Onion.top Proxy Server Stole $22k in BTC

The onion.top proxy server lets users visit Tor network websites from an ordinary browser
31 January 2018

Experts at Proofpoint found that the onion.top proxy service, which allows access to the Tor network from a regular browser, was swapping the Bitcoin wallet addresses shown on pages it relayed. This behavior was observed on the payment sites of the LockeR, Sigma and GlobeImposter ransomware families.

Operators of this proxy are surreptitiously diverting Bitcoin payments from ransomware victims to their own wallets by modifying in transit the source of web pages used for payment, replacing the ransomware author-controlled Bitcoin addresses with their own. As a result, the proxy operators are not only preventing ransomware victims from decrypting their files by paying a ransom but are also in effect stealing from the threat actors distributing ransomware. This appears to be the first scheme of this type affecting both ransomware victims and operators.

Proofpoint Team

Tor Browser (left) and Tor proxy (right)

The company's researchers also found that the service carries several distinct "replacement rules" for Bitcoin wallet addresses, indicating that the operators manually configured a substitute address for each individual ransomware site.
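As an added illustration (not code from Proofpoint's report), here is a Python check a defender could run to spot this kind of in-transit substitution: it extracts legacy Bitcoin addresses from two copies of the same payment page, one fetched directly over Tor and one through a web-to-Tor proxy, validates their Base58Check checksums, and reports which addresses were removed and which were injected. The sample pages and the addresses in them are constructed for the demo and have no connection to the sites named above.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ("1...") and P2SH ("3...") addresses are 26-35 Base58 characters;
# bech32 ("bc1...") addresses are not covered by this check.
ADDR_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are a correct SHA256d checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (e.g. the 0x00 P2PKH version byte).
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(html: str) -> dict:
    """Map every syntactically plausible address in the page to its checksum validity."""
    return {m.group(0): b58check_valid(m.group(0)) for m in ADDR_RE.finditer(html)}


def diff_payment_pages(direct_html: str, proxied_html: str) -> dict:
    """Compare a page fetched directly over Tor with the same page fetched via a proxy.

    A non-empty 'injected' list with a checksum-valid address is the signature of a
    proxy rewriting the payment destination in transit.
    """
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    injected = set(proxied) - set(direct)
    return {
        "removed": sorted(set(direct) - set(proxied)),
        "injected": sorted(injected),
        "injected_valid": sorted(a for a in injected if proxied[a]),
    }


# Constructed sample pages: the direct copy carries the well-known genesis-block
# address; the proxied copy has it swapped for another public example address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
DIRECT_PAGE = f"<p>Send 0.5 BTC to <b>{GENESIS}</b> to receive your key.</p>"
PROXIED_PAGE = DIRECT_PAGE.replace(GENESIS, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2")
```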

In total, two Bitcoin wallet addresses belonging to the onion.top operators were identified. Together they held no more than 2 BTC (about $22,000).

Bitcoin wallet

Ransomware operators took note of what was happening and removed links to all proxy services from their programs, recommending that victims pay only through the Tor Browser.

LockeR

The owners of the LockeR ransomware went further and explicitly warned victims not to use the onion.top service.

SEC Suspends Trading in 3 Companies

On Friday the U.S. Securities and Exchange Commission temporarily suspended trading in three companies that had announced purchases of cryptocurrency and blockchain-related assets
17 February 2018

According to the announcement, trading in Cherubim Investments, Inc., PDX Partners, Inc., and Victura Construction Group, Inc. will be suspended from 9:30 a.m. EST Friday until March 2. The notice was dated Feb. 15.

The SEC's trading suspension orders note that recent press releases issued by CHIT, PDXP, and VICT claimed, among other things, that the companies had acquired AAA-rated assets from a subsidiary of a private equity investor in cryptocurrency and blockchain technology.

The release also gives additional reasons for the suspensions. The agency's orders say there are questions about the nature of the companies' business operations. In the case of CHIT, the Commission also suspended trading in its securities because of the company's delinquency in filing annual and quarterly reports.

In August 2017, the SEC issued a warning to investors about companies that may publicly announce ICO or coin-related events to affect the price of their common stock.

Fraudsters often try to use the lure of new and emerging technologies to convince potential victims to invest their money in scams. 

U.S. Securities and Exchange Commission