Tor proxy service Onion.top has allegedly been caught stealing ransomware bitcoin payments by replacing the ransomware's bitcoin payment address with its own.
This came to light after the operators of the ransomware strain dubbed LockeR warned users not to use the service because it was stealing their bitcoin. According to the warning put up by the ransomware operators, Onion.top should not be used; instead, victims should use the Tor Browser to send the payments.
According to cybersecurity firm Proofpoint, Onion.top is altering the bitcoin wallet addresses of at least three different ransomware strains: LockeR, Sigma, and GlobeImposter. Per the researchers, the service was doing this secretly and has seemingly netted over $22,000 from the move.
According to reports, the authors behind affected ransomware strains are countering onion.top’s move in a variety of ways. Most are simply trying to get users to skip Tor proxy services altogether, and just pay using the Tor browser. Others, such as MagniBer, decided to split the bitcoin payment address shown to the victim across different HTML tags, to avoid automatic replacement.
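As an added illustration (not code from the article, from Proofpoint, or from any of the ransomware families named), the following Python check compares a payment page fetched directly through the Tor Browser with the copy served by a web proxy. It concatenates the text of adjacent tags so that an address split across elements is still reassembled, and it accepts a candidate only when its Base58Check checksum verifies, so a regex hit alone is never reported. Every address in the sample is constructed from dummy hash160 bytes, not a real wallet.

```python
import hashlib
import re
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Lookahead with no word boundaries: text rejoined from adjacent tags has no separator.
CANDIDATE_RE = re.compile(r"(?=([13][" + ALPHABET + r"]{25,34}))")

def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload: bytes) -> str:  # used here only to build sample data
    full = payload + _sha256d(payload)[:4]
    n, digits = int.from_bytes(full, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * (len(full) - len(full.lstrip(b"\0"))) + digits

def is_valid_address(addr: str) -> bool:  # the checksum decides; the regex only nominates
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version + 20 hash160 + 4 checksum bytes
    except OverflowError:
        return False
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\0")):
        return False  # leading '1's must correspond exactly to leading zero bytes
    return _sha256d(raw[:21])[:4] == raw[21:]

def find_addresses(html: str) -> set:
    # Strip tags and keep the text contiguous so a split address rejoins (a production
    # checker would use a real HTML parser; this is enough for the constructed sample).
    text, found = re.sub(r"<[^>]*>", "", html), set()
    for m in CANDIDATE_RE.finditer(text):
        cand = m.group(1)
        for end in range(26, len(cand) + 1):  # try every plausible address length
            if is_valid_address(cand[:end]):
                found.add(cand[:end])
    return found

def proxy_substitutions(direct_html: str, proxied_html: str) -> dict:
    direct, proxied = find_addresses(direct_html), find_addresses(proxied_html)
    return {"injected": proxied - direct, "removed": direct - proxied}

# Constructed sample: addresses derived from dummy hash160 bytes, not real wallets.
VICTIM_ADDR = b58check_encode(b"\x00" + bytes([0x11]) * 20)
PROXY_ADDR = b58check_encode(b"\x00" + bytes([0x22]) * 20)
DIRECT = f"<p>Pay 0.5 BTC to <span>{VICTIM_ADDR[:12]}</span><span>{VICTIM_ADDR[12:]}</span></p>"
PROXIED = f"<p>Pay 0.5 BTC to <b>{PROXY_ADDR}</b></p>"
```

A non-empty "injected" set means the proxy copy shows an address the directly fetched page never contained.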
Victims who decide to pay the ransom and end up sending their funds to the Tor proxy service are not paying the ransomware extortionists, and are unlikely to see their files decrypted since, in the extortionists' eyes, the ransom was never paid.
Proofpoint’s researchers stated: “While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims.”