Tor

Tor is a giant mesh network used for onion routing on the DarkNet.[^1] There are thousands of routers called Tor Nodes.[^1] Tor allows users to route requests through multiple relay nodes.[^4] It is maintained by the non-profit Tor Project.[^4] These nodes bounce your data from an entry node, all over the place, and on to the destination node, making it more difficult to determine where internet traffic goes.[^1] If you connect straight in, it is easy for people to figure out who you are.[^1] You should use a multi-hop VPN to connect to Tor.[^1] The owner of a Tor entry node can determine your IP address if you aren’t using any OPSEC like a VPN.[^1]

The Tor network hosts hidden websites.[^2] When people connect through Tor, the Tor client acts as a SOCKS proxy.[^2] The connection is then translated into Tor streams that are multiplexed into encrypted streams called ‘circuits’.[^2] The circuits are multiplexed over TLS connections between nodes that are spread geographically around the world.[^2] Depending on the VPN provider, using a VPN with Tor can de-anonymize a criminal.[^2] Tor settings can be used to obfuscate Tor usage.[^2] Tor only supports TCP, not UDP.[^2] It is not illegal to use Tor, but it is suspicious. Any Tor traffic appears to originate from the IP address of a Tor exit node.[^4] Tor encrypts a user’s traffic through at least 3 nodes (aka relays).[^4] The Tor Project maintains a list of Tor exit node IP addresses updated hourly.[^4] Internet ports associated with Tor include:

  • 9001
  • 9030
  • 9040
  • 9050
  • 9150

Hosts that run Tor software also have DNS queries ending in torproject.org.[^4] Misconfigured Tor networks can expose the activity of their users.[^5] April 2025 saw an increase in direct Tor connections from 2 million to 6 million, the largest increase in direct connections since the beginning of 2024. There are around 750,000 unique Tor .onion addresses in use. The tor.link site can be used to check if an onion service is active.

Tor is free and open-source software.[^6] Tor was developed with the support of the US Naval Research Laboratory.[^6] It then became a project of the Electronic Frontier Foundation. It is an anonymity tool that uses a multi-hop proxy and multiple layers of encryption to hide web traffic. Tor can be used to circumvent firewalls for individuals who live in oppressive countries and allow them to communicate. It can also be used to launch cyberattacks while making it difficult to attribute them to the attacker. If a single entity controls enough nodes in the network, it is guaranteed to be able to de-anonymize a certain percentage of web traffic. Tor can be de-anonymized with timing correlations.[^7] There have also been successful deanonymization attacks against Tor itself.[^7] Tor built TLS using the Diffie-Hellman protocol with a non-standard prime.[^8] This allowed Iran to identify and block Tor access.[^8] Tor is essential for individuals who are living in very oppressive countries.[^8]
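The per-relay layering described above, with each of the three relays stripping one layer so the entry node sees the client but not the destination and the exit node sees the destination but not the client, as an added example that is not code from the Tor Project or from this note's sources. The keystream cipher, the relay names and keys, the nonce and the payload are toy values constructed for the demo; real Tor uses AES-CTR layers with circuit keys negotiated by Diffie-Hellman, and the end-to-end digest here stands in for the recognized/digest check a Tor exit performs.

```python
"""Toy three-hop onion layering.

Added example, not Tor Project code.  Tor wraps each cell in one layer of
encryption per relay in the circuit (entry, middle, exit) and every relay
strips exactly one layer, so each relay learns only its neighbours.  The
"cipher" is a SHA-256 keystream XOR standing in for Tor's AES-CTR layers,
circuit keys are assumed pre-shared (Tor negotiates them with
Diffie-Hellman), and relay names, keys, nonce and payload are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

DIGEST_LEN = 16  # bytes of HMAC the exit verifies before delivering a cell


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key||nonce||ctr) blocks.

    Symmetric, so the same call both adds and strips a layer.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    name: str
    key: bytes                                 # shared with the client for this circuit
    seen: dict = field(default_factory=dict)   # what this relay could observe

    def process(self, prev_hop: str, cell: bytes, nonce: bytes):
        """Strip one layer; return (next hop or destination, remaining bytes)."""
        inner = keystream_xor(self.key, nonce, cell)
        header, _, rest = inner.partition(b"|")
        tag, _, value = header.partition(b":")
        if tag == b"NEXT":
            self.seen = {"prev_hop": prev_hop, "next_hop": value.decode()}
            return value.decode(), rest
        if tag == b"DEST":
            # Exit relay: verify the end-to-end digest before delivering anything
            digest, payload = rest[:DIGEST_LEN], rest[DIGEST_LEN:]
            expect = hmac.new(self.key, payload, hashlib.sha256).digest()[:DIGEST_LEN]
            if not hmac.compare_digest(digest, expect):
                raise ValueError(f"{self.name}: cell digest mismatch, dropping")
            self.seen = {"prev_hop": prev_hop, "destination": value.decode()}
            return value.decode(), payload
        raise ValueError(f"{self.name}: unrecognised cell, dropping")


def build_onion(path, dest: str, payload: bytes, nonce: bytes) -> bytes:
    """Client side: wrap exit-first so the entry relay's layer is outermost."""
    entry, middle, exit_ = path
    digest = hmac.new(exit_.key, payload, hashlib.sha256).digest()[:DIGEST_LEN]
    cell = keystream_xor(exit_.key, nonce, b"DEST:" + dest.encode() + b"|" + digest + payload)
    cell = keystream_xor(middle.key, nonce, b"NEXT:" + exit_.name.encode() + b"|" + cell)
    cell = keystream_xor(entry.key, nonce, b"NEXT:" + middle.name.encode() + b"|" + cell)
    return cell


def run_circuit(path, dest: str, payload: bytes, nonce: bytes = b"circuit-1"):
    """Push one cell through the three relays; return (destination, payload)."""
    cell = build_onion(path, dest, payload, nonce)
    prev_hop = "client"
    for relay in path:
        next_hop, cell = relay.process(prev_hop, cell, nonce)
        prev_hop = relay.name
    return next_hop, cell


def demo():
    # Constructed circuit: keys would come from Tor's DH handshake in reality.
    path = [Relay("entry", b"k-entry"), Relay("middle", b"k-middle"), Relay("exit", b"k-exit")]
    dest, payload = run_circuit(path, "example.org:443", b"GET / HTTP/1.1")
    # Each relay's view: only the exit saw the destination, only the entry saw the client.
    return dest, payload, {r.name: r.seen for r in path}


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the entry relay recording only client and middle, the middle relay only entry and exit, and the exit relay only middle and the destination; flipping a single byte of the cell in transit is caught by the exit's digest check, which is why the note's timing-correlation and malicious-exit-node entries matter more to a defender than the ciphertext itself.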

[[Whonix]] – is pre-configured for Tor
[[Tails]] – uses the Tor Browser
[[Medusa Ransomware]] – requires victims to contact attackers via Tor
[[Tor Project]] – non-profit that maintains Tor software.[^4]
[[Detecting WebShells]] – IP addresses coming from a Tor exit node may indicate an attack
[[Darkside Ransomware Attack]] – uses Tor for C2 servers
[[Hive Leak Site]] – hosted on Tor
[[Threat Actor]] – threat actors use Tor to provide anonymity for their webservers
[[Equation Group]] – has used exploits against Firefox 17 as used in the Tor browser
[[CryptoLocker]] – uses Tor for ransomware anonymity
[[OnionDuke]] – spread via malicious Tor exit nodes
[[ShadowLink]] – used to create a hidden Tor service on compromised machines
[[torrc]] – Tor configuration file
[[Forest Blizzard]] – have been known to use Tor-based capabilities
[[Device Code Authentication Phishing]] – attacks came from VPS and Tor
[[ORB2 (FLORAHOX)]] – uses a customized Tor relay network layer
[[Internet Gateway Device (IGD)]] – can be used to de-anonymize tor users
[[ZeroBin.net]] – Tor service
[[Iranian Hacking]] – Iranian-based hackers have used onion domains for hosting
[[APT28]] – uses Tor in their credential guessing campaigns
[[libevent]] – notification library used in Tor
[[Jake Appelbaum]] – Developer of the Tor project
[[LulzSec]] – used Tor
[[Anonymous]] – used Tor
[[Tor Hidden Service]]
[[Grizzly Steppe]] – used Tor for malware delivery
[[curl command]] – using the curl command over Tor requires the --socks5-hostname option
[[Catalan Police Union Hack]] – used Tor for the attack
[[Cayman National Bank Hack]] – Fisher credited Tor for helping with the bank attack
[[2019 ANU Data Breach]] – attackers used Tor for C2
[[Snowflake Protocol]] – uses WebRTC
[[MIT]] – has some exit nodes.[^8]
[[Waterloo University]] – runs an exit node.[^9]
[[UNC]] – has an exit node.[^8]
[[CMU]] – has an exit node.[^8]
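The indicators the note lists (the Tor ports, DNS names under torproject.org, and source addresses on the exit-node list, as in the Detecting WebShells entry above) applied to a few log lines, as an added example that is not from the note's sources or the Tor Project. The key=value log format, the hosts, the log lines and the small exit list are all constructed; the DNS check also handles the edge case of a name that merely ends with the string torproject.org (such as nottorproject.org), which must not match.

```python
"""Tor indicator sweep over sample logs (added example, not from the note's sources).

Applies the indicators the note lists: outbound connections to the Tor
ports, DNS queries for names under torproject.org, and inbound
connections from addresses on the Tor exit-node list.  The key=value log
format, hosts, log lines and exit list are constructed for the demo.
"""
from collections import defaultdict

# Ports the note associates with Tor (9050/9150 are the local SOCKS ports).
TOR_PORTS = {9001, 9030, 9040, 9050, 9150}

# Constructed exit list; in production refresh this hourly from the
# Tor Project's published exit-node list.
EXIT_NODES = {"203.0.113.7", "198.51.100.23"}

# Constructed log lines using TEST-NET / private addresses.
SAMPLE_LOGS = [
    "ts=1 type=conn dir=out src=10.0.0.5 dst=203.0.113.7 dport=9001",
    "ts=2 type=dns src=10.0.0.5 query=check.torproject.org.",
    "ts=3 type=conn dir=in src=198.51.100.23 dst=10.0.0.80 dport=443",
    "ts=4 type=conn dir=out src=10.0.0.9 dst=192.0.2.44 dport=443",
    "ts=5 type=dns src=10.0.0.9 query=www.example.com",
    "ts=6 type=dns src=10.0.0.12 query=nottorproject.org",
]


def parse(line: str) -> dict:
    """Split a 'k=v k=v ...' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_torproject_name(name: str) -> bool:
    """True for torproject.org and its subdomains only (label-boundary match)."""
    name = name.rstrip(".").lower()
    return name == "torproject.org" or name.endswith(".torproject.org")


def classify(event: dict, exit_nodes=EXIT_NODES):
    """Return (indicator, internal_host) pairs for one parsed event."""
    hits = []
    if event["type"] == "dns" and is_torproject_name(event["query"]):
        hits.append(("dns_torproject", event["src"]))
    elif event["type"] == "conn":
        if event["dir"] == "out" and int(event["dport"]) in TOR_PORTS:
            hits.append(("tor_port_outbound", event["src"]))
        if event["dir"] == "in" and event["src"] in exit_nodes:
            hits.append(("from_tor_exit", event["dst"]))
    return hits


def scan(lines, exit_nodes=EXIT_NODES) -> dict:
    """Aggregate indicators per internal host."""
    by_host = defaultdict(set)
    for line in lines:
        for indicator, host in classify(parse(line), exit_nodes):
            by_host[host].add(indicator)
    return {host: sorted(inds) for host, inds in by_host.items()}


def triage(report: dict) -> dict:
    """Turn per-host indicators into a review note."""
    verdicts = {}
    for host, inds in report.items():
        client_side = {i for i in inds if i != "from_tor_exit"}
        notes = []
        if len(client_side) >= 2:
            notes.append("likely Tor client")
        elif client_side:
            notes.append("possible Tor client, confirm")
        if "from_tor_exit" in inds:
            notes.append("inbound from Tor exit, review server logs")
        verdicts[host] = "; ".join(notes)
    return verdicts


if __name__ == "__main__":
    report = scan(SAMPLE_LOGS)
    for host, verdict in triage(report).items():
        print(host, report[host], verdict)
```

Two client-side indicators on the same host (a torproject.org lookup plus a connection to a relay port) are treated as stronger evidence than either alone, while a hit on the exit list for an inbound connection is routed to the server owner rather than flagged as a Tor client, matching how the note separates "runs Tor" from "attacked via Tor".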

Backlinks

[[DarkNet]]
[[Diffie-Hellman Key Exchange]]
DNS
[[Electronic Frontier Foundation]]
IP Addresses
[[Iran]]
[[OPSEC]]
[[SOCKS5]]
[[TCP]]
[[Tox]]
[[UDP]]
VPN

Sources

[1] D. Bombal, “Never access the Dark Web without doing this! (Tor and Telegram demos),” Sep. 22, 2024. Accessed: Jan. 21, 2025. [Online Video]. Available: https://www.youtube.com/watch?v=7wLLcFMmbpg
[2] “[TOR] Dread – There is One and Only One Rule in OpSec – Tutorials & Guides,” Closed Network Podcast Forum. Accessed: Feb. 09, 2025. [Online]. Available: https://forum.closednetwork.io/t/tor-dread-there-is-one-and-only-one-rule-in-opsec/91
[3] privacysavvy
[4] CISA, Alert AA20-183A.
[5] Talos Intelligence, de-anonymizing ransomware.
[6] “Inside the NSA’s War on Internet Security,” Der Spiegel, Dec. 28, 2014. [Online]. Available: https://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
[7] P. Fisher, “HackBack.” [Online]. Available: https://pastebin.com/raw/0SNSvyjJ
[8] R. Dingledine, DEF CON 33.