A security researcher studying the Tor network has found that over 27 percent of all exit nodes are under the control of a single entity, which could spell danger for those using the anonymous communication network.

The biggest issue this presents to Tor network users is privacy and the threat of malware. With a single entity controlling so much of the network traffic re-entering the regular internet, a large volume of Tor users could be exposed, compromising the integrity of the Tor network.

Exit Nodes Under Control of Single User

Security researcher Nusenu has updated their Tor Exit Relay Activities blog, building on research first released in 2020. The 2020 version found that a single operator controlled around one in four exit node connections on the Tor network, with many of those users experiencing dangerous man-in-the-middle attacks as a result.


Nusenu's updated research shows that the number of exit nodes under the control of the single entity has risen to around 27.5 percent, further increasing the chance that a Tor user may leave the Tor network through a potentially malicious node.

Furthermore, "there are likely additional malicious exit relays by this actor . . . I expect their actual fraction to be slightly higher (+1-3%)" than the previously given percentages.

According to Nusenu, the goal of the malicious actors hasn't changed.

"The full extend [sic] of their operations is unknown, but one motivation appears to be plain and simple: profit."

The man-in-the-middle attacks are used to remove encryption from web traffic where possible, a technique known as SSL stripping. They primarily target cryptocurrency-related traffic, especially users visiting Bitcoin and cryptocurrency tumbling services.

For example, with access to unprotected HTTP traffic (rather than secure HTTPS traffic), the attacker can redirect the user to cryptocurrency sites featuring the attacker's Bitcoin wallet address in the hope that the user won't notice the difference. If the user doesn't pay attention, they'll send their cryptocurrency to the attacker rather than to the website or service, losing it in the process.
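As an added illustration (not code from Nusenu's research or from this article), the following Python example checks a page received through an exit relay for the two signs of tampering described above: HTTPS links rewritten to HTTP and a changed wallet address. It assumes a reference copy of the same page fetched over a trusted path; the `service.example` host, both page bodies and both wallet strings are constructed placeholders.

```python
import re

# Constructed placeholders: shaped like legacy Bitcoin addresses, not valid ones.
REF_ADDR = "1" + "A" * 30
OBS_ADDR = "1" + "B" * 30

# Constructed sample: the page as fetched over a trusted path (assumed available)...
REFERENCE = f"""<a href="https://service.example/start">Start</a>
<form action="https://service.example/pay"></form>
<p>Send to {REF_ADDR}</p>"""
# ...and the same page as received through the exit relay under test.
OBSERVED = f"""<a href="http://service.example/start">Start</a>
<form action="http://service.example/pay"></form>
<p>Send to {OBS_ADDR}</p>"""

URL_RE = re.compile(r'(?:href|action|src)\s*=\s*["\'](https?)://([^"\'\s>]+)', re.I)
ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

def urls_by_scheme(html):
    """Map each URL (scheme removed) to the set of schemes it appears with."""
    found = {}
    for scheme, rest in URL_RE.findall(html):
        found.setdefault(rest, set()).add(scheme.lower())
    return found

def compare(reference, observed):
    """Report HTTPS links rewritten to HTTP and wallet strings that changed."""
    ref_urls, obs_urls = urls_by_scheme(reference), urls_by_scheme(observed)
    downgraded = sorted(
        rest for rest, schemes in ref_urls.items()
        if schemes == {"https"} and "http" in obs_urls.get(rest, set())
    )
    ref_addrs = set(ADDR_RE.findall(reference))
    obs_addrs = set(ADDR_RE.findall(observed))
    return {
        "downgraded_urls": downgraded,
        "injected_addresses": sorted(obs_addrs - ref_addrs),
        "missing_addresses": sorted(ref_addrs - obs_addrs),
    }

if __name__ == "__main__":
    for finding, values in compare(REFERENCE, OBSERVED).items():
        print(f"{finding}: {values}")
```

Any non-empty finding means the copy that came through the exit differs from the trusted copy in a way consistent with stripping or address substitution; pages with legitimately dynamic content would need a more tolerant comparison.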

Staying Safe on Tor

The Tor network is a potentially dangerous place for any user, not least newcomers.

There are many scams in operation, ready to part willing users from their hard-earned cash or cryptocurrency. Spotting scams isn't always easy, and the SSL strip attack outlined above is a prime example. Thankfully, there are several ways you can attempt to protect against malicious exit nodes.


However, none of these methods are completely foolproof, perhaps bar staying within the Tor network. If your traffic doesn't leave the network, it never passes through an exit node, therefore avoiding a potentially malicious node.