A recent report by ESET claims that darknet users in Russia are getting their crypto holdings stolen via a fake version of the Tor Browser. The trojanized version of the Tor Browser targets holders of BTC. According to the report, the theft of BTC through this method has been taking place since 2017.

How it Works

The fake Tor Browser works by switching the real BTC addresses of users. According to the report by WeLiveSecurity, the fake browser has been around since 2017. To distribute it, the hackers used two sites that were created in 2014. The two sites, torproect[.]org and tor-browser[.]org, were designed to look exactly like the real site for the Tor Browser.

When a user visits the sites, they get a message that claims their Tor Browser is outdated. This occurs even when they have updated their Tor Browser. They are then offered the opportunity to download an updated version of the browser. When they do, they get a version of the browser that has malware embedded into it.

An analysis shows that over $40,000 worth of BTC has been stolen via this method. Thus far, only Windows users have been targeted. There is no indication that macOS and Linux users have been affected.

Once the browser is installed, it will immediately swap any BTC addresses a user has with addresses controlled by those behind the hack. Thus far, the amount of BTC stolen is estimated at 4.8 BTC, with one of the hackers’ wallets having received 2.66 BTC. The last transaction to the BTC addresses owned by the hackers took place in September 2019. The report also claims that, in addition to BTC, the hackers had targeted QIWI wallets.

Other Warnings from ESET

At the start of October, ESET had warned crypto users that there was malware robbing crypto from them. According to ESET, the malware was going by the name Metamorfo or Casbaneiro. Their investigations concluded that 1.2 BTC had been stolen from banks and crypto services in Mexico and Brazil by the time they discovered it.

ESET claimed that the hackers behind the malware used various social engineering techniques to trick their victims. They would use pop-ups to convince users to take actions that they claimed were necessary or urgent. For instance, they would ask users to verify their credit card or bank account details. Alternatively, users would be requested to update their software.

Once the users fell for the trick, the malware would start taking screenshots of their browsing activity as well as blocking access to various banking sites. Additionally, the malware would start to log keystrokes. To steal crypto, the malware would monitor the clipboard for crypto wallet data; if it found such data, it would replace it with the hacker's own.
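The address-swapping described for both the fake Tor Browser and Casbaneiro works because a substituted address is just as well-formed as the real one. The following Python is an added example, not code from ESET's report or this article: it implements Base58Check validation for legacy BTC addresses, shows that a constructed replacement address passes the same checksum as the intended one, and therefore treats any mismatch between what was copied and what is about to be pasted as the swap signal. The genesis-block address stands in for the intended recipient; the substituted address is generated in the code from a made-up hash.

```python
import hashlib

# Base58 alphabet used by legacy (P2PKH "1..." and P2SH "3...") Bitcoin addresses
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode a version byte + 20-byte hash (legacy address layout)."""
    data = payload + _sha256d(payload)[:4]          # append 4-byte checksum
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))     # each leading 0x00 byte -> '1'
    return (ALPHABET[:1] * pad + digits[::-1]).decode()

def is_valid_legacy_address(addr: str) -> bool:
    """Decode Base58Check and verify the version byte and double-SHA256 checksum."""
    n = 0
    for ch in addr.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:                                  # character outside the alphabet
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _sha256d(raw[:21])[:4] == raw[21:]

def swap_detected(copied: str, pasted: str) -> bool:
    """Flag the case the malware creates: a well-formed address that differs from the copied one."""
    return (is_valid_legacy_address(copied) and is_valid_legacy_address(pasted)
            and copied != pasted)

# Constructed sample: the genesis-block address stands in for the intended recipient; the
# substituted address is generated here from a made-up hash (not a real attacker wallet).
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SUBSTITUTED = b58check_encode(b"\x00" + hashlib.sha256(b"constructed-example").digest()[:20])

if __name__ == "__main__":
    print("substituted address passes checksum:", is_valid_legacy_address(SUBSTITUTED))
    print("swap detected:", swap_detected(INTENDED, SUBSTITUTED))
```

Because the checksum cannot tell the two apart, the practical defence is to compare the full pasted string against the address obtained out of band before sending.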

Tor Browser Users Get Alert

Tor Browser users globally have already been warned of the issue. LocalBitcoin, which is a P2P exchange based in Finland, had warned users that using Tor Browser was risky.

