Researchers at Proofpoint found that the onion.top proxy service, which allows access to Tor hidden services from a regular browser, was replacing the Bitcoin wallet addresses shown on ransomware payment pages. The behavior was observed on the payment sites of the LockeR, Sigma and GlobeImposter ransomware families.
Operators of this proxy are surreptitiously diverting Bitcoin payments from ransomware victims to their own wallets by modifying in transit the source of web pages used for payment, replacing the ransomware author-controlled Bitcoin addresses with their own. As a result, the proxy operators are not only preventing ransomware victims from decrypting their files by paying a ransom but are also in effect stealing from the threat actors distributing ransomware. This appears to be the first scheme of this type affecting both ransomware victims and operators.
Figure: Tor Browser (left) and Tor proxy (right)
The researchers also found that the service applied different replacement rules for the Bitcoin wallet addresses, indicating that the operators configured the substitutions manually for each individual site.
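As an added illustration (not code from Proofpoint's report), this is the check a defender can run to spot the in-transit substitution and per-site replacement rules described above: fetch the same payment page directly over Tor and through the proxy, extract every checksum-valid Bitcoin address from each copy, and compare them position by position. The sample pages are constructed for the demo, and the two addresses in them are well-known public example addresses from Bitcoin documentation, not the wallets mentioned in the article.

```python
import hashlib
import re
from itertools import zip_longest

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') address shape; the checksum test rejects look-alikes.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to version(1) + hash160(20) + a correct 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # fixed width restores the leading zero byte of '1...' addresses
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(html: str) -> list:
    """All checksum-valid Bitcoin addresses in the page, in document order."""
    return [a for a in ADDR_RE.findall(html) if b58check_valid(a)]


def detect_substitution(direct_html: str, proxied_html: str) -> list:
    """Pair addresses from the direct-over-Tor copy with the proxied copy; return (expected, seen) pairs that differ.

    A proxy that removes or injects an address shows up as a pair with None on one side."""
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    return [(d, p) for d, p in zip_longest(direct, proxied) if d != p]


# Constructed sample: the same ransom payment page as served directly over Tor and as rewritten by a
# substituting proxy. Both addresses are public example addresses from Bitcoin documentation (the genesis
# coinbase address and the Bitcoin wiki P2PKH example), not wallets from the article.
ORIGINAL_PAGE = "<p>Send 0.5 BTC to <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b> to decrypt your files.</p>"
PROXIED_PAGE = "<p>Send 0.5 BTC to <b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b> to decrypt your files.</p>"

if __name__ == "__main__":
    for expected, seen in detect_substitution(ORIGINAL_PAGE, PROXIED_PAGE):
        print(f"substituted: proxied page shows {seen}, direct copy shows {expected}")
```

Because the direct copy must itself be fetched over Tor, this check only catches a proxy that rewrites the page, not a payment site that serves different addresses to different visitors.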
In total, two Bitcoin wallet addresses belonging to the onion.top operators were identified. Together they hold no more than 2 BTC (about $22,000).
The ransomware operators noticed what was happening and removed links to all proxy services from their ransomware, recommending that victims pay only through the Tor Browser.
The authors of the LockeR ransomware explicitly warned victims not to use the onion.top service.