
With many major DarkNet sites being taken down, several DDoS Tor-based decloaking exploits being disclosed, tools like Tortilla being released, along with reports of APT Tor nodes modifying downloaded binaries by replacing them with malware wrappers, i.e. binding trojan backdoors (OnionDuke), I can confirm Tor is becoming increasingly unsafe, especially for DarkMarket users! My grey hat friend Bastien and I did an experiment to see how malicious Tor nodes are becoming... and it's not good :/

We set up a fresh, clean Windows 7 virtual machine, updated and patched it completely, installed the latest versions of our favorite anti-virus/anti-malware software and downloaded the latest version of the Tor Browser. Then we collected and set up many fake accounts on different sites like Facebook, Twitter, PayPal, BoA, Wells Fargo and especially the DarkMarket sites Agora and Evolution. We then allowed scripts globally in Tor, as a user might do to watch a YouTube video or anything requiring JavaScript, sometimes solving captchas.
(Note: we didn't use a VPN with Tor, so all Tor exit node traffic is plain text; using a VPN would encrypt all traffic.)
(Also note we weren't using strict Tor nodes in our torrc, so our exit nodes were completely random.)

We then began to log into the various fake and old hacked accounts to see if anything weird would happen.
At first everything seemed normal for the first 15-18 logins and new identity IPs, UNTIL... we started trying the DarkMarket logins.
We started to notice a pattern of nodes we were being redirected through every time we loaded one of the two major DarkMarket sites...
Not only that, but one of the Agora accounts' user/password was sniffed and changed!! (probably a JavaScript sniffer). Also, since the Agora servers are being heavily stressed now (a government DDoS to find the servers, like they did to SR2, not just a wave of new customers) and no new accounts are allowed on Agora, it seems the US government with Europol are trying anything to get into these sites.

Once we started focusing on the normal login sites like Facebook, Twitter, PayPal and Wells Fargo, the weird redirects to some large USA Tor nodes stopped happening. Eventually, after around 36-38 logins and new identity IPs, we had our first Bank of America user/password sniffed and changed! We looked into the Tor node and it wasn't very big and seemed pretty normal, but it was obviously malicious! While on the node we logged into several other bank sites, which were also all sniffed and had their creds changed. However, the social media accounts were still untouched. This malicious node's JavaScript sniffer was probably only capturing financial banking info for sites with certain keywords instead of social media accounts!

Eventually, around the 67th-69th logins and new identity IPs, we started to hit some nodes that were sniffing social media accounts and changing their passwords. And I mean it was sniffing and changing passwords on every social media account we tried, but none of the bank creds, which I thought was weird. Bastien theorizes they are spammers running a Tor node and are specifically interested in social media accounts, probably for mass collecting e-whore pictures and for selling likes/followers etc...
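The method the experiment relies on (each exit is handed a login it has never seen before, and any later reuse of that login pins the sniffer to that exit) can be made repeatable. The following is an added example, not code from the original post: it derives a unique canary username/password per (exit, site) pair with HMAC, then reads a site's login audit log and attributes every reuse or password change of a canary back to the exit that was given it. The relay fingerprints, IPs, hostnames, secret and audit-log lines are all constructed placeholders.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Added example (not code from the original post): per-exit canary credentials
# and attribution of leaked logins back to the exit that observed them.
# All fingerprints, IPs, hostnames and log lines below are constructed.

SECRET = b"experiment-secret-change-me"  # assumption: fresh secret per run

# assumption: placeholder 40-hex relay fingerprints -> that exit's public IP
EXITS = {
    "A" * 40: "198.51.100.10",
    "B" * 40: "198.51.100.20",
    "C" * 40: "198.51.100.30",
}

# constructed site list, mapped to the category of credential it holds
SITES = {
    "bank.example": "banking",
    "social.example": "social",
    "market.example": "darkmarket",
}


def canary_credential(exit_fpr, site, secret=SECRET):
    """Derive a username/password unique to (exit, site). Any later reuse of
    that username therefore identifies exactly which exit saw it."""
    tag = hmac.new(secret, f"{exit_fpr}|{site}".encode(), hashlib.sha256).hexdigest()
    return f"u{tag[:10]}", f"p{tag[10:30]}"


def build_index(exits, sites, secret=SECRET):
    """Reverse index: canary username -> (exit fingerprint, site)."""
    return {
        canary_credential(fpr, site, secret)[0]: (fpr, site)
        for fpr in exits
        for site in sites
    }


LOG_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def attribute_leaks(log_lines, index, exits):
    """Scan audit-log lines. The only legitimate use of a canary is a plain
    'login' from the IP of the exit it was issued through; every other use
    (another source IP, or a password_change) is a leak attributed to that exit."""
    leaks = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["user"] not in index:
            continue
        fpr, site = index[m["user"]]
        planted = m["src"] == exits[fpr] and m["event"] == "login"
        if not planted:
            leaks[fpr].append((site, m["src"], m["event"]))
    return dict(leaks)


def harvested_categories(leak_records, sites):
    """Which kinds of credentials an exit is harvesting, e.g. ['banking']."""
    return sorted({sites.get(site, "other") for site, _, _ in leak_records})


def constructed_log(exits=EXITS, sites=SITES, secret=SECRET):
    """Constructed audit log: one planted login per (exit, site), then two
    exits reusing what they sniffed, from a different IP."""
    lines = [
        f"2014-11-20T10:00:00Z site={site} user={canary_credential(fpr, site, secret)[0]} src={ip} event=login"
        for fpr, ip in exits.items()
        for site in sites
    ]
    bank_user = canary_credential("B" * 40, "bank.example", secret)[0]
    social_user = canary_credential("C" * 40, "social.example", secret)[0]
    lines += [
        f"2014-11-21T03:14:00Z site=bank.example user={bank_user} src=203.0.113.7 event=login",
        f"2014-11-21T03:15:00Z site=bank.example user={bank_user} src=203.0.113.7 event=password_change",
        f"2014-11-22T08:02:00Z site=social.example user={social_user} src=203.0.113.9 event=password_change",
        "not a log line",
    ]
    return lines


if __name__ == "__main__":
    index = build_index(EXITS, SITES)
    for fpr, records in attribute_leaks(constructed_log(), index, EXITS).items():
        print(fpr[:8], harvested_categories(records, SITES), records)
```

Because the canary encodes the exit, an exit that only reuses bank.example logins shows up as harvesting ['banking'] while another shows up as ['social'], which is the split the experiment saw. In a real run the audit log comes from the target sites or from your own honeypot logins, and the secret should be fresh per experiment so a canary that leaks cannot be linked to earlier ones.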

So basically, in our little experiment we found that just using Tor without additional security like a VPN or proxy, and also not editing the torrc file to use specific exit nodes, can be extremely dangerous for sensitive banking, social media and DarkMarket credentials, so we do not suggest it anymore. In our experiment we encountered 3 types of nodes: clean, malicious blackhat and malicious government. It was most likely the government nodes redirecting traffic and sniffing for DarkMarket site info like user/password logins, and different blackhat nodes were sniffing banking and social media account logins. We recommend using at least one off-shore VPN or VPN chain/proxychain that doesn't log, in combination with the Tor Browser, to completely encrypt all traffic. Also edit your torrc file to strict Tor nodes that you trust! Tor is still a great tool as long as you know how to use it safely; however, I suggest looking into alternatives like i2p and OpenBazaar for the future :)

(Note: Don't allow scripts globally unless you have edited torrc to use trusted exit nodes or are using a VPN.)
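One way to do the torrc part of that advice, as an added example that is not taken from the original post (the fingerprints are placeholders, not real relays):

```text
# Added example torrc fragment. Replace the placeholder fingerprints with
# relays you have actually vetted; these are not real relays.
ExitNodes $AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# Fail closed: if none of the listed exits is usable, build no circuit
# instead of silently falling back to a random exit.
StrictNodes 1

# Looser alternative: steer by country instead of pinning individual relays.
# ExitNodes {ch},{is}
# ExcludeExitNodes {us}
```

With StrictNodes 1, Tor refuses to build circuits when none of the listed exits is available rather than quietly using whatever exit it can reach. Two caveats: pinning to a handful of exits makes your traffic stand out to those relays and to anyone watching them, so list only relays you have a real reason to trust; and a pinned exit still sees whatever the site's protocol sends in the clear, so an HTTP login is plaintext at a trusted exit exactly as it is at a random one.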

[+] Sources [+]


http://torstatus.blutmagie.de/
http://www.crowdstrike.com/community-tools/
https://www.f-secure.com/weblog/archives/00002764.html
http://thehackernews.com/2014/11/81-of-tor-users-can-be-easily-unmasked_18.html
http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-sites-may-have-been-decloakedthrough-ddos/
