Bitcoin’s recent surge in value appears to have ramped up hackers’ interest in the digital currency more than ever, with some even resorting to steal from each other. Security experts have observed a new campaign, which involves hackers using a Tor proxy site to steal Bitcoin payments from various ransomware operators.

While ransomware operators often demand victims to pay using bitcoins that require them to visit a Tor site, most users often do not have a Tor browser installed. In some cases, ransomware victims choose to use Tor proxy sites to make ransom Bitcoin payments.

Some hackers operating various different strains of ransomware also suggest that victims use Tor proxy sites to make payments. However, using such sites provides the operators of the site “unlimited power” to replace content, acting as a man-in-the-middle.

Security researchers at Proofpoint discovered that operators of the Tor proxy domain – “onion[.]top” – have been secretly diverting bitcoin payments made by ransomware victims. The hackers surreptitiously changed the bitcoin address controlled by the ransomware operators and replaced it with an address of their own. This allowed the hackers to steal from both the victims as well as the operators of the ransomware.

“The proxy operators are not only preventing ransomware victims from decrypting their files by paying a ransom but are also in effect stealing from the threat actors distributing ransomware. This appears to be the first scheme of this type affecting both ransomware victims and operators,” Proofpoint researchers said in a blog. Read more from…

thumbnail courtesy of