Tor exit nodes abuses


I’m a VPN user but sometimes I like to use Tor, paying attention to the basic warnings: use https, use onion version of clear net sites when possible, no login and/or personal data, no javascript, use bridges and so on…

But making a research about exit nodes, I noticed that almost all are involved with abuses. I couldn’t find a “clean” exit node but one or two. I downloaded the whole list from and tested several nodes using

All these sites reported various abuses, from SPAM to several hacking actions and many more. How can it possible I haven’t yet found a “clean” node except one or two. I made a check on about 50 relays. They are not many but various and from different countries.

The second (and more important) question is: is an exit node which is involved with abuses a threat just for the owner of the relay (that can be charged especially in case of serious crimes) or can it be tricky in Tor surfing activity too? In other words, can a node used for abuses be a trap for people who use Tor?
I know that I can be threatened by a snoopy and tricky owner of an exit node (e.g. hackers or governments) who can sniff my traffic (especially if I’m not prudent), but… can people who use nodes for illicit activities do the same thing as they were the node owners?

I hope my question is understandable: I try to do the best I can but unfortunately English is not my native language so I expect that something is not so clear as it should be.

Thank you!

Well… since tor is free and everyone can use them almost every nods are not clean and no only the node owner can view your traffic

Thank you, I suspect something like this, but it’s not still clear how they use the node like the owner does. The scenario is: A is the owner, B is the hacker. So, B uses A’s node for his illicit traffics. A can get in trouble, ok, but can B sniff the traffic of a unaware surfer (called C) who landed on a site whose exit node is the same that B uses? Suppose that C is not expert and he doesn’t uses any protection: no bridges, java script allowed, login with his name and personal info, no https and so on. Can really B (like A could do) see who C is? Here there is a report about a node involved in several abuses.

It’s not clear from a report like this if the threat involves both A and C

Might be reported due high numbers of visiting ? not for just “hacking” or bad stuff

No, it’s always reported as bad stuff… The image I attached before doesn’t show well the whole report: this is better and shows just a part of the 500 and more reports of illicit or bad activities of another node.

You can also view this more complete report about another node:

I renew the circuit several times but I always get exit nodes like this with even more than 1000 reports of hacking , brute force, spam and similar. Sometimes I get less harmful nodes and very rarely I get clean nodes.

I still wonder if the “abusers” can get control of the node and have a chance to spy users.

If that your question then no :stuck_out_tongue:
Tor works on 3 nodes as you know. 1st takes your IP and connect you, 2nd it’s like a bridge and 3rd one is the actual node that websites detect so it’s hard to identify its you but still can see data of course but again it’s useless

you do know that abusing the node and hacking the node are very different things right?

unless you get multiple nodes of the three working together to de-anonymize you you shouldn’t be.
what people or .org’s can see coming out of the exit node is the URL’s visited and any encrypted AND un-encrypted traffic going towards these domains.
If you visit >
they will be able to gather information on you that way. Just like our glorious DNS does for our ISPs.

If you go through un-encrypted channels, using the same example or you where to use outdated encryption algorithms or /algo - strengths f.e. by using tor without the tor browser and unsafe config.
etc, etc. also your password and more could be snooped.

The safest way to use tor is to boot off an onion address and not leave .onion domains while you’re browsing. This fends of loads of possible exploits.

Most people whom run relays whom aren’t in it for de-anonymization as governments or f.e. researchers.
When setting up a tor-relay and especially an exit you prob. won’t be making this choice without thinking it through. Best advice I read is too ASK your ISP or VPS / dedicated server rental company if they are ok with you running such a public service for the tor network.

Yeah if I am following you correctly you’re worried to a point you might get snooped on traffic, some elaborate crimal / criminals where to find out what weird ‘something’ you where doing and would then threaten you for ransom?

This seems highly unlikely to me. Perhaps someone else will think differently.


I know that I’m not so important to be targeted by sophisticated hackers. I don’t even surf illicit sites or sell drugs on the web so I don’t think police and agencies can be interested in what I do. :wink:
But, no matter the sites you surf, the good thing is to be safe from snooping bad boys anyway! I can visit puppies, flowers, cooking and poetry websites, but I have to be safe the same… I think so. But you are right, it seems highly unlikely!

Yes, I know, but I was wondering if it’s possible for some abusers to get control of the relay anyway. I think it’s quite unlikely, but to be sure I stay oh https and, if available, onion version of websites, I don’t allow javascript or other stuff that can threaten me, I don’t make login with my real name (and in general I don’t make login at all!), I dont’ even use emails with my real name and I use services like protonmail and similar, I don’t make payments, change circuit a Identity quite often… It should be enough! :grinning:

1 Like

Yeah I think so, good of you to ask though!
Perhaps ask around in the Tor matrix room, and perhaps someone there will give a beter answer although iirc it is a unofficial room.

1 Like