Hackers have found a way to make money on anonymity
The script in question is the Monero mining script that has already drawn attention on the Internet because site operators embedded it in their pages, making visitors unwittingly mine cryptocurrency for them. This time the situation is quite different: the script is not placed on an infected site but is "slipped" to the user by a Tor exit node.
According to the expert, the node's behavior was discovered by accident: on December 7, while using Tor, he noticed an unusually high CPU load. A look at the htop output confirmed his guess: a miner was running on the system.
He established that one of the exit nodes replaces the requested HTTP page with a fake one that shows the user the text of a 502 error instead of the site's front page.
That fake page loads the script at https://coinhive.com/lib/coinhive.min.js , the official Coinhive script for Monero mining. In every test the mining was credited to the same account, r6TvyUm39Zhk0E6panzmTJz8GXcBNrm5 .
To catch the rogue exit node, a script was written that repeatedly requests the same site, in this case http://api.ipify.org/, through different exit nodes and reacts to changes in the size of the returned page. Experiments run this way showed that there were several malicious exit nodes, although their exact number is hard to determine. By the morning of December 8, the miner activity on the node appeared to have stopped.
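The detection idea described above, fetching one small, predictable page through many exit nodes and flagging any answer that no longer looks like that page, is easy to reproduce offline. The following Python is an added example, not the expert's script and not code from Coinhive or the Tor Project: it takes responses already collected per exit node (the relay fingerprints and page bodies below are constructed, and the IP addresses are documentation-range values) and classifies each one by size, by whether it still is a bare IPv4 address as api.ipify.org returns, and by whether a script element or the Coinhive loader URL was injected. The real circuit handling, for instance sending NEWNYM over Tor's control port between fetches, is assumed to happen outside this function.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# api.ipify.org answers with nothing but the client's public IPv4 address,
# so an honest exit yields a short body matching this pattern.
IPV4_RE = re.compile(r"^\s*(\d{1,3}\.){3}\d{1,3}\s*$")
# The loader the article names; a match means a miner was injected in transit.
COINHIVE_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)


@dataclass
class ExitSample:
    """One fetch of the probe page through one exit node."""
    fingerprint: str   # Tor relay fingerprint (constructed placeholders below)
    status: int        # HTTP status seen by the client
    body: str          # response body as received


def classify_sample(sample: ExitSample, max_honest_len: int = 64) -> List[str]:
    """Return the list of reasons this response looks tampered (empty if clean).

    max_honest_len is an assumed upper bound: an IPv4 address plus a newline
    is at most 16 bytes, so anything far larger cannot be the real ipify page.
    """
    reasons = []
    if sample.status != 200:
        reasons.append(f"unexpected HTTP status {sample.status}")
    if len(sample.body) > max_honest_len:
        reasons.append(f"body is {len(sample.body)} bytes, over the {max_honest_len}-byte bound")
    if not IPV4_RE.match(sample.body):
        reasons.append("body is not a bare IPv4 address")
    if SCRIPT_RE.search(sample.body):
        reasons.append("contains an injected <script> element")
    if COINHIVE_RE.search(sample.body):
        reasons.append("references the Coinhive miner loader")
    return reasons


def find_tampered_exits(samples: List[ExitSample]) -> Dict[str, List[str]]:
    """Map each suspicious exit fingerprint to the reasons it was flagged."""
    flagged = {}
    for sample in samples:
        reasons = classify_sample(sample)
        if reasons:
            flagged[sample.fingerprint] = reasons
    return flagged


# Constructed samples: two honest exits and one that swaps in a fake 502 page
# carrying the miner loader, as the article describes.
SAMPLES = [
    ExitSample("EXIT-A-PLACEHOLDER", 200, "203.0.113.7\n"),
    ExitSample("EXIT-B-PLACEHOLDER", 200, "198.51.100.23\n"),
    ExitSample(
        "EXIT-C-PLACEHOLDER",
        200,
        '<html><body><h1>502 Bad Gateway</h1>'
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        '</body></html>',
    ),
]

if __name__ == "__main__":
    for fingerprint, reasons in find_tampered_exits(SAMPLES).items():
        print(fingerprint)
        for reason in reasons:
            print("  -", reason)
```

Checking the body's shape rather than only its size matters because honest exits return different addresses of different lengths; a pure size comparison against a single baseline would produce noise, while a page that suddenly contains HTML or a script element is unambiguous.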
The fact that the attackers made no real effort to hide their tracks, replacing the page with a 502 error outright, suggests that this mining method is still only being tested. After all, the operator of an exit node can return the correct content of the requested page and merely supplement it with, say, a frame that in turn calls the miner. Why did the mining stop? Perhaps the miners were checking whether cryptocurrency could be extracted this way at all, and the node will soon resume operating, but without the 502 errors.