Functional Tor browser replica has malware that steals Bitcoins

posted 9 months ago
A trojanized Tor Browser knockoff, distributed by cybercriminals to steal Bitcoins from darknet market buyers, let them steal 4.8 BTC. The fake domains used were "tor-browser[.]org" and "torproect[.]org" (the real Tor website is ""). In 2017 the cybercriminals promoted webpages for the trojanized Tor Browser with spam messages on various Russian forums. In 2018 they generated large numbers of pastes optimized for search engines, so that they would rank highly for terms covering drugs, cryptocurrency, censorship bypass, and the names of Russian politicians. The header of one paste translates to English as “BRO, download Tor Browser so the cops won’t watch you…”

The trojanized Tor Browser is a fully functional application; the criminals changed only the default browser settings and some of the extensions. The most important change is to the xpinstall.signatures.required setting, which disables the digital signature check for installed Tor Browser add-ons. This atypical form of malware is designed to steal Bitcoin from visitors to darknet markets. The criminals did not modify binary components of the Tor Browser; instead, they introduced changes to settings and to the HTTPS Everywhere extension. This allowed them to steal Bitcoin unnoticed for years.
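Because the tampering described above lives in profile preferences rather than in binaries, a file-hash check of the browser itself will not catch it; the preference file is what needs inspecting. The following Python script is an added example (not code from the article or from the Tor Project) that parses a Firefox/Tor Browser `prefs.js` or `user.js` file and reports any security-relevant preference that has been overridden away from its expected value. It assumes the standard `user_pref("name", value);` line format, and the sample file contents are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# One prefs.js / user.js line looks like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Baseline of preferences a trustworthy profile must keep, with the value
# each must hold. Only the setting the article names is listed here; extend
# this dict with further prefs for your own baseline (assumption: the
# browser's built-in default for this key is true, so a profile that does
# not mention it at all is treated as untampered).
EXPECTED_PREFS: Dict[str, object] = {
    "xpinstall.signatures.required": True,
}


def parse_pref_value(raw: str) -> object:
    """Convert the raw value text of a user_pref() call to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unusual as its literal text


def parse_prefs(text: str) -> Dict[str, object]:
    """Return {pref_name: value} for every user_pref() line in the file."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_pref_value(m.group(2))
    return prefs


def find_weakened_prefs(
    text: str, expected: Dict[str, object] = EXPECTED_PREFS
) -> List[Tuple[str, object, object]]:
    """List (name, expected_value, actual_value) for each baseline pref the
    profile explicitly overrides to a different value."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in expected.items():
        if name in prefs and prefs[name] != want:
            findings.append((name, want, prefs[name]))
    return findings


# Constructed sample profile: a harmless pref plus the signature check
# switched off, the modification the article attributes to the knockoff.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("xpinstall.signatures.required", false);
"""

if __name__ == "__main__":
    for name, want, got in find_weakened_prefs(SAMPLE_PREFS_JS):
        print(f"WEAKENED: {name} expected {want!r} but profile sets {got!r}")
```

To audit a real installation, read the `prefs.js` from the profile directory inside the Tor Browser folder and pass its contents to `find_weakened_prefs`; an empty result means none of the baseline preferences has been explicitly overridden.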
Tags: blockchain, bitcoin, news