Threat Watch

KAX17 Threat Actor Runs Tor Relays Betraying Anonymity Since 2017

Since at least 2017, a threat actor tracked as KAX17 has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. This alarming discovery has confirmed researchers' fears, best described in this Medium article from 2019 – “The Growing Problem of Malicious Relays on the Tor Network.” The new research suggests that a user has a 16% chance of connecting to one of KAX17’s entry servers, a 35% chance of passing through one of its middle relays, and a 5% chance of passing through one of its exit nodes. An independent researcher, Dr. Neal Krawetz, stated: “High probability of relays and guards can definitely be used to identify hidden services. It can also be used to decloak users — especially if you have some other means to tracking middle relay past the guard, such as monitoring common public services.” Luckily, Tor provides a service that enables users and researchers to report malicious servers such as these. However, there is a lag between reporting and takedown, which puts users at risk.


Privacy and safety have been a concern for users since the internet’s inception. The Tor Project provides a safe alternative for whistleblowers, journalists, and law enforcement users. Non-compliant Tor relays jeopardize this anonymity.
Tor is not recommended as a medium for sensitive communication. Threat actors may use it for leak or shame sites and communication with compromised targets. Commercial solutions, such as an enterprise Virtual Private Network (VPN), encrypted peer-to-peer communication, and physical transport all provide layers of protection. As an additional defense strategy, organizations can utilize a service like the Binary Defense Counterintelligence service to actively monitor for sensitive data leaks.