Cyber Incident Victim: SIGAINT
Date: Apr 2015
Location: United States of America
Summary
The Tor-based email service SIGAINT was targeted through a coordinated attack using about 70 malicious exit relays, roughly 6% of all Tor exit nodes at the time. The relays rewrote the service's .onion address in traffic leaving the Tor network, redirecting users to a look-alike .onion site positioned to capture login credentials in real time; there was no evidence that SIGAINT's own infrastructure was compromised. Very few account hijackings were reported, suggesting password theft was not the primary objective. The relays had been added in small batches across multiple hosting providers to avoid notice and were blacklisted as soon as they were identified. Analysis pointed to a mix of cloud instances and possibly Raspberry Pi devices, with a deployment pattern that suggested deliberate stealth.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2015, SIGAINT, a privacy-focused email service operating primarily within the Tor anonymity network, was targeted through a coordinated attack using malicious Tor exit relays. An administrator disclosed on April 23 that approximately 70 rogue exit nodes, initially counted as 58 before Tor contributor Philipp Winter identified 12 more, had been deployed to interfere with traffic to SIGAINT. These nodes amounted to roughly 6% of Tor's exit relays by count and had been introduced in small batches over the preceding month to avoid attracting attention.

The attacker exploited the exit relay's position as the final hop in a Tor circuit, where traffic to ordinary (non-.onion) destinations leaves the network in whatever form the client sent it. Requests to SIGAINT's unencrypted clearnet site passed through the rogue exits in plaintext, and the exits rewrote the .onion address published there so that users were sent to a counterfeit site under the attacker's control, a man-in-the-middle (MITM) position from which login credentials could be captured in real time. Weighted by bandwidth, the malicious relays accounted for only about 2.7% of exit-selection probability, so roughly one circuit in 37 would have exited through them. SIGAINT's administrator assessed that the attacker had likely not breached the service's core infrastructure and reported very few compromised accounts, fewer than one per 42,000 users per quarter, which suggested credential theft was not the primary objective.
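The rewriting described above only works because the exit relay sees the page in plaintext, and the corresponding detection is to fetch the same page through every exit and compare what comes back (Philipp Winter's exitmap scanner automates that kind of per-exit comparison). The Python below is an added example, not code from this page, from SIGAINT or from the Tor Project: it extracts the .onion links from a trusted reference copy of a page and from the copy observed through a given exit, and reports any exit that removed or substituted an address. The page bodies, the .onion addresses, the exit labels and the fetch_via_exit hook are all constructed for the demonstration and are not SIGAINT's real content or address.

```python
import re
from typing import Callable, Iterable

# Tor onion hostnames: 16 base32 characters (v2, the format in use in 2015)
# or 56 (v3). The leading \b stops a 16-char tail of a longer word matching.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")


def onion_addresses(body: str) -> set[str]:
    """Every .onion hostname referenced in a response body (HTML or plain text)."""
    return set(ONION_RE.findall(body.lower()))


def compare_bodies(reference: str, observed: str) -> dict:
    """Compare the .onion links in a body seen through one exit against a trusted
    reference copy (fetched directly from the server or via a known-good exit)."""
    expected, seen = onion_addresses(reference), onion_addresses(observed)
    return {
        "missing": sorted(expected - seen),    # genuine links the exit removed or replaced
        "injected": sorted(seen - expected),   # substitute links the exit inserted
        "tampered": expected != seen,
    }


def scan_exits(reference: str, exits: Iterable[str],
               fetch_via_exit: Callable[[str], str]) -> dict:
    """Run compare_bodies for each exit and return only the exits that tampered.

    fetch_via_exit(exit_id) is a hypothetical hook: it must return the page body as
    seen through that exit (in practice a Tor controller building a circuit that
    ends at the chosen exit). Here it is backed by a constructed dict.
    """
    results = {}
    for exit_id in exits:
        verdict = compare_bodies(reference, fetch_via_exit(exit_id))
        if verdict["tampered"]:
            results[exit_id] = verdict
    return results


# --- constructed sample data: placeholder addresses, not SIGAINT's real ones ---
REFERENCE = (
    "<html><body><p>Reach the mail service via Tor:</p>"
    '<a href="http://exampleonionsite.onion/">exampleonionsite.onion</a>'
    "</body></html>"
)
# What a rewriting exit hands back: the same page, but the link now points at
# the attacker's look-alike hidden service.
REWRITTEN = REFERENCE.replace("exampleonionsite.onion", "evilexitnodefake.onion")

# Simulated per-exit responses (labels are placeholders, not relay fingerprints).
FAKE_EXIT_RESPONSES = {
    "exit-honest-1": REFERENCE,
    "exit-honest-2": REFERENCE,
    "exit-rewriting": REWRITTEN,
}


def demo_scan() -> dict:
    """Scan the three simulated exits; only the rewriting one should be reported."""
    return scan_exits(REFERENCE, FAKE_EXIT_RESPONSES, FAKE_EXIT_RESPONSES.__getitem__)


if __name__ == "__main__":
    for exit_id, verdict in demo_scan().items():
        print(exit_id, "replaced", verdict["missing"], "with", verdict["injected"])
```

Comparing the set of addresses rather than the raw bytes keeps the check robust to benign per-request differences (timestamps, session tokens); a stricter variant would also diff the hrefs, but an exit that leaves the visible text intact and changes only the href is still caught here because the address inside the href is extracted too.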

The Tor Project promptly blacklisted all 70 malicious exit nodes, removing the immediate threat to SIGAINT users. Examination of the relays showed the attacker had spread them across multiple hosting providers: 21 nodes were traced to the cloud provider vultr.com and at least eight other providers were involved. Technical artifacts, including a Debian version string commonly associated with Raspberry Pi devices, hinted at the attacker's infrastructure choices. SIGAINT's administrator speculated about state-sponsored involvement, but no conclusive attribution emerged. The incident prompted discussion within the Tor community about countermeasures; the Electronic Frontier Foundation's Seth David Schoen and Tor Project leader Roger Dingledine advocated SSL/TLS for SIGAINT's clearnet site and for web services generally, since an exit relay can only rewrite traffic that leaves the network unencrypted. Despite the intercepted traffic, SIGAINT remained operational, with no evidence of systemic compromise beyond limited credential exposure. The attack underscored the persistent risk that malicious exit relays pose to users of decentralized anonymity networks who reach services outside the network over plaintext.
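Two things in the description are what a relay-monitoring analysis looks for: the gap between 6% of exits by count and roughly 2.7% of exit probability (the rogue relays were numerous but low-bandwidth), and the deployment pattern (one platform string, several providers, all appearing within about a month). The Python below is an added example, not code from this page, from the Tor Project or from SIGAINT. It flags exits that share a platform string and first appeared within a short window of each other, then reports the flagged set's share of exits by count and by bandwidth weight. The relay list is constructed (fingerprints, provider names, platform strings and dates are placeholders), and the exit-probability figure is a simplification that uses plain bandwidth share and ignores the per-position bandwidth weights in Tor's consensus.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Relay:
    """One relay as an analyst would annotate it from consensus/descriptor data."""
    fingerprint: str
    is_exit: bool
    bandwidth: int        # consensus bandwidth weight; higher is chosen more often
    provider: str         # hosting provider / AS (analyst annotation)
    platform: str         # descriptor platform string, e.g. "Tor 0.2.5.12 on Linux"
    first_seen: datetime  # when the relay first entered the consensus


def exit_share(relays, suspect_fps):
    """(count_share, weight_share) of the suspect exits among all exits.

    Simplification (assumption of this example): exit-selection probability is
    approximated by bandwidth share, which is enough to show why a large number
    of low-bandwidth relays carries far less traffic than their count suggests.
    """
    exits = [r for r in relays if r.is_exit]
    suspects = [r for r in exits if r.fingerprint in suspect_fps]
    count_share = len(suspects) / len(exits)
    weight_share = sum(r.bandwidth for r in suspects) / sum(r.bandwidth for r in exits)
    return count_share, weight_share


def find_sybil_clusters(relays, window=timedelta(days=30), min_size=5):
    """Flag groups of exits with an identical platform string that all first
    appeared within `window` of one another. Returns {platform: [Relay, ...]}."""
    by_platform = {}
    for r in relays:
        if r.is_exit:
            by_platform.setdefault(r.platform, []).append(r)
    clusters = {}
    for platform, group in by_platform.items():
        group.sort(key=lambda r: r.first_seen)
        flagged = set()
        j = 0
        for i in range(len(group)):
            # extend j to the last relay still inside the window opened by group[i]
            while j + 1 < len(group) and group[j + 1].first_seen - group[i].first_seen <= window:
                j += 1
            if j - i + 1 >= min_size:
                flagged.update(range(i, j + 1))
        if flagged:
            clusters[platform] = [group[k] for k in sorted(flagged)]
    return clusters


# --- constructed relay population (placeholders, not real relay data) ---
BASE = datetime(2015, 4, 23)  # disclosure date, used only as a reference point
PLATFORMS = ["Tor 0.2.6.7 on Linux", "Tor 0.2.5.12 on Linux", "Tor 0.2.6.7 on FreeBSD"]
PROVIDERS = ["provider-a", "provider-b", "provider-c", "provider-d"]

RELAYS = []
# 94 long-lived honest exits, spread over three years across providers and platforms
for i in range(94):
    RELAYS.append(Relay(f"HONEST{i:02d}", True, 1000, PROVIDERS[i % 4], PLATFORMS[i % 3],
                        BASE - timedelta(days=60 + 12 * i)))
# 5 guard-only relays, which must not count toward the exit share
for i in range(5):
    RELAYS.append(Relay(f"GUARD{i:02d}", False, 5000, PROVIDERS[i % 4], PLATFORMS[i % 3],
                        BASE - timedelta(days=200 + 30 * i)))
# 6 low-bandwidth exits: one platform string, three providers, all within 25 days
for i in range(6):
    RELAYS.append(Relay(f"SUSPECT{i:02d}", True, 450, PROVIDERS[i % 3], PLATFORMS[1],
                        BASE - timedelta(days=5 * i)))


def analyse(relays=RELAYS):
    """Cluster, then measure the flagged set; returns (flagged_fps, count, weight, providers)."""
    clusters = find_sybil_clusters(relays)
    flagged = {r.fingerprint for group in clusters.values() for r in group}
    count_share, weight_share = exit_share(relays, flagged)
    providers = Counter(r.provider for group in clusters.values() for r in group)
    return flagged, count_share, weight_share, providers


if __name__ == "__main__":
    flagged, count_share, weight_share, providers = analyse()
    print(f"{len(flagged)} flagged exits = {count_share:.1%} of exits by count, "
          f"{weight_share:.1%} by bandwidth weight; providers: {dict(providers)}")
```

Note that platform string alone is not the signal: honest relays in the sample share the suspects' platform string but are not flagged, because they entered the consensus months apart. The time window is what turns "same software" into "same operator, same batch", and the provider breakdown shows why spreading a batch over several hosts does not defeat the check.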
