{
	"id": "2f5f41a2-0f08-4283-9877-cea1c9f30a4d",
	"created_at": "2026-04-06T00:15:45.478352Z",
	"updated_at": "2026-04-10T03:24:50.223809Z",
	"deleted_at": null,
	"sha1_hash": "d7ce3e3ee80d490c50224cba68209d1d781d049b",
	"title": "Who is Running Hundreds of Malicious Tor Relays? | Darknetlive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80781,
	"plain_text": "Who is Running Hundreds of Malicious Tor Relays? | Darknetlive\r\nArchived: 2026-04-05 14:20:01 UTC\r\nA threat actor is running hundreds of malicious Tor relays as part of what researchers suspect is an attempt to deanonymize Tor users.\r\nNusenu, a Tor relay operator, first identified “KAX17” as a sophisticated threat actor in 2019. At the time, Nusenu had identified a “long-running suspicious relay group” that had been active since 2017, if not earlier. “At their peak, they reached \u003e10% of the Tor network’s guard capacity,” Nusenu wrote in 2019.\r\nIn nusenu’s most recent blog post about KAX17, they provided the following summary of the actor’s behavior:\r\nactive since at least 2017\r\nsophistication: non-amateur level and persistent\r\nuses large amounts of servers across many (\u003e50) autonomous systems (including non-cheap cloud hosters like Microsoft)\r\noperated relay types: mainly non-exit relays (entry guards and middle relays) and to a lesser extent tor exit relays\r\n(known) concurrently running relays peak: \u003e900 relays\r\n(known) advertised bandwidth capacity peak: 155 Gbit/s\r\n(known) probability to use KAX17 as first hop (guard) peak: 16%\r\n(known) probability to use KAX17 as second hop (middle) peak: 35%\r\nmotivation: unknown; plausible: Sybil attack; a collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services\r\nIn October 2020, nusenu reported KAX17’s exit relays to the Tor Project, which resulted in their removal from the network. Before the removal of the actor’s exit relays, a Tor user had up to a 16% chance of connecting to one of KAX17’s guard relays, up to a 35% chance of using KAX17’s middle relays, and up to a 5% chance of using one of the actor’s exit relays. In the worst-case scenario, on 2020-09-08, nusenu wrote, KAX17 could de-anonymize Tor users with the following probabilities:\r\nfirst hop probability (guard): 10.34%\r\nsecond hop probability (middle): 24.33%\r\nlast hop probability (exit): 4.6%\r\nhttps://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/\r\nPage 1 of 3\n\nGuard, middle and exit probability between 2019–01–01 and the removal event on 2021–11–08 | nusenu\r\nThe day after the Tor Project had removed the exit relays reported by nusenu, a new “large no-name exit relay group” appeared. Nusenu has not attributed the new group to KAX17 yet but also does not believe KAX17 “halted their exit operations completely.”\r\nWhile investigating this threat actor’s relays, nusenu discovered an email address that had initially appeared in the ContactInfo descriptor field of KAX17’s relays. The actor later removed the email address. When looking into the email address, nusenu found it on the tor-relays mailing list.\r\n“Interestingly it became almost exclusively involved on the mailing list when policy proposals with regards to malicious relays were discussed or when large malicious relay groups got removed. They apparently disliked the proposals to make their activities less effective.”\r\n(Nusenu noted that any relay operator could have used the particular email address for their relay’s ContactInfo. However, the email address appeared on KAX17’s relays long before appearing on the tor-relays mailing list.)\r\nNusenu outlines some potential solutions in their blog post. It is worth reading if tor’s weaknesses are of interest to you: Is “KAX17” performing de-anonymization Attacks against Tor Users?\r\nCimpanu, reporting for The Record, asked nusenu about the chances of KAX17 being part of a research project. Nusenu provided the following response:\r\nAcademic research is usually limited in time. KAX17 has been active since 2017.\r\nResearchers do not get involved in weakening anti-bad-relays policies on the Tor mailing list.\r\nResearchers do not fight against their removal and do not replace removed relays with new relays.\r\nResearch-based relays usually run within 1-2 autonomous systems, not \u003e50 ASes.\r\nResearch relays usually run \u003c100 relays, not \u003e500.\r\nResearch relays usually do have a relay ContactInfo.\r\nThe Tor Project is quite well connected to the research community.\r\nvia The Record “A mysterious threat actor is running hundreds of malicious Tor relays”\r\nIt is hard to imagine this being part of a research project. Then again, Carnegie Mellon researchers conducted a traffic confirmation attack and a Sybil attack as part of some form of research. The FBI discovered this research and used it to arrest at least two people, one of whom is likely known to readers of this site: Brian Farrell, aka DoctorClu, who was involved in the administration of Silk Road 2.0.\r\nKAX17 certainly seems like a state-backed actor.\r\nSource: https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/"
	],
	"report_names": [
		"who-is-responsible-for-running-hundreds-of-malicious-tor-relays"
	],
	"threat_actors": [
		{
			"id": "0ca8aa42-5713-4277-b265-456f1601eef4",
			"created_at": "2023-11-17T02:00:07.585347Z",
			"updated_at": "2026-04-10T02:00:03.452848Z",
			"deleted_at": null,
			"main_name": "KAX17",
			"aliases": [],
			"source_name": "MISPGALAXY:KAX17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791490,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7ce3e3ee80d490c50224cba68209d1d781d049b.pdf",
		"text": "https://archive.orkl.eu/d7ce3e3ee80d490c50224cba68209d1d781d049b.txt",
		"img": "https://archive.orkl.eu/d7ce3e3ee80d490c50224cba68209d1d781d049b.jpg"
	}
}