we currently have, and we will never know once we have been attacked.

Being tracked with search engines could also be a thing. Make sure you are utilizing a good engine. Like duckduckgo perhaps.


Title: Re: Hackers targeting Tor
Post by: Mandoy on October 18, 2019, 02:19:27 PM
This is a very sensitive issue and I thank you for sharing it. Hackers are very desperate just to access and steal our hard earned bitcoins and other cryptocurrency. Aside from sending phishing links, cryptojacking viruses, keyloggers, Bitcoin address switchers and ransomware, now we have this distributed fake TOR app. What was alarming is that the ESET anti-virus company has verified that it was operating for years already. We can just wish that all cryptousers be vigilant and I advise that we use a different pc or mobile for cryptocurrency and for other apps; this way we can be more secure: if our pc or mobile is infiltrated, the pc and mobile with our crypto logins will not be infected/infiltrated.


Title: Re: Hackers targeting Tor
Post by: ChrisPop on October 18, 2019, 02:36:46 PM
As always I think cybersecurity is a subject that is highly underconsidered by general users. Informational campaigns should be promoted more in the crypto communities as we're solely responsible for our software/hardware wallets unless we keep them with a custodian.

Remember that hackers are always working in the background and they become smarter and sneakier by the day. Precaution is law in this game.


Title: Re: Hackers targeting Tor
Post by: Casdinyard on October 18, 2019, 02:39:00 PM
Good thing they also share it on Facebook.

https://www.facebook.com/404460532994922/posts/2509439352497019/

Quote
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm ESET says it's been going on for "many years." http://ow.ly/KXTC50wOt53

Geez, we are all clueless that ToR had already been attacked by hackers for years. What else could be next then?


Title: Re: Hackers targeting Tor
Post by: jets567 on October 18, 2019, 04:34:05 PM
Fortunately I've never used Tor but this is a very alarming issue for everyone inside or outside of crypto space, given that the compromised version is the official Tor browser itself which makes it hard for a regular user to notice and it's been running for many years :o :o No wonder why the case of stolen Bitcoin is increasing.


Title: Re: Hackers targeting Tor
Post by: Artemis3 on October 18, 2019, 05:38:43 PM
Fortunately I've never used Tor but this is a very alarming issue for everyone inside or outside of crypto space, given that the compromised version is the official Tor browser itself which makes it hard for a regular user to notice and it's been running for many years :o :o No wonder why the case of stolen Bitcoin is increasing.


How could you be so clueless. This is tiresome, really.

Ever heard of people losing coins for downloading "compromised" wallets? Guess what, those were "official" too. Duh. They take the official thing, and add their malware, as it has been for decades. This used to be called Trojan, but could also be labeled phishing, as it usually involves a legit looking website (tho it could be simply infected files at a popular "downloads" site).

Tell you what, this means "hackers" are NOT attacking Bitcoin, not even the wallet. The ones attacked are the clueless people that download those dubious things in the first place. It's more social than technical...

Do you get it now or do I have to spell it out for you? This is NOT an "attack" on Tor, and is not "alarming" AT ALL, more like "duh, the usual windows trojan".


For starters don't use windows/osx/android/ios if you value security. Then we can go on with the important stuff, but at least that gets rid of 80% of the problem.

Tor is safe, Bitcoin is safe. Humans are not safe, humans fooled by other humans into downloading fake or tainted software, are not safe. Infamous layer 8...


Title: Re: Hackers targeting Tor
Post by: watergold on October 18, 2019, 05:41:24 PM
Good thing they also share it on Facebook.

https://www.facebook.com/404460532994922/posts/2509439352497019/

Quote
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm ESET says it's been going on for "many years." http://ow.ly/KXTC50wOt53

Geez, we are all clueless that ToR had already been attacked by hackers for years. What else could be next then?

In fact, I often use the Tor browser until now to surf the internet, I have to delete the Tor browser so I don't want it to happen that way before hackers spread the malware virus.


Title: Re: Hackers targeting Tor
Post by: Carlton Banks on October 18, 2019, 06:28:52 PM
In fact, I often use the Tor browser until now to surf the internet, I have to delete the Tor browser so I don't want it to happen that way before hackers spread the malware virus.

the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org


It keeps a master copy of the Debian linux OS safely that's never used directly. Then when you want to use Tor Browser, it makes a temporary copy of Debian, and opens Tor Browser inside that. When you quit, the whole temporary copy is deleted, including any malware that it might have got infected with :D


been running this way for years now, no problems at all 8)


Title: Re: Hackers targeting Tor
Post by: Herbet Fry on October 18, 2019, 07:11:41 PM
I am so glad I am with ESET, they're really good and make me feel protected. This is why you do not download anything that is not from the original site. Sometimes it is difficult not to if you are not paying attention. How often do people actually check the site they are on is the right one? This is why you always bookmark your sites to be sure.


Title: Re: Hackers targeting Tor
Post by: th3nolo on October 18, 2019, 10:00:07 PM
In fact, I often use the Tor browser until now to surf the internet, I have to delete the Tor browser so I don't want it to happen that way before hackers spread the malware virus.

the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org


It keeps a master copy of the Debian linux OS safely that's never used directly. Then when you want to use Tor Browser, it makes a temporary copy of Debian, and opens Tor Browser inside that. When you quit, the whole temporary copy is deleted, including any malware that it might have got infected with :D


been running this way for years now, no problems at all 8)


I prefer Qubes + Tails, that assures me the correct TOR version.

Also, Tails routes all network traffic through TOR, ensuring my anonymity and making it more difficult for hackers to target me.


Title: Re: Hackers targeting Tor
Post by: Artemis3 on October 18, 2019, 11:15:52 PM
In fact, I often use the Tor browser until now to surf the internet, I have to delete the Tor browser so I don't want it to happen that way before hackers spread the malware virus.

the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org


It keeps a master copy of the Debian linux OS safely that's never used directly. Then when you want to use Tor Browser, it makes a temporary copy of Debian, and opens Tor Browser inside that. When you quit, the whole temporary copy is deleted, including any malware that it might have got infected with :D


been running this way for years now, no problems at all 8)

This is the same thing as running Tails alone from a DVD. You can install anything to the running live session (as long as ram permits) then just turn off the PC and all you added is gone.


Title: Re: Hackers targeting Tor
Post by: jossiel on October 18, 2019, 11:30:57 PM
I have the TOR browser installed on my PC but used it a few times. Thanks for this, I have uninstalled it already and deleted all the necessary folders related to it.

the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org


It keeps a master copy of the Debian linux OS safely that's never used directly. Then when you want to use Tor Browser, it makes a temporary copy of Debian, and opens Tor Browser inside that. When you quit, the whole temporary copy is deleted, including any malware that it might have got infected with :D


been running this way for years now, no problems at all 8)
I might test this sometime, thanks for sharing this too.


Title: Re: Hackers targeting Tor
Post by: Carlton Banks on October 19, 2019, 12:30:00 AM
the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org
I might test this sometime, thanks for sharing this too.

you need:

  • 8GB RAM minimum (really 12GB is the comfortable minimum)
  • Intel VT-d or the AMD equivalent (forgot the name)
  • Intel SLAT or the AMD equivalent (ditto)

There's a LiveDVD version, so that would test your pc's ability to run Qubes. You can also check the list of compatible computer models (the HCL) on https://qubes-os.org before trying.


the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org


It keeps a master copy of the Debian linux OS safely that's never used directly. Then when you want to use Tor Browser, it makes a temporary copy of Debian, and opens Tor Browser inside that. When you quit, the whole temporary copy is deleted, including any malware that it might have got infected with :D

This is the same thing as running Tails alone from a DVD. You can install anything to the running live session (as long as ram permits) then just turn off the PC and all you added is gone.

Qubes can do this selectively though.

You can run Tor Browser (or any app) in a volatile ("disposable" in Qubes jargon) way, but if you want to run a different browser with cookies stored in it at the same time, that's also possible. Qubes uses Xen to sandbox different apps into separate virtual machines.

And every separate hardware device can be sandboxed to its own virtual machine. So, attacks that target e.g. your network device cannot be used to compromise the overall OS, just the virtual machine the device runs in. All USB devices are similarly segregated to a VM, that can temporarily re-assign control of any specific USB port to another VM (which could be a disposable VM :) )

there are a lot of different ways to use Qubes OS, as well as a lot of new plans to enhance it. It's made for a pretty stable system since I've been a user, and I think the security benefits are what Bitcoin users need (you can keep e.g. hardware wallet very tightly controlled as to what websites are running when it's attached to your pc, or as I do, never attach the hardware wallet to an OS running any browser).

The standard VMs are Debian, Arch and Fedora, in case you're wondering (but any OS can be run in a more limited mode).


Title: Re: Hackers targeting Tor
Post by: elda34b on October 19, 2019, 12:58:38 AM
I am so glad I am with ESET, they're really good and make me feel protected.

Security awareness is a better protection than relying on what ESET said. Even if they didn't publish this, but you always verify the file signature then you should be fine.


Title: Re: Hackers targeting Tor
Post by: lobat999 on October 19, 2019, 03:42:05 AM
Though I find this a little bit ironic, this incident only shows the importance of downloading apps from official sites only and not be enticed easily by supposedly trusted fellow netizens with their app recommendations!

I think netizens should also exercise more vigilance and always be cautious to prevent these types of incident from happening again but I think this will never change until there are people who are gullible - the reason why this kind of intrusions will never stop! Imho.



Title: Re: Hackers targeting Tor
Post by: Oasisman on October 19, 2019, 03:52:48 AM
Though I am not using TOR browser, I think hackers can't penetrate if you only update your browser. Because the hacker's version of the official TOR browser is a totally different app with the same content but with additional spyware. People who are security-wise won't get easily attacked by this kind of malware.

I might as well research the same kind of attack using a different browser.


Title: Re: Hackers targeting Tor
Post by: pooya87 on October 19, 2019, 04:02:40 AM
people seriously have to get into the habit of either compiling from sources or verify the things they download and it goes for everything. Tor also uses PGP signatures to sign their releases and they have a help page explaining how to do it here: https://support.torproject.org/tbb/how-to-verify-signature/
that simple move can easily solve a great number of issues (such as malware infections, losing data, losing bitcoin,...).


Title: Re: Hackers targeting Tor
Post by: Kyraishi on October 19, 2019, 04:53:52 AM
Though I am not using TOR browser, I think hackers can't penetrate if you only update your browser. Because the hacker's version of the official TOR browser is a totally different app with the same content but with additional spyware. People who are security-wise won't get easily attacked by this kind of malware.

I might as well research the same kind of attack using a different browser.
The issue targets people that go on bad links and download exploited versions of the TOR browser which opens them up to exploits.

Download everything off official websites. And make sure you verify everything from the official tor website, and don't click bad links that might possibly include malware.


Title: Re: Hackers targeting Tor
Post by: blckhawk on October 19, 2019, 05:19:48 AM



Please be vigilant, always verify what you’re downloading & from where.


@coindesk
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm @ESET says it's been going on for "many years."

https://twitter.com/coindesk/status/1185165299450028033?s=21

@torproject

https://www.coindesk.com/fake-tor-browser-has-been-spying-stealing-bitcoin-for-years
This is not quite surprising. Bitcoin is widely used as a medium of payment and transactions in the deep web, and the tor browser is one of the vulnerable parts of connecting to onion sites. That's why when dealing with large funds, we must always be alert and wary of the software we use. One way to avoid these is just avoid browsing in the deep web or avoid engaging in transactions which are illegal.


Title: Re: Hackers targeting Tor
Post by: eaLiTy on October 19, 2019, 07:42:24 AM
Though I am not using TOR browser, I think hackers can't penetrate if you only update your browser. Because the hacker's version of the official TOR browser is a totally different app with the same content but with additional spyware. People who are security-wise won't get easily attacked by this kind of malware.
There are many methods a hacker could employ to steal the contents, the recent event is because they downloaded all the software from non official sources and they had a backdoor and they never identified until they lost their contents or coins. Everyone who is using the computer need to understand how to protect their content and that should be the basic.

Here is an example of how hackers could mislead you with another update from the software you are using if there is any vulnerability and here is the prime example. Electrum vulnerability (https://bitcointalk.org/index.php?topic=5090097.0)
 


Title: Re: Hackers targeting Tor
Post by: bounceback on October 19, 2019, 08:26:17 AM
I think this is a good post for us because it reminds us that the Tor browser hacker may be due to statements like this, I think it is no longer using the tor browser to access the bitcoin wallet because this is very detrimental to us if accessing the bitcoin wallet through a browser is most likely the browser can stole our bitcoin without realizing it.


Title: Re: Hackers targeting Tor
Post by: Kakmakr on October 19, 2019, 08:30:00 AM
Well it is common knowledge that hackers and governments infiltrate exit nodes to reveal people's hidden identity in the Tor network. They also run "exploited" nodes on the network and "sniff" the IP addresses of people using those nodes.  ::)

I run a bootable version of Tails that contains Tor as the built-in browser, so you do not have to download anything and when you reboot, everything is gone, so you start with a fresh OS after each reboot. <It even contains a built-in Bitcoin wallet, but you will have to run a persistent volume to use that.>  ::)


Title: Re: Hackers targeting Tor
Post by: naska21 on October 19, 2019, 09:08:59 AM
people seriously have to get into the habit of either compiling from sources or verify the things they download and it goes for everything. Tor also uses PGP signatures to sign their releases and they have a help page explaining how to do it here: https://support.torproject.org/tbb/how-to-verify-signature/
that simple move can easily solve a great number of issues (such as malware infections, losing data, losing bitcoin,...).

Agree, a check should always be made as to whether the downloads are signed by developers, but the trouble is the majority of users don't have even a shred of knowledge what a PGP signature is and how to determine the authenticity thereof. That said, one should always check the fingerprint of any public PGP key before certifying it in Kleopatra.
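
The two checks described in the posts above (verify the release signature, and confirm the signing key's fingerprint rather than trusting any key that happens to be in the keyring), as an added example that is not part of the thread or of the Tor Project's instructions. It parses the machine-readable output of `gpg --status-fd`; the fingerprints, key name and status lines are constructed sample data, and `signer_is_pinned` and `verify_download` are hypothetical helper names.

```python
import subprocess

# gpg status keywords that mean "do not trust this file".
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize(fpr):
    """Fingerprints are usually displayed in groups of four; compare them bare."""
    return "".join(fpr.split()).upper()


def signer_is_pinned(status_text, pinned_fpr):
    """Return (ok, reason) for the text gpg wrote to --status-fd.

    A signature is accepted only if gpg reports VALIDSIG and the primary key
    behind it is exactly the fingerprint the user pinned out of band.
    """
    pinned = normalize(pinned_fpr)
    primaries = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, "rejected: " + keyword
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; the optional tenth
            # argument is the primary key fingerprint, which is what users pin.
            primaries.append((args[9] if len(args) >= 10 else args[0]).upper())
    if not primaries:
        return False, "no valid signature"
    if any(p != pinned for p in primaries):
        return False, "signed by a key other than the pinned one"
    return True, "valid signature from pinned key"


def verify_download(sig_path, file_path, pinned_fpr):
    """Run gpg on a detached signature and apply the pinned-fingerprint check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return signer_is_pinned(proc.stdout, pinned_fpr)


# ---- Constructed sample data (not real keys or real gpg captures) ----
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
_PRIMARY = normalize(PINNED)
_SUBKEY = "1111222233334444555566667777888899990000"
_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
_TAIL = "2019-10-18 1571400000 0 4 0 1 10 00"
_UID = "Example Releases <releases@example.invalid>"

# Genuine file: valid signature by a subkey of the pinned primary key.
GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG 7777888899990000 {_UID}\n"
    f"[GNUPG:] VALIDSIG {_SUBKEY} {_TAIL} {_PRIMARY}\n"
)
# Cryptographically valid, but made by some other key in the keyring.
OTHER_KEY = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG 76543210FEDCBA98 {_UID}\n"
    f"[GNUPG:] VALIDSIG {_OTHER} {_TAIL} {_OTHER}\n"
)
# File contents do not match the signature.
TAMPERED = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG 7777888899990000 {_UID}\n"
)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("other key", OTHER_KEY),
                         ("tampered", TAMPERED)):
        print(name, "->", signer_is_pinned(sample, PINNED))
```

The second sample is the case a plain "Good signature" message hides: the user ID on a key is free text, so only the fingerprint comparison separates it from the genuine release.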


Title: Re: Hackers targeting Tor
Post by: jossiel on October 19, 2019, 05:42:19 PM
the OS I use does that automatically every time you open a Tor Browser: https://qubes-os.org
I might test this sometime, thanks for sharing this too.

you need:

  • 8GB RAM minimum (really 12GB is the comfortable minimum)
  • Intel VT-d or the AMD equivalent (forgot the name)
  • Intel SLAT or the AMD equivalent (ditto)

There's a LiveDVD version, so that would test your pc's ability to run Qubes. You can also check the list of compatible computer models (the HCL) on https://qubes-os.org before trying.
I might upgrade my PC first to 16GB although I'm eligible and have 8GB ram but it would be a better choice to have that comfortability minimum requirements.

The issue targets people that go on bad links and download exploited versions of the TOR browser which opens them up to exploits.

Download everything off official websites. And make sure you verify everything from the official tor website, and don't click bad links that might possibly include malware.
And don't download suspicious apps too.


Title: Re: Hackers targeting Tor
Post by: 1Referee on October 19, 2019, 10:15:02 PM
Here is an example of how hackers could mislead you with another update from the software you are using if there is any vulnerability and here is the prime example. Electrum vulnerability (https://bitcointalk.org/index.php?topic=5090097.0)

That was quite shocking for a lot of people. One doesn't expect that the legitimate application they downloaded from the main source forwards popups indicating that people should install an update which later turns out to make them lose all their funds. I truly hope that it made people so paranoid, that they will never have to go through that ever again.

I was already aware of similar tricks with other software applications, so I never click links or follow instructions as indicated by the popup, but visit the site myself and if needed download the actual software from there. I have to admit myself that being so paranoid is quite exhausting because every application needs to be verified and whatnot, but it's all worth it in the end.

It's also a reminder that crypto as a whole in no shape is even remotely close to mass adoption of common joe type of people.  :-\


Title: Re: Hackers targeting Tor
Post by: Carlton Banks on October 19, 2019, 10:59:57 PM
people seriously have to get into the habit of either compiling from sources or verify the things they download and it goes for everything.

compiling from source is a great habit to get into, but Tor Browser (or really, Firefox).... I've never tried that, but I get the feeling it takes a lot of care. Of course, OS's that compile everything locally in their package manager must do this, so it can't be too hard. Not going to try it any time soon myself, however


It's also a reminder that crypto as a whole in no shape is even remotely close to mass adoption of common joe type of people.  :-\

I find it embarrassing, and am myself feeling increasingly embarrassed as time goes on.

Most people use computers at the same level a child can teach itself to do, simply by watching and imitating. While these people watch their cat videos, I'm trying to learn basic computer science that (at its core) hasn't changed much since the 1970's, and people are still using the crappy 1980's sub-par clone (i.e. windows) of the 1970's model.

Meanwhile, others apparently still haven't learned the basic rule number zero of the internet; if it's a popup, don't fucking click anywhere except on the close button, especially if it tells you 'click here or you'll die'. I learned that in the first month or so when the internet was still new. seriously ffs


Title: Re: Hackers targeting Tor
Post by: Eugenar on October 20, 2019, 06:21:39 PM
And yet, they are trying to do these things to the safest browser I've known. Well, be cautious about this, as we all know, Tor has their own browser wherein we can download the tor browser. But when it comes to the point that they will target the site as well, it is mainly impossible, since phishing the website tor isn't easy as it doesn't contain any repetitive letters that might confuse the users.


Title: Re: Hackers targeting Tor
Post by: tanjiran on October 20, 2019, 09:36:39 PM
How ironic. Many people who want to improve performance and security on the internet by using the Tor browser, unfortunately even that is used as a weapon by hackers to steal other people's assets and break their hearts. From there we can take lessons to always be careful in installing applications and extensions on our devices, use the original, and do the download in an official place.
I know what it's like to be hacked, even though I've tried using a variety of multiple security, hopefully the hackers are aware of how painful it is to lose assets that have been sought and guarded desperately.


Title: Re: Hackers targeting Tor
Post by: samcrypto on October 20, 2019, 09:40:57 PM
And yet, they are trying to do these things to the safest browser I've known. Well, be cautious about this, as we all know, Tor has their own browser wherein we can download the tor browser. But when it comes to the point that they will target the site as well, it is mainly impossible, since phishing the website tor isn't easy as it doesn't contain any repetitive letters that might confuse the users.
But they did it and we must be very careful on dealing with the fake sites. Tor is trying to be the safest browser/site but hackers are doing their best to scam people and we cannot blame Tor with this one. If you see suspicious sites or any phishing sites, you must not download anything from it or else, your time has come to an end and your money will be gone.


Title: Re: Hackers targeting Tor
Post by: Oceat on October 20, 2019, 10:02:28 PM
And yet, they are trying to do these things to the safest browser I've known. Well, be cautious about this, as we all know, Tor has their own browser wherein we can download the tor browser. But when it comes to the point that they will target the site as well, it is mainly impossible, since phishing the website tor isn't easy as it doesn't contain any repetitive letters that might confuse the users.
But they did it and we must be very careful on dealing with the fake sites. Tor is trying to be the safest browser/site but hackers are doing their best to scam people and we cannot blame Tor with this one. If you see suspicious sites or any phishing sites, you must not download anything from it or else, your time has come to an end and your money will be gone.
Thank God I am not using Tor to send some Bitcoin but in my case, I only use Tor as my VPN for a restricted/banned websites to get access to them easily. Although I am very picky of clicking or looking at the sites legitimacy but I only go directly to the site that I've known before and no other else.


Title: Re: Hackers targeting Tor
Post by: 1Referee on October 20, 2019, 10:14:50 PM
I find it embarrassing, and am myself feeling increasingly embarrassed as time goes on.

Most people use computers at the same level a child can teach itself to do, simply by watching and imitating. While these people watch their cat videos, I'm trying to learn basic computer science that (at its core) hasn't changed much since the 1970's, and people are still using the crappy 1980's sub-par clone (i.e. windows) of the 1970's model.

Meanwhile, others apparently still haven't learned the basic rule number zero of the internet; if it's a popup, don't fucking click anywhere except on the close button, especially if it tells you 'click here or you'll die'. I learned that in the first month or so when the internet was still new. seriously ffs

I totally get your frustration. To some extent we can blame governments for not triggering people to become more aware of proper internet etiquette, but on the other hand, it's in their best interest to not educate people to the point where they become smart enough to take proper security measures enough so that they don't fall victim to phishing, viruses, etc.

The more untaught people are, the easier it is for governments to exploit vulnerabilities in their operating systems or hardware to retain a certain level of surveillance, which hackers obviously will be able to exploit too. If you aren't curious enough to explore various fields of interests that play a big role in today's society, which the internet is a huge part of, then you're basically fucked.

This is a major reason why the mass adoption of Bitcoin will probably take decades. It also translates into wealth inequality because the dumb will end up being as poor as they have always been, where the smart money and those who are technically adapted will be the new elite.


Title: Re: Hackers targeting Tor
Post by: rdluffy on October 20, 2019, 10:43:56 PM
I read this on a crypto web site, and unfortunately this is such a bad thing for cryptos, because people will think that it's risky to use cryptos.
It's really important to learn this lesson, only download from official websites and always research before if an application is compromised.


Title: Re: Hackers targeting Tor
Post by: Carlton Banks on October 20, 2019, 10:54:18 PM
If you aren't curious enough to explore various fields of interests that play a big role in today's society, which the internet is a huge part of, then you're basically fucked.

this


This is a major reason why the mass adoption of Bitcoin will probably take decades. It also translates into wealth inequality because the dumb will end up being as poor as they have always been, where the smart money and those who are technically adapted will be the new elite.

I have this sense that being at all inept using computers could be the difference between life and death. Robots and AI are soon going to be a part of daily life... fuck, really they already are in a nascent stage of it. Asimov and Philip K. Dick et al warned us about this stuff, and something like the bottom 90th percentile (and that's optimistic :-\) of the world haven't even caught up to Edmund Bernays and George Orwell. And the 20th century was such a thunderous bitch-slap of sophistication that it's no wonder, really.

so while I'm pretty disappointed in myself for being so slow to see some of this, when I think of these typical Facebook zombies... it's hard to have any sympathy for them, trying to impress this stuff on them out of a sense of humanity is more likely to cause problems than anything else :-\ The potential for the world to enter into an era that's actually worse than all of dystopic fiction rolled into one is a distinct possibility, and almost everyone is expendable drone fodder in such a scenario ::)


Title: Re: Hackers targeting Tor
Post by: Mike Mayor on October 20, 2019, 10:59:00 PM
How ironic. Many people who want to improve performance and security on the internet by using the Tor browser, unfortunately even that is used as a weapon by hackers to steal other people's assets and break their hearts. From there we can take lessons to always be careful in installing applications and extensions on our devices, use the original, and do the download in an official place.
I know what it's like to be hacked, even though I've tried using a variety of multiple security, hopefully the hackers are aware of how painful it is to lose assets that have been sought and guarded desperately.

That is what makes it so brilliant. It is like those fake antivirus software that causes confusion and makes you want to act quickly to get rid of these so-called viruses and the software is even built-in with a fake scanner and virus detection. Now you get ones posing as browsers for protection. I wonder what sort of activities it spies on. What would they do with this info? Besides sell bitcoin private keys or crypto stolen through the browser.
Maybe they collect a database of users so they can keep track of how much they have stolen from each IP? I don't know. It would make sense for them to collect IP addresses which use crypto a lot to see if they can steal more later on. Or maybe you gamble and they later steal your account.


Title: Re: Hackers targeting Tor
Post by: Kemarit on October 20, 2019, 10:59:39 PM
Though I find this a little bit ironic, this incident only shows the importance of downloading apps from official sites only and not be enticed easily by supposedly trusted fellow netizens with their app recommendations!

I think netizens should also exercise more vigilance and always be cautious to prevent these types of incident from happening again but I think this will never change until there are people who are gullible - the reason why this kind of intrusions will never stop! Imho.

True, cyber criminals targeting other criminals? LOL. And come to think of it, the app has been existing for 2 years and no one realized that they are using a fake TOR and for sure they have compromised a lot of Russians here. You can't blame them though, it's carefully crafted and you won't really realize that you are using fake apps until one day you lose all your cryptos. So just be careful on apps that you downloaded in the net, simple as that.



Title: Re: Hackers targeting Tor
Post by: panganib999 on October 21, 2019, 05:07:40 AM



Please be vigilant, always verify what you’re downloading & from where.


@coindesk
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin and spy on users. Security firm @ESET says it's been going on for "many years."

https://twitter.com/coindesk/status/1185165299450028033?s=21

@torproject

https://www.coindesk.com/fake-tor-browser-has-been-spying-stealing-bitcoin-for-years
Well this just shows how ironic things could fall into places. Sometimes being vigilant isn't enough, for there are lots of unexpected things that might happen in the most unexpected ways, it will be hard to manage safety. People should be taught not to take advantage of things so they won't be taken advantage of by other people ironically. They need to choose carefully what and where they are taking their applications from. To avoid this they should download it from the legitimate site and avoid piracy cause they are committing crime eventually being a victim of a crime, well ironically.


Title: Re: Hackers targeting Tor
Post by: Artemis3 on October 21, 2019, 05:31:27 AM
people seriously have to get into the habit of either compiling from sources or verify the things they download and it goes for everything.

compiling from source is great habit to get into, but Tor Browser (or really, Firefox).... I've never tried that, but I get the feeling it takes a lot of care. Of course, OS's that compile everything locally in their package manager must do this, so it can't be too hard. Not going to try it any time soon myself, however


It's also a reminder that crypto as a whole in no shape is even remotely close to mass adoption of common joe type of people.  :-\

I find it embarrassing, and am myself feeling increasingly embarrassed as time goes on.

Most people use computers at the same level a child can teach itself to do, simply by watching and imitating. While these people watch their cat videos, I'm trying to learn basic computer science that (at its core) hasn't changed much since the 1970's, and people are still using the crappy 1980's sub-par clone (i.e. windows) of the 1970's model.

Meanwhile, others apparently still haven't learned the basic rule number zero of the internet; if it's a popup, don't fucking click anywhere except on the close button, especially if it tells you 'click here or you'll die'. I learned that in the first month or so when the internet was still new. seriously ffs

If you trust your distro official binary packages, you should know most distros sign their packages after compiling and the package manager verifies this in case they have been somehow tampered with by a rogue mirror or such. This simple concept has somehow evaded the windows world, like forever, which is why they have to do it manually, which of course given the laziness of the average windows user, they never do.

A typical windows user is used to the idea that binaries are downloaded from random web pages, the concept of an official repository is alien to them. Microsoft attempted something with their software shop thing, but with little success. (Bad) habits are hard to break, especially when reinforced over decades of IT malpractice.

Do you still get pop ups? I'm surprised, none of my browsers are allowed to do it, and my Desktop Environment seldom does it, except the occasional Want to save? prompt if I forgot saving a document or such. In Windows I remember some malware faking the whole popup so even the "close" button triggers whatever it wanted to trigger, it's just a lost cause, there is no salvation for that OS.

There is Tor, and there is Tor Browser, which is Firefox with Tor bundled and a bunch of preset settings. I don't particularly like Tor Browser, as you can point any browser to Tor anyway, but it was made for lazy people, especially in Windows where it's harder to explain to people how to configure things properly. It beats me how could people use Tor in Windows to begin with, kinda defeats the whole idea, but even Satoshi apparently made that mistake, ugh.

I don't mind the 70ies, it also brought us the C language and the Unix kiss principle. Microsoft and others actually got into shortcuts, and some other not very fair practices such as purchasing companies to deliver products they never had in the first place (See historical IBM/Microsoft DOS deal).


Title: Re: Hackers targeting Tor
Post by: Carlton Banks on October 21, 2019, 09:18:53 AM
If you trust your distro official binary packages, you should know most distros sign their packages after compiling and the package manager verifies this in case they have been somehow tampered with by a rogue mirror or such. This simple concept has somehow evaded the windows world, like forever, which is why they have to do it manually, which of course given the laziness of the average windows user, they never do.

Right, but it's difficult for me to forget how recently this was broken...

aptitude package manager (Debian, Ubuntu & derivatives thereof use aptitude) had an issue in springtime 2019 where an attacker could bypass the signature checking on packages. Combine that exploit with subversion of DNS resolution for an aptitude repo and then an attacker could serve bogus software updates and packages to all Debian based boxes (not hard as aptitude was still recommending configuring http links because signing packages is infallible!)

fixed now of course, but does anyone really know whether a malicious actor knew this beforehand, and now every Debian based machine has the latest greatest rootkit installed? fixing aptitude doesn't matter in that worst case scenario.

That situation immediately got me looking for alternative models; source based package managers, such as those in Gentoo, FreeBSD, Crux, Nix, Guix etc are looking very attractive. Nothing stops bugs in these package managers either, but the situation with aptitude demonstrates that having a limited number of repo mirrors serving package binaries is a more fragile model than I'd previously considered. At least a similar such bug in source based package managers would also require a simultaneous attack against dozens of different source code repos too (although targeting e.g. gnu git servers would be simple but effective in those circumstances, all easier said than done of course)

And is the Tor Browser even available through Linux software repos? It's available through the torproject repo... but we're coming onto the topic of Tor Browser itself further down...


A typical windows user is used to the idea that binaries are downloaded from random web pages, the concept of an official repository is alien to them. Microsoft attempted something with their software shop thing, but with little success. (Bad) habits are hard to break, especially when reinforced over decades of IT malpractice.

yeah, these people would be very easy to manipulate (hence the internal Electrum popup, which a lot of people just assumed they could trust, because they didn't understand that popups could be coming from someone who is not the Electrum devs).


Do you still get pop ups? I'm surprised, none of my browsers are allowed to do it, and my Desktop Environment seldom does it, except the occasional Want to save? prompt if I forgot saving a document or such. In Windows I remember some malware faking the whole popup so even the "close" button triggers whatever it wanted to trigger, it's just a lost cause, there is no salvation for that OS.

"unsolicited" popups literally haven't happened to me in years, it's possible I might be easier to trick because of that, provided the trick was clever enough.


There is Tor, and there is Tor Browser, which is Firefox with Tor bundled and a bunch of preset settings. I don't particularly like Tor Browser, as you can point any browser to Tor anyway, but it was made for lazy people, especially in Windows where it's harder to explain to people how to configure things properly. It beats me how could people use Tor in Windows to begin with, kinda defeats the whole idea, but even Satoshi apparently made that mistake, ugh.

Well, it's true that Tor Browser is little different than the regular Firefox browser. But even for users who don't use the tor network daemon from the Tor Browser Bundle (such as me), configuring Firefox to use Tor Browser's settings and plugins is not to be taken lightly... a large part of the Tor Browser set of presets is to make the browser difficult to fingerprint, which is a vast topic (which extends beyond the browser into the OS and the underlying hardware), so any small mistakes or oversights in a self-configured Firefox are guaranteed to weaken your anonymity.

As for satoshi... I get the feeling that maybe Windows was a way for satoshi to help obscure his/their identity further. It's pretty common for *nix users to also be proficient Windows users, or just capable of quickly learning the Windows way of doing something. What you're saying only underlines this point more: if satoshi really was using Windows the whole time while developing Bitcoin and communicating here on Bitcointalk.org, the chances that he was being surveilled by intelligence agencies are pretty high. It seems more likely that either being a Windows user was an elaborate smokescreen, or that satoshi was working with or for intelligence agencies all along. whether that's good or bad depends on what the objective of the Bitcoin project was ;)


I don't mind the 70ies, it also brought us the C language and the Unix kiss principle. Microsoft and others actually got into shortcuts, and some other not very fair practices such as purchasing companies to deliver products they never had in the first place (See historical IBM/Microsoft DOS deal).

Yep, the Unix fundamentals and the C language are still incredibly relevant today. Android phones, all Apple devices and your home router are running and relying on those Unix basic components, and are reliable and secure in a large part because of Unix. And it's fundamentally the same as it was in the 1970's.

Microsoft are (and always were) a bunch of lazy crooks that won initially because they were well-connected in business, not because they had good products. Even if they produced some decent software since then (and I emphasize the "some"), both the foundations of their OS and their basic business ethics are irreparably rotten.
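
A toy model of the check discussed in the two posts above, showing why a rogue mirror cannot swap a signed package and what is left once the signature check is skipped. This is an added example, not code from the thread or from any distro's package manager; the small RSA key stands in for the archive's OpenPGP key, and the file layout and all function names are assumptions made for illustration.

```python
import hashlib

# Toy RSA key (constructed; far too weak for real use) standing in for the
# archive's OpenPGP signing key. Both factors are Mersenne primes.
E = 65537
N = (2**127 - 1) * (2**107 - 1)
D = pow(E, -1, (2**127 - 2) * (2**107 - 2))  # private half, held by the distro only


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def make_metadata(deb):
    """Hash files anyone can compute: index lists the package, release lists the index."""
    index = f"Package: hello\nSHA256: {sha256(deb)}\n".encode()
    release = f"Packages-SHA256: {sha256(index)}\n".encode()
    return index, release


def publish(deb):
    """Distro side: build the metadata and sign the release file with the private key."""
    index, release = make_metadata(deb)
    sig = pow(digest_int(release), D, N)
    return {"deb": deb, "index": index, "release": release, "sig": sig}


def tampered_copy(good, other_deb, rewrite_hashes):
    """What a rogue mirror can serve: it can change any file but cannot re-sign."""
    bad = dict(good, deb=other_deb)
    if rewrite_hashes:
        bad["index"], bad["release"] = make_metadata(other_deb)
    return bad


def verify(mirror, check_signature=True):
    """Client side: signature on release, then release -> index -> package."""
    if check_signature and pow(mirror["sig"], E, N) != digest_int(mirror["release"]):
        return "reject: bad signature on release file"
    if f"Packages-SHA256: {sha256(mirror['index'])}\n".encode() != mirror["release"]:
        return "reject: index does not match release file"
    if f"SHA256: {sha256(mirror['deb'])}\n".encode() not in mirror["index"]:
        return "reject: package does not match index"
    return "install"


if __name__ == "__main__":
    good = publish(b"hello 1.0 (constructed sample package bytes)")
    swapped = tampered_copy(good, b"modified bytes", rewrite_hashes=True)
    print(verify(good), "|", verify(swapped), "|", verify(swapped, check_signature=False))
```

The hashes only bind the files to each other; the signature is the single step that binds them to the distro, which is why a client that skips it accepts a consistently rewritten mirror.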