A fake version of the popular Tor Browser, used to access the deep web, has been found to be stealing the bitcoin of users looking to shop on darknet markets.
According to researchers, the malicious version of the browser has been promoted as its Russian version on posts published on Pastebin, optimized to rank on search engines for queries related to cryptocurrencies, drugs, censorship, and politicians.
The malicious browser is distributed through two domains, created in 2014, to Russian users as if it were an official version. The website’s pages mimic those of the Tor project’s official website, but add a warning to the user telling them their privacy is at risk because their browser is supposedly outdated.
A translated version of the message reads:
Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update”
On the Pastebin and forum posts, the cybercriminals advertise various features the Tor browser doesn’t actually have, such as an anti-captcha system that allows them to bypass checks. In reality, users download a compromised version of the official Tor browser’s 7.5 version, released in January of last year.
Cybersecurity researchers at ESET further discovered the altered Tor version stops the browser from asking users for an update, as this would update them to a non-compromised version of the official Tor browser.
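The defensive counterpart to a look-alike download site is to check the installer against the release's signed checksum list before running it. The script below is an added example, not code from the article, from ESET or from the Tor Project: it assumes the sums file is named `sha256sums-unsigned-build.txt` with a detached `.asc` signature beside it, and it assumes the Tor Browser Developers signing-key fingerprint shown in the constant; both should be cross-checked against torproject.org before use. The sample bundle bytes and sums line in `demo()` are constructed for illustration.

```python
"""
Added example: verify a Tor Browser download against the SHA-256 sums file
the Tor Project publishes for each release, after checking that file's
detached GPG signature. Not the article's or the project's own code.
"""
import hashlib
import subprocess
from pathlib import Path

# Assumed values: the published sums-file name and the Tor Browser Developers
# signing-key fingerprint. Confirm both on torproject.org before relying on them.
SUMS_FILE = "sha256sums-unsigned-build.txt"
TOR_SIGNING_KEY_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"


def parse_sums(text: str) -> dict[str, str]:
    """Parse 'HEX  filename' lines (sha256sum format) into {filename: hex}."""
    sums: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip malformed lines instead of trusting them
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the bundle bytes."""
    return hashlib.sha256(data).hexdigest()


def bundle_matches(data: bytes, name: str, sums_text: str) -> bool:
    """True only if the bundle's digest equals the entry in the signed sums file."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # unknown file name: refuse rather than assume
    return sha256_of(data) == expected


def signature_ok(sums_path: Path) -> bool:
    """Check the detached signature on the sums file with gpg (needs network-fetched files,
    so it is not exercised offline). Requires the signing key to be imported already."""
    result = subprocess.run(
        ["gpg", "--verify", f"{sums_path}.asc", str(sums_path)],
        capture_output=True, text=True,
    )
    # gpg prints the signer's fingerprint with spaces; normalise before comparing.
    return result.returncode == 0 and TOR_SIGNING_KEY_FPR in result.stderr.replace(" ", "")


def demo() -> tuple[bool, bool, bool]:
    """Constructed sample: a 'bundle' whose bytes are b'abc' and its sums entry."""
    name = "tor-browser-linux64-example.tar.xz"  # constructed file name
    sums = (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        f"  {name}\n"
    )
    good = bundle_matches(b"abc", name, sums)       # intact download
    tampered = bundle_matches(b"abd", name, sums)   # one byte altered
    unknown = bundle_matches(b"abc", "other.tar.xz", sums)  # file not listed
    return good, tampered, unknown


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Run order in practice is signature first, then checksum: a checksum list served by the same counterfeit site as the installer proves nothing, which is why `signature_ok` checks the signer's fingerprint rather than only gpg's exit status.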
To get to users’ bitcoins, the browser includes a script that detects when users are about to fund their BTC wallets on darknet markets, and replaces the destination wallets with their own.
The criminals’ three identified bitcoin wallets made a total of 863 transactions, and currently have 4.8 BTC (around $38,000) in them. The wallets have been active since 2017. Back in July, Chainalysis found that darknet markets were on pace to see $1 billion worth of bitcoin transactions this year.
As reported, U.S. authorities recently took down one of the largest child porn websites on the darknet after tracing bitcoin transactions.