Share this article
Fake Tor Browser Has Been Spying, Stealing Bitcoin 'For Years'
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malware designed to steal bitcoin.
Updated Sep 13, 2021, 11:35 a.m. Published Oct 18, 2019, 12:03 p.m.
Hackers have been distributing a compromised version of the official Tor Browser that's packed with malicious tools used to both spy on users and steal their bitcoin.
Discovered by researchers at IT security firm ESET, the trojanized Tor has apparently resulted in a relatively small amount of bitcoin being lost to date, with funds taken by address swapping when users try to pay on dark net markets.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
In an announcement emailed to CoinDesk on Friday, ESET's senior malware researcher, Anton Cherepanov, said the research had identified three bitcoin wallets used by the hackers since 2017.
"Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser,” Cherepanov explained.
At the time the research was completed, the three wallets had received 4.8 bitcoin (worth $38,700 at press time), though ESET said the actual amount stolen would be higher as wallets for the Russian payments service QIWI are also targeted.
The hacking campaign has been targeting Russian-speaking users of Tor – a network designed to keep identities hidden to avoid tracking and surveillance.
The cybercriminals behind the fake Tor browser have been using forums and pastebin.com to distribute their offering as the official Russian language version of the app.
"Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites," said ESET.
On first website, the user receives an alert that their Tor Browser is out of date, even if not true. Visitors who are duped by the message are then redirected to a second website with an installer for the fake app.
Once installed, the malware-laden browser enables its creators to know what websites a user visits, to change the data on visited pages and grab the content of data forms. While the hackers could potentially display false information to users, the browser has only been observed to change the wallet addresses for the purposes of stealing bitcoin, Cherepanov said.
Tor image via Shutterstock
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
XRP Faces Downside Risk as Social Sentiment Turns Wildly Negative
The turn in crowd mood comes after a two-month slide of roughly 31%, leaving the token vulnerable to further downside if risk appetite weakens across majors.
What to know:
- XRP's price approached the $2 mark as social sentiment around the token turned sharply negative, according to Santiment data.
- The token has experienced a 31% decline over two months, making it vulnerable to further losses if market risk appetite weakens.
- Santiment's sentiment model indicates XRP is in a 'fear zone,' where negative commentary significantly outweighs positive talk, potentially influencing market positioning.
Top Stories
