Tor proxy service caught stealing ransomware bitcoin payments


A Tor proxy service has allegedly been caught stealing ransomware bitcoin payments by replacing the ransomware's bitcoin payment address with its own.

This came to light after the operators of a ransomware strain dubbed LockeR warned victims not to use the service because it was stealing their bitcoin. According to the warning put up by the ransomware operators, the service shouldn't be used; instead, victims should use the Tor Browser to send the payments.

According to cybersecurity firm Proofpoint, the service is altering the bitcoin wallet addresses of at least three different ransomware strains: LockeR, Sigma, and GlobeImposter. Per the researchers, the service has been doing this quietly and has seemingly netted over $22,000 from the move.

According to reports, the authors of the affected ransomware strains are countering the service's move in a variety of ways. Most are simply trying to get victims to skip Tor proxy services altogether and pay using the Tor Browser. Others, such as MagniBer, decided to split the bitcoin payment address shown to the victim across different HTML tags, so that an automatic search-and-replace on the page source no longer sees the whole address.
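The substitution Proofpoint describes is a content-integrity problem: the note a victim (or an incident responder) sees through a proxy is not the note the onion site served. The script below is an added example for this article, not Proofpoint's or any ransomware author's code. It compares two copies of a ransom note, one fetched directly and one served through a proxy, extracts every checksum-valid legacy Bitcoin address from each (including an address split across adjacent HTML tags, the MagniBer trick), and reports which address went missing and which was injected. The addresses and HTML fixtures are constructed here from hashed labels; they belong to no real campaign or service.

```python
"""
Detect Bitcoin-address substitution between two copies of one ransom note:
the origin copy and the copy served by a web-to-Tor proxy.

Added example for this article (not Proofpoint's or any ransomware
author's code). All addresses and HTML below are constructed fixtures.
"""
import hashlib
import html
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TAG_RE = re.compile(r"<[^>]+>")
# A legacy address starts with 1 or 3 and is 26..35 Base58 characters long;
# the lookahead only marks candidate start positions, the checksum decides.
START_RE = re.compile(r"(?=[13][" + B58 + r"]{25})")


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version||payload (used here only to build fixtures)."""
    body = bytes([version]) + payload
    check = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    data = body + check
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Every leading zero byte is represented by a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def is_valid_address(addr: str) -> bool:
    """True iff addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(body) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(body[:-4]).digest()).digest()[:4]
    return check == body[-4:]


def extract_addresses(page: str) -> set[str]:
    """Return checksum-valid addresses found in an HTML page.

    Two views of the text are searched: tags replaced by a space (the normal
    case) and tags deleted outright, which glues fragments that a note spread
    across adjacent tags back together. Accidental matches fail the checksum.
    """
    found = set()
    for view in (TAG_RE.sub(" ", page), TAG_RE.sub("", page)):
        text = html.unescape(view)
        for m in START_RE.finditer(text):
            for length in range(26, 36):
                cand = text[m.start():m.start() + length]
                if is_valid_address(cand):
                    found.add(cand)
                    break
    return found


def find_substitutions(origin_page: str, proxied_page: str) -> dict[str, set[str]]:
    """Addresses present in the origin copy but not the proxied one, and vice versa."""
    origin = extract_addresses(origin_page)
    proxied = extract_addresses(proxied_page)
    return {"missing": origin - proxied, "injected": proxied - origin}


# Constructed fixtures: both addresses are derived from labels right here.
VICTIM_ADDR = b58check_encode(0, hashlib.sha256(b"ransomware wallet (constructed)").digest()[:20])
PROXY_ADDR = b58check_encode(0, hashlib.sha256(b"proxy wallet (constructed)").digest()[:20])

ORIGIN_NOTE = f"<p>Send 0.5 BTC to <b>{VICTIM_ADDR}</b></p>"
# Same note as it would look after an address swap in transit.
PROXIED_NOTE = f"<p>Send 0.5 BTC to <b>{PROXY_ADDR}</b></p>"
# The split-tag layout mentioned in the article: no single text node holds
# the full address, yet extract_addresses() still recovers it.
SPLIT_NOTE = (f"<p>Send 0.5 BTC to <span>{VICTIM_ADDR[:12]}</span>"
              f"<span>{VICTIM_ADDR[12:]}</span></p>")

if __name__ == "__main__":
    print(find_substitutions(ORIGIN_NOTE, PROXIED_NOTE))
    print(extract_addresses(SPLIT_NOTE))
```

The checksum validation is what makes the tag-deleted view safe to search: gluing text nodes together produces plenty of 26-plus character Base58 runs, but a run that is not a real address fails the 32-bit checksum. The same function is the check a responder would run on any address copied out of a note before treating it as an indicator.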

Victims who decide to pay the ransom and end up sending their funds to the Tor proxy service aren't paying the ransomware extortionists, and are unlikely to see their files decrypted because, in the extortionists' eyes, the ransom was never paid.

Proofpoint’s researchers stated: “While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims.”

About the author

Beryl Jones

Beryl is a journalism graduate with a keen interest in technology. She has been drawn to Bitcoin and other digital currencies since 2009, while she was still studying for her degree. She loves writing articles and covering news on cryptography, digital currencies and related subjects.