Trojanized Tor Browser Scam Stole Funds From Bitcoin Wallets Of Dark Web Users


A dark web scam which targeted the crypto wallets of dark web users have been uncovered but not after many users fell victim to it.  The scam, which involved a malicious version of the Tor browser, designed to spy and steal bitcoin from the wallets of users on many dark web marketplaces, has now been exposed by a team of researchers, scorching the dark web for malicious activities.

The Tor browser is the required browser needed to be able to access the dark web or onion sites which are websites, existing only on the dark web. The scam, which was orchestrated by a group of cybercriminals , involved a created trojanized version of the regular or legitimate Tor browser, which notifies users that that version is outdated and needs to be updated and then redirects them to two websites. This notification even went to users who had the most recent update of the original Tor browser. When users finally proceed to fake URL’s,, and, a message is then displayed in Russian on the sites, urging users to click on a link provided on the page, which was for downloading the latest update of the Tor browser.

Upon clicking on the click, another site or page appears, containing another download link. When the trojanized Tor browser is finally downloaded, the scammers then start to spy all your activities and movement of the dark web. The scam, however, was also designed to steal funds from the crypto wallets of the fallen victims. Whenever a dark web user with the infected Tor browser makes a transaction or receives funds into their crypto wallet, the Tor browser then redirects the funds by changing the intended target address, to a crypto wallet, owned and controlled by scammers.


Image source:

The fake Tor browser was designed on the surface, to perform the exact functions of the original or legitimate Tor browser. What the victims of the scam didn’t know was that the malicious version, had many changes in its settings and extensions, secretly programmed to disable all updates. These settings included renaming the updater tool and changing the normal client-agent to a new model, which can detect the program’s use server-side.

Additional changes were made to the XP install. signatures (digital signature check), created in the original Tor browser, which prevents the safety and anonymity of its users from being targeted by malicious scams and programs. This option was totally disabled, giving room for cyber attackers to change or load, or modify add-ons in the browser. Dark web users with the intention of making a transaction would eventually come to realize that their funds for their intended purchases ended up elsewhere, thanks to their newly installed Tor browser.

According to ESET, the research firm that uncovered this dark web scam, the trojanized Tor browser was first executed on many Russian dark web sites, back in 2017 and early 2018, during the hay days of cryptocurrencies. Additional reports revealed that the malicious Tor browser was labelled as the Official Russian version of the Tor browser.


Image source:

In a public blog post, Anton Cherepanov, the senior malware researcher at ESET, stated that any actions or activities undertaken on the dark web are being tracked by the scammers behind this malicious Tor browser.  “This malware lets the criminals behind this operation see what website the victim is currently visiting. In theory, they can alter the content of the visited page, grab the data the victim fills into forms, and display fake messages, among other activities. However, we have seen only one particular functionality, thus changing the bitcoin and cryptocurrency wallets,” he said.

The trojanized Tor browser was also promoted by the scammers on many forums, using their Pastebin accounts. The scammers even stated in their numerous adverts that, their version of the Tor browser, was the best and safest software, to completely avoid government surveillance. Reports showed that the Pastebin accounts used in promoting the malicious software of the scam had been viewed over a million times.

Reports from the research firm revealed that the scammers used three different Bitcoin wallets in the operation. The wallets were reported to have received 4.8 BTC, equivalent to almost $40,000.  The researchers also noted that the actual amount of funds that were stolen by the scammers was likely to be more than what was found, and this was due to the compromised additional QIWI wallets found in the process. QIWI is a publicly-traded Russian payment service, based in Cyprus.

ESET also revealed that there was no version of the malicious Tor browser on Linux, macOS, or a mobile version. The scam was only orchestrated on Windows installers.

Source: Hackread

Disclaimer: does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation with the reliance on or usage of any content, goods or services mentioned in this article.

Tags: #.onion_Links #Dark_net_Links #Dark_net_Sites_Links #.onion_Hidden_Links #Hidden_Wiki


Please enter your comment!
Please enter your name here