A Tor proxy service stole bitcoins from users
Security researchers at Proofpoint conducted an investigation and found that the proxy service onion.top, which provides access to the Tor network from a regular browser, replaces Bitcoin wallet addresses; the payment sites of the LockeR, Sigma, and GlobeImposter ransomware were among those affected.
The service scans web pages loaded through the portal for strings that look like Bitcoin wallet addresses and replaces them with wallets belonging to the attackers, the Proofpoint experts explained.
Analysis of the service showed that it applies several different rules for substituting Bitcoin wallets, which clearly indicates manual configuration for each particular site.
So far, two Bitcoin wallets belonging to the scammers operating through onion.top have been identified. In total, the wallets contain about two bitcoins (about 22 thousand dollars). After the scheme was exposed, the ransomware operators removed links to all proxy servers and advised users to pay only through the Tor browser.
The onion.top proxy service, which allows access to the Tor network from a regular browser, was caught substituting Bitcoin wallet addresses. The websites of the LockeR, Sigma and GlobeImposter ransomware were among those affected.
The ransomware operators removed links to all proxy services from their programs, recommending that victims pay only through the Tor browser. The operators of the LockeR ransomware directly warned victims not to use the onion.top service.