Tor Hidden Services – a Safe Haven for Cybercriminals

Over the last few months I have been closely monitoring so-called Darknet resources, mostly the Tor network. One thing that is immediately obvious is that the cybercriminal element is growing. Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, we managed to find approximately 900 hidden services online at the current time. There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network.


Cybercriminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.

Hosting C&C servers in Tor makes them harder to identify, denylist or eliminate.


Cythosia botnet webpanel

Although creating a Tor communication module within a malware sample means extra work for the malware developers, there will be a rise in new Tor-based malware, as well as Tor support for existing malware.


.Net SocksBot hardcoded C&C in Tor network
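A C&C address hardcoded in a sample, as in the .NET case above, can be recovered during static triage. The following is an added example, not code from the original post: it scans a file's bytes for onion hostnames stored as ASCII or as UTF-16LE (the encoding .NET uses for string literals), covering both 16-character addresses and the later 56-character v3 format, whose embedded checksum it verifies to discard false positives. The function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib
import re


def _pattern(unit):
    """Onion-hostname regex; unit is rb'' for ASCII, rb'\\x00' for UTF-16LE."""
    ch = rb"[a-z2-7]" + unit
    tail = rb"\." + unit + b"".join(bytes([c]) + unit for c in b"onion")
    # The lookbehind rejects labels that are only the tail of a longer run.
    return re.compile(rb"(?<!" + ch + rb")((?:" + ch + rb"){56}|(?:" + ch + rb"){16})" + tail, re.I)


def v3_checksum_ok(label):
    """Verify the checksum inside a 56-character v3 label."""
    raw = base64.b32decode(label.upper())  # 56 characters -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()
    return version == b"\x03" and digest[:2] == checksum


def find_onion_addresses(blob):
    """Return sorted (offset, encoding, hostname, verdict) tuples found in blob."""
    hits = []
    for encoding, unit in (("ascii", rb""), ("utf-16le", rb"\x00")):
        for m in _pattern(unit).finditer(blob):
            label = m.group(1).replace(b"\x00", b"").decode("ascii").lower()
            if len(label) == 16:
                verdict = "v2 (no checksum to verify)"
            else:
                verdict = "v3 valid" if v3_checksum_ok(label) else "v3 bad checksum"
            hits.append((m.start(), encoding, label + ".onion", verdict))
    return sorted(hits)


def constructed_sample():
    """Constructed test blob; none of these values come from a real sample."""
    pubkey = bytes(range(32))  # placeholder bytes, not a real service key
    chk = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    v3 = base64.b32encode(pubkey + chk + b"\x03").lower()
    v2_literal = "http://abcdefghijklmnop.onion/".encode("utf-16le")
    return (b"MZ\x90\x00" + v2_literal + b"\x00\x00cfg=" + v3 + b".onion"
            + b";bad=" + b"a" * 56 + b".onion")


if __name__ == "__main__":
    for hit in find_onion_addresses(constructed_sample()):
        print(hit)
```

Hostnames recovered this way can be added to proxy and DNS-leak detections even though the server behind them cannot be located.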

Cybercriminal forums and marketplaces are widely known on the Internet. Some of them are public, some are private, and to join those you need the approval of or an invitation from an existing member, or need to be a respected personality in the underground scene. Now another layer has been added – Tor underground marketplaces. It all started from the notorious Silk Road market and evolved to dozens of specialist markets: drugs, arms and, of course, malware.


Botnet for sale

A simple registration procedure, trader ratings, guaranteed service and a user-friendly interface – these are standard features of a Tor underground marketplace. Some of the stores require sellers to deposit a pledge – a fixed sum of money – before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.


Spyeye for sale

Financial fraud

Carding shops are firmly settled in the Darknet. Stolen personal info is for sale with a wide variety of search attributes such as country, bank, etc. Tor credit card online shops that have been criticized by cybercriminals for bad quality or for being fake can find a second lease of life in the Darknet.


Online shop selling stolen credit card details

Offers are not limited to credit cards – dumps, skimmers and carding equipment are for sale too.


Shops with other carding goods

Money Laundering

Bitcoins play an important role in underground financial operations. Almost everything on the Tor network is bought and sold using bitcoins. Although it’s almost impossible to make a connection between a bitcoin wallet and a real person, it is possible to track bitcoin transactions, as all of them are transparent and public, to build up a scheme of what’s going on, and to find out the most valuable transactions made via bitcoin exchange services. That’s why money laundering services exist on Tor. Cybercriminals can create an account and deposit bitcoins, which are then broken up into various quantities and transferred through dozens of different wallets to make any investigation highly complicated.


Money laundering service


  • A growing number of Tor hidden services and the ease with which they can be deployed attract more and more cybercriminals to the Darknet.
  • Malware developers are using Tor more and more for a variety of malware-related tasks.
  • Financial fraud and money laundering are important aspects of the Tor network.
