We are happy to announce a new ThreatSTOP originated target, TS Originated - Tor Proxies - Domains, which provides protection from various malware and ransomware variants that use Tor proxy services to attack victims.

Abuse of Tor proxy services for malicious use has been on the rise in the past two years, with many ransomware variants demanding ransom payments over the Tor network. The Tor network, which gives its users anonymity, is a great platform for threat actors to deploy their malicious activity while hiding from discovery.

What is a Tor Proxy Service?

Tor (short for “The Onion Router”) is a network that allows users to browse anonymously by using a series of virtual tunnels. To access the Tor network, users can simply download a designated Tor browser and browse the requested domain (also called an “onion site”). Tor Proxy Services provide a way to access the Tor network without the Tor browser, allowing users to access the network with their browser of choice by appending the service’s extension to the end of the Tor domain.
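As an added example (not ThreatSTOP's code or part of the original post), the sketch below flags DNS query names that follow the pattern just described: an onion address plus `.onion`, with a proxy service's extension appended. The log format, the sample addresses and the `proxy.example` suffix are constructed; `onion.top` is the proxy service named later in this post.

```python
import re

# Onion address labels: 16 base32 characters (v2) or 56 (v3), alphabet a-z2-7.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Assumed blocklist contents; onion.top is the one proxy service this post names.
PROXY_SUFFIXES = {"onion.top"}

def classify(hostname, proxy_suffixes=PROXY_SUFFIXES):
    """Return 'listed-proxy', 'suspected-proxy', 'native-onion' or 'clean'."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    # Label-aligned suffix match, so "notonion.top" does not hit "onion.top".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in proxy_suffixes:
            return "listed-proxy"
    # Shape match: <onion address>.onion followed by a proxy's extension.
    for i in range(len(labels) - 1):
        if ONION_LABEL.match(labels[i]) and labels[i + 1] == "onion":
            # Nothing after ".onion" means a plain Tor name, not a proxy URL.
            return "native-onion" if i + 2 == len(labels) else "suspected-proxy"
    return "clean"

def scan(log_lines):
    """Return (client, qname, verdict) for every non-clean query."""
    findings = []
    for line in log_lines:
        _timestamp, client, qname = line.split()
        verdict = classify(qname)
        if verdict != "clean":
            findings.append((client, qname, verdict))
    return findings

# Constructed sample data: fake onion addresses and a made-up log format.
V2 = "abcdefghij234567"
V3 = "abcdefgh" * 7
SAMPLE_LOG = [
    "2018-06-01T10:00:01Z 10.0.0.5 www.example.com",
    f"2018-06-01T10:00:02Z 10.0.0.7 {V2}.onion.top",
    f"2018-06-01T10:00:03Z 10.0.0.7 {V3}.onion.proxy.example.",
    f"2018-06-01T10:00:04Z 10.0.0.9 {V2}.onion",
    "2018-06-01T10:00:05Z 10.0.0.5 internationalize.example.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The shape match only covers proxies that keep the `.onion` label in the hostname; a domain blocklist is still needed for services that use a different naming scheme.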

A Constant Rise in Malicious Use

As threat actors multiply in number and adopt more advanced tactics, the use of Tor is on the rise. Many malware variants use it to hide their network traffic and command and control servers, making them harder to detect on infected machines and extremely difficult to shut down. For example, a Cerber ransomware attack that distributed phishing emails with malicious links used Tor proxy services to retrieve the ransomware’s payload from the Tor network using the victims’ Firefox browser.

Tor is also widely used for ransom collection by many ransomware variants. After a victim has been infected, the ransomware will encrypt the victim’s files or block their access. A ransom note will then request a payment in exchange for regaining the files, providing the payment portal’s URL. Since downloading and using the Tor browser requires a certain level of technical skill, threat actors often provide a Tor proxy URL to ensure that even non-technical victims pay the ransom. When payment portals are hosted on the Tor network, users have no way of tracing their payment, which leaves them even more in the dark regarding whether they will get their files back.

Of the many ransomware variants using Tor proxies, some of the big names are TeslaCrypt, TorrentLocker, CTB-Locker, and Onion Ransomware.

The Tor Proxy Service that Stole from Everyone

Earlier this year, operators at the Tor proxy service Onion[.]top were caught stealing ransom payments from the attackers behind LockeR, Sigma, and GlobeImposter ransomware variants. Researchers at Proofpoint discovered that the operators were swapping ransom payment addresses to their own bitcoin wallet addresses. By the time they were discovered, they were able to snag $22,000 from paying victims.

Want to learn more about Tor? Read our blog posts on enhancing protection against the Tor network, and on the use of VPN and Tor to bypass network security.


We highly recommend enabling the TS Originated - Tor Proxies - Domains target in order to protect you from these threats.

If you do have a ThreatSTOP account, instructions to add targets to IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our Support team.

