A TOR server operator called @Nusenu reports on Medium.com that a threat actor has added servers to the TOR network to conduct SSL stripping attacks on users entering cryptocurrency sites using the TOR Browser, and was so successful that a malicious actor was running more than 23% of the entire Tor network’s exit capacity, and an estimated quarter of all connections leaving the network were going through exit relays controlled by a single attacker conducting person-in-the-middle attacks. The blog post notes: “It appears that they are primarily after cryptocurrency related websites — namely multiple bitcoin mixer services. They replaced bitcoin addresses in HTTP traffic to redirect transactions to their wallets instead of the user provided bitcoin address. Bitcoin address rewriting attacks are not new, but the scale of their operations is. It is not possible to determine if they engage in other types of attacks.