Ransomware Business is in Danger: Tor Proxy was Used to Steal Money from Ransomware Developers

Ransomware infections are nasty threats that are developed and then used by cyber criminals to obtain money from users. Since these threats are related to great profits, their number is growing every day. It would be too naive to expect that these infections will disappear completely and will no longer bother users anytime soon, but it seems that cyber criminals need to update their means of money collection ASAP. Researchers at Proofpoint have discovered new undocumented man-in-the-middle attacks launched by third parties to steal paid ransoms from cyber crooks utilizing ransomware infections to extract money from computer users. As a consequence, it might be impossible to purchase the decryption tool from them and unlock the affected personal data, which is another reason why users should not send a cent to cyber criminals. It is especially true if the infection asks users to make a payment using a Tor Proxy because it is where all the problems begin.


Many ransomware infections demanding money from victims ask them to visit a Tor .onion site to make a payment to the provided Bitcoin address in exchange for decrypted personal files; however, since many users do not have a Tor browser installed on their computers, they use a Tor Proxy to access the payment page instead. Actually, some threats even encourage them to do so. Tor proxies are websites that turn Tor traffic into normal web traffic and thus allow users to open .onion links using normal web browsers (e.g. Mozilla Firefox and Google Chrome). These proxies are very easy to use too. Users just need to insert an extension (e.g. .to or .cab) in the .onion URL they have. For instance, hxxps://robusttldkxiuqc6.onion will become an ordinary website if .to is added to its end – hxxps://robusttldkxiuqc6.onion.to/. Even though this is quite convenient for those users who do not have a Tor browser and are not going to install it, it has been observed by specialists that some content users see when they open links left for them might be replaced. Speaking about ransomware infections, scammers might replace Bitcoin addresses controlled by ransomware developers with their own, meaning that crooks behind these infections will not get anything from users even if they send money to them. Because of this, they will not send special decryption software for victims either. In other words, these third parties might prevent victims from getting their files decrypted by paying the required ransom.


It seems that authors of LockerR Ransomware have become one of the first victims of this man-in-the-middle attack because the message telling users not to use onion.top can be found on its payment portal:

Do NOT use onion.top, they are replacing the bitcoin addresses with their own and stealing bitcoins. To be sure you’re paying to the correct address, use Tor Browser.

Previously, its payment page included direct onion.top links, but it is evident that developers of this threat have already come across this problem and fixed it by removing them all. Researchers say that LockerR Ransomware is not the only threat scammers have affected. It seems that Sigma Ransomware and Globeimposter Ransomware are among the main targets too. Therefore, if you ever encounter any of these ransomware infections and decide to send money to crooks, which is, of course, not recommended, use a Tor browser to access the payment page if you want to make sure cyber criminals get your ransom.

Specialists have two Bitcoin addresses that were used to replace original Bitcoin wallets that belong to cyber criminals behind ransomware infections in their hands: 13YFjj7WqWY5Un7Pgw1VdrpceHpn5BTZdp and 1Q64uWnKMUoZ6G7BSrH77xdrewMou2zGpU. Both of them were examined to find out how much money has already been stolen from crooks by third-party scammers. At the time of research, the first address contained 0.15 BTC (~ 1 252 USD), whereas the second one had 1.82 BTC (~ 15 192 USD). Theoretically, other Bitcoin addresses might be involved in the scheme too, so the amount of money stolen from ransomware developers might be considerably higher.

Scammers cannot replace original Bitcoin addresses with those addresses that belong to them in all the cases. It seems that they target only those ransomware infections that are less sophisticated and use bald .onion links. Evidently, some malicious software developers are already aware of the issue and took certain measures to make sure victims’ money reaches them. For example, authors of Magniber Ransomware protected transactions by splitting the Bitcoin address into four parts in the HTML source code, making it harder for proxies to detect it.


  1. Doevan, J. Scammers Steal Payments From Ransomware Developers. 2-spyware
  2. Proofpoint Staff. Double Dipping: Diverting Ransomware Bitcoin Payments Via .ONION Domains. Proofpoint
  3. Rashid, F. Y. 4 Reasons Not to Pay Up In a Ransomware Attack. InfoWorld
  4. Free images. Pixabay