[tor-relays] Re: Sybil Attack on 2025-11-20 - please setup your AROIs :)
> They used nickname schemes from other operators

It looks like they're even doing that for small operators. For example,
I only run 5 relays, named forest1 through forest5. They cloned one of
my relays, forest3, a total of 6 times. Each forest3 relay has a stolen
ContactInfo from some other random operator. Needless to say, I only
run one of https://metrics.torproject.org/rs.html#search/forest3.

Whoever is doing this may have been testing it out as early as a few
weeks ago. I noticed back then that there was another forest3 (the same
relay that is being impersonated now) which was down when I noticed it.
I assumed it was just a coincidence at the time. It no longer shows in
the Metrics page as it has been down for too long.

Will these (and the other new relays) be taken down soon?

As an aside, it's strange that these are all non-exits. That would
indicate a somewhat more sophisticated attack than a typical MITM from
rogue exits, but a sophisticated threat actor should realize that
adding 900+ relays at once with stolen Nickname and ContactInfo fields
would raise red flags. Could it be some naïve researcher with a budget
and a lax IRB? I don't understand this.

Regards,
forest