Yesterday I found this post on /r/privacy; it has really few upvotes and there’s no mention of it on either /r/privacytoolsio or /r/tor. From my point of view, this is a real threat when it comes to the de-anonymization of Tor network users.
If you are using the Tor network for logging into any kind of important account, I would recommend against it. Maybe I’m not understanding the full scope of this, but this could create correlation and phishing attacks, hurting not only the anonymity of its users, but also their privacy and security.
Here are some extracts of the article:
This graph shows the Sybil’s guard capacity over time (~3y). The graph ends at the beginning of Oct 2019 (it intentionally lacks X and Y axes).
At their peak they reached >10% of the Tor network’s guard capacity. A guard relay is the first relay in the chain of 3 Tor relays forming a circuit and the only relay seeing the Tor user’s real IP address, but not seeing the destination accessed by the user.
To give you a feeling about their size in relation to other known operators:
The biggest known guard relay operator as of 2019–12–08 is below 2% guard capacity.
After reporting them to the Tor Project they got removed (the ones I knew about initially), but it did not take them long to set up new relays soon after.
Until this day (2019–12–08) they are actively running high bandwidth relays on the Tor network. Due to the sheer size of this particular adversary I had some hope that this discovery would act as a wake-up call and finally spark some improvements, unfortunately it did not so far.
Why didn’t we detect them earlier?
Initially their capacity was somewhat limited and most of their capacity got added in the course of the past year, but a year is still a very long time for detection.
To avoid detection they spread their relays across multiple hosting providers and added them relatively slowly over a long period of time.
They make use of the biggest Tor hosters (OVH and Hetzner) to blend in with the rest, but they also make use of hosters rarely seen before they joined (i.e. AS20860). In fact their relays made the autonomous system “Iomart Cloud Services” (AS20860) so big, it is now the 6th biggest ASN by guard capacity on the Tor network:
Top 10 ASNs by Guard Capacity: Iomart Cloud Services on position 6. (Data Source: https://metrics.torproject.org/rs.html#aggregate/as)
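The extracts above describe two things a defender can measure: an autonomous system's share of guard capacity at one point in time (the "aggregate/as" view linked in the caption), and how that share drifts when relays are added slowly across months. The following Python is an added example, not code from the post or from the linked article; the relay records, ASNs' bandwidth figures and contact strings are constructed sample data, and the threshold values are illustrative assumptions.

```python
"""Added example (not from the post or the linked article): aggregate guard
capacity by autonomous system from a constructed relay list and flag ASNs
whose share is large now or has grown a lot between two snapshots.
The slow, spread-out relay additions described in the article are hard to
see in any single consensus, so the growth check compares snapshots."""
from collections import defaultdict

# Constructed sample relays: (nickname, asn, guard_bandwidth_kbps, is_guard).
# The ASNs and bandwidth numbers are made up for illustration only.
EARLY_RELAYS = [
    ("relayA", "AS16276", 5000, True),
    ("relayB", "AS16276", 3000, True),
    ("relayC", "AS24940", 4000, True),
    ("relayD", "AS24940", 2000, True),
    ("relayE", "AS20860", 500, True),   # small presence at first
]

LATE_RELAYS = [
    ("relayA", "AS16276", 5000, True),
    ("relayB", "AS16276", 3000, True),
    ("relayC", "AS24940", 4000, True),
    ("relayD", "AS24940", 2000, True),
    ("relayE", "AS20860", 6000, True),  # grown considerably
    ("relayF", "AS20860", 5000, True),  # new relay in the same AS
    ("relayG", "AS20860", 1000, False), # not a guard: ignored by the metric
]

# Two constructed snapshots, months apart (dates are placeholders).
SNAPSHOTS = [("2019-01", EARLY_RELAYS), ("2019-10", LATE_RELAYS)]


def guard_capacity_by_as(relays):
    """Return {asn: fraction of total guard bandwidth}, counting guard relays only."""
    totals = defaultdict(int)
    for _nick, asn, bandwidth, is_guard in relays:
        if is_guard:
            totals[asn] += bandwidth
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}
    return {asn: bw / grand_total for asn, bw in totals.items()}


def top_as(relays, n=10):
    """Top-n ASNs by guard capacity share, highest first (like the metrics view)."""
    shares = guard_capacity_by_as(relays)
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flag_over_threshold(relays, threshold=0.10):
    """ASNs whose guard share exceeds the threshold in a single snapshot.
    The default mirrors the >10% peak the article attributes to the Sybil."""
    return sorted(asn for asn, share in guard_capacity_by_as(relays).items()
                  if share > threshold)


def growth_alerts(snapshots, min_increase=0.05):
    """Compare the first and last snapshot and return {asn: share_increase}
    for ASNs whose share of guard capacity rose by at least min_increase.
    Relays added slowly over a long period show up here even when no single
    snapshot looks alarming."""
    first = guard_capacity_by_as(snapshots[0][1])
    last = guard_capacity_by_as(snapshots[-1][1])
    alerts = {}
    for asn, share in last.items():
        delta = share - first.get(asn, 0.0)
        if delta >= min_increase:
            alerts[asn] = round(delta, 4)
    return alerts


if __name__ == "__main__":
    for asn, share in top_as(LATE_RELAYS):
        print(f"{asn}: {share:.1%} of guard capacity")
    print("over threshold:", flag_over_threshold(LATE_RELAYS))
    print("growth alerts:", growth_alerts(SNAPSHOTS))
```

On the constructed data AS20860 goes from about 3% to 44% of guard capacity between the two snapshots, so it is the only ASN the growth check reports; a real deployment would feed consensus data per hour or day and look at rolling windows rather than two endpoints, and would group by operator contact or relay family in addition to ASN, since the article notes the operator also hid inside the largest hosters.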