This Is the Largest Attack on Deep Web Sites in A Decade

You must have heard the attack by deep web sites, but have you heard about the attack on deep web?

The largest attack on deep web sites in a decade, according to a new analysis of the dark web architecture. An unidentified threat actor was able to control more than 27% of the whole Tor network’s exit capacity in the first few days of February 2021.

According To the Reports, The Largest Attack on Deep Web Sites

According to a report issued on Sunday by an independent security researcher going by the handle Nusenu. The group targeting Tor users has been aggressively exploiting Tor users for more than a year. Has increased the volume of their attacks to a new record level. Throughout the past 12 months, the average exit fraction this entity controlled was above 14%.

Moreover, It’s the most recent in a string of initiatives made. To expose the actor’s harmful Tor behavior since December 2019. The attacks were initially noted and revealed by the same researcher. In August 2020, they were reported to have started in January 2020.

In addition, open-source software called Tor makes it possible to communicate anonymously over the Internet. And in order to hide a user’s IP address, location, and usage from monitoring or traffic analysis. It obfuscates the source and destination of a web request by routing network data across a number of relays.

However, an exit relay is the last node that Tor communication passes through before it reaches its destination. At the same time, intermediary relays are primarily responsible for receiving traffic on the network and moving it along.

Tor Network’s Exit Nodes had Previously been Compromised

The Tor network’s exit nodes had previously been compromised in order to inject malware like OnionDuke. But this is the first instance in which a single unknown actor has been able to maintain control. Over such a significant portion of the Tor exit nodes.

However, the activity peaked early this year, with the attacker attempting. To add over 1,000 exit relays in the first week of May attack on deep web sites. The hacking entity maintained 380 malicious Tor exit relays at its peak in August 2020. Before the Tor directory, authorities intervened to remove the nodes from the network. Since then, all of the malicious Tor exit relays have been discovered. During the second round of attack, the deep web was taken down.

Nusenu claims the Attack on Deep Web Sites’ Main Objectives.

Nusenu claims that the attack’s main objective is to conduct person-in-the-middle assaults against Tor users. By interfering with communications as it pass through its network of exit relays. In particular, the attacker appears to utilize a technique.

That is known as SSL stripping to convert traffic to Bitcoin mixer services from HTTPS to HTTP. In an effort to alter user-supplied Bitcoin addresses and reroute transactions to their wallets. In addition, the maintainers of the Tor Project announced last August. Suppose a user accessed the HTTP version of one of these sites, i.e., the unencrypted, unauthenticated version of the site.

Moreover, they would prohibit the site from forwarding the user to the HTTPS version. Like the encrypted, authenticated version of the site. The attacker might capture sensitive information if the user sent or received it. Without realizing they were on the HTTPS version of the website. There was no lock indicator in the browser.

However, to mitigate such attacks, the Tor Project outlined a number of recommendations. It includes urging website administrators to enable HTTPS by default and deploy .onion sites to avoid exit nodes. And to disable plain HTTP in Tor Browser, adding it’s working on a comprehensive fix.

According To the U.S. Cybersecurity, the Attack on Deep Web Sites

The U.S. Cybersecurity Security and Infrastructure Security Agency CISA stated in a statement in July 2020. That each organization has a different risk of becoming the target of criminal activity that is routed through Tor.

Moreover, by evaluating the chance that a threat actor will target an organization’s systems or data and the probability of the threat actor’s success. Given current mitigations and controls, an organization should be able to evaluate its risk.

Furthermore, according to the agency, organizations should assess the risks posed to their organization by advanced persistent threats, APTs, and moderately sophisticated attackers. And unskilled individual hackers, all of whom have previously used Tor to conduct surveillance and attacks.

Statistics for Cyber Attacks on Deep Web Sites

 Some captivating statistics for cyber-attack:

  • During a cyberattack on Yahoo in 2013, 3 billion user accounts were compromised.
  • In 2014, 145 million eBay users were hacked as a result of a significant cyberattack.
  • Every 39 seconds, a computer with an internet connection is compromised.
  • One in three Americans will experience a significant cyberattack on their PC each year.
  • When consumers’ credit and debit cards were compromised, Target gave them a 10% storewide discount and free credit monitoring.
  • LinkedIn suffered a data breach in 2012 that exposed 117+ million account details, including emails and passwords.
  • Hackers leaked numerous thousands of personal records in an FBI intrusion during one of the most recent cyberattacks of 2019.
  • A public database comprising 427+ million passwords and 360+ million emails was the outcome of the MySpace data breach in 2013.

Ransomware Attack On Deep Web Sites

A form of malicious software known as ransomware prohibits you from accessing your computer data, systems, or networks and requests a ransom in exchange for their release. Attacks using ransomware can result in expensive business interruptions and the loss of vital data.

Furthermore, opening an email attachment, clicking on an advertisement, selecting a link. Or even going to a website that contains malware can unintentionally download ransomware onto a computer.

However, once the malware has been loaded, it will prevent access to the computer’s files and data as well as to the computer itself. More dangerous versions can encrypt data stored on networked computers as well as local devices and attached drives.

In addition, you frequently need to be made aware that your computer has been corrupted. Typically, you learn about it when you can’t access your data anymore or when you see computer messages informing you of the attack and requesting ransom money.

How Ransomware Attacks Work Deep Web Sites?

How do the attackers gain access to your network in the first place? This is a guide for you to prevent yourself from ransomware attacks.

The Access:

Attackers breach your network. They take over and install dangerous encryption software.  Moreover, they might grab copies of your data and make threats to reveal it.

The Activation:

When malware is launched, devices become locked, and network data becomes encrypted, making it impossible for you to access it.

The Demands Of Ransom:

Usually, the cybercriminal will send you an on-screen notification outlining the ransom and how to pay it in order to unlock your computer or get back access to your data. Moreover, payment is typically requested over an anonymous website and is typically made in a cryptocurrency like Bitcoin.

Example For Ransomware Attack Deep Web Sites

1.     Wanna Cry

WannaCry is an entry-level ransomware that uses a flaw in the Windows SMB protocol to infect other computers and features a self-propagation mechanism. The encryption/decryption software files contain encryption keys.

Moreover, The Tor communication software is all extracted by the WannaCry packager, which is a self-contained program. It is not obscured and is rather simple to find and get rid of. In 2017, WannaCry spread quickly across 150 countries, inflicting damage on 230,000 systems that were estimated to be worth $4 billion.

2.     Cerber

Cybercriminals can utilize Cerber, which is ransomware-as-a-service (RaaS), to launch assaults and disseminate their booty alongside the malware creator. In order to prevent users from reinstalling the operating system. Cerber runs invisibly while encrypting files and may attempt to stop antivirus and Windows security features from functioning.

However, when it successfully encrypts files on the computer, a ransom notice appears on the desktop background.

3.     Locky

One hundred sixty file types, principally those used by designers, engineers, and testers, can be encrypted using Locky. It initially came out in 2016. Attackers send emails encouraging recipients to download infected Microsoft Office Word or Excel files or ZIP files that automatically install malware when opened. It is typically disseminated using exploit kits or phishing.

4.     Cryptolocker

The 2017 version of Cryptolocker compromised approximately 500,000 machines. Usually, it spreads to computers via email, file-sharing websites, and unsecured downloads. Encrypt items it has permission to write to and encrypt files it can scan mapped network devices, in addition to those on the local workstation. Modern Crypolocker variations can avoid firewalls and anti-virus programs from the past.

5.     Petya & NonPetya

Petya is a ransomware program that hijacks a computer and uses the Master File Table (MFT) to encrypt the whole hard drive. Despite the fact that the files themselves are not encrypted, this renders the entire disk unavailable. Petya was first discovered in 2016 and mostly propagated via a fraudulent job application message that included a link to an infected Dropbox file. Windows-only PCs were impacted.

Moreover, Petya needs the user’s consent before it may make admin-level changes. After the user confirms, the machine restarts, displays a phony system crash screen and begins secretly encrypting the drive. After that, the ransom demand appears.

Furthermore, the Petya virus’ initial iteration wasn’t very effective, but a later variation developed by Kaspersky Labs and called NotPetya turned out to be more harmful. NotPetya has a propagation mechanism and can propagate on its own without help from humans.

However, In the beginning, NotPetya spread using a backdoor in commonly used accounting software in the Ukraine. Later, it made use of the Windows SMB protocol flaws EternalBlue and EternalRomance. NotPetya encrypts other hard drive files in addition to the MFT. The data is harmed so that it cannot be recovered while being encrypted. The data of users who pay the ransom is not truly returned.

6.     Ryuk

Ryuk uses drive-by downloads or phishing emails to infiltrate computers. It employs a dropper, which installs a trojan and creates a permanent network connection on the victim’s computer. When creating an Advanced Persistent Threat (APT), attackers can start with Ryuk and add tools like keyloggers, perform privilege escalation, and undertake lateral movement. On every additional system, the attacker accesses, Ryuk is installed.

The locker ransomware is activated, and the files are encrypted once the attackers have installed the malware on as many computers as they can. The ransomware component of a Ryuk-based attack campaign only comes after the attackers have already caused harm and stolen the necessary files.

7.     Grand Crab

2018 saw the release of GrandCrab. It was used to launch ransomware-based extortion operations where attackers threatened to divulge victims’ pornographic viewing habits. It encrypts files on a user’s computer and demands payment. There are various versions, all of which are designed for Windows computers. For the majority of GrandCrab versions, free decryptors are now accessible.

What Is a DDoS Attack on Deep Web Sites?

The legitimate use of an online service taken too far is a DDoS attack. Moreover, for example, per minute, the website can handle a certain number of requests. With the increase in the number, the performance of the website decreases, or it may become completely inaccessible. Any attack can cause overload like this, and in any case of attack, for example, any site going down on any big sale.

Moreover, a target at various levels is capable of overwhelming DDoS attacks. Such as, if there are many requests on the application that it may handle, Then the server that may connect to it simultaneously may have a limit on the amount that is running.

Types Of DDoS Attack of Deep Websites

Those that flood services and those that crash services are the two forms of DoS attack.

Distributed DoS

When multiple systems flood the bandwidth, a distributed DoS occurs or the resources of a target system. It contains more than one IP address or machine, and from the malware, thousands of hosts are infected by them.

Moreover, multiple machines instead of one generates more traffic. Simply by using ingress filtering, it may be impossible to attack traffic. The current volume of the attack might not help; merely not purchasing more incoming bandwidth is one example. Furthermore, the scale of DDoS exceeded by 2016 and continued to rise over recent years by a terabit per second.

Some examples of DDoS attacks are mentioned below:

  1. UDP flooding
  2. SYN flooding
  3. DNS amplification

Yo-yo Attack

Yo-yo attack is basically a type of DoS or DDoS attack that uses autoscaling aimed at cloud-hosted applications. The attacker generates a flood of traffic until the cloud-hosted scales increase traffic outwards to handle it.

However, leaving the victim with over-provisioned resources also halts the attack. Because of causing the resources to scale back up again, the attack resumes. When compared to a typical DDoS attack, this can operate at a lower cost for an attacker because it only needs to generate traffic for a portion of the attack period.

However, during periods of scaling up and down. It can result in a reduced quality of service and a financial drain on resources.

Application Layer DDoS Attack

The most basic DoS attack basically uses brute force to overwhelm the victim with an excessive number of packets, overtax its connection bandwidth, or exhaust its system resources. Floods that use all available bandwidth depend on the attacker’s capacity to produce a massive flow of packets. Using a botnet and distributed denial-of-service is a popular goal today.

Moreover, The OSI model’s definition of its application layer is more constrained than is typically the case in practice. The user interface is considered to be the application layer according to the OSI model.


Some companies offer services known as “booters” or “stressors,” which feature straightforward web-based front ends and accept payment online. They are marketed and advertised as stress-testing tools. But they also give technically inexperienced attackers access to sophisticated attack tools and can be used to carry out unlawful denial-of-service assaults.

Moreover, the bandwidth generated by a consumer stressor, which is typically driven by a botnet, can vary from 5 to 50 Gbit/s and can, in most situations, prevent the average home user from accessing the internet.


Nuke is basically an old-fashioned denial of service attack consisting of fragmented or invalid ICMP packets sent to the target against a computer network. Moreover, repeatedly sending this corrupt data is achieved by using a modified ping utility. Thus, slow down the computer until it fully stops.

In addition, WinNuke is the Nuke attack that gained some prominence. In the NetBIOS handler in Windows 95, it exploited the vulnerability. However, to TCP port 139 of the victim`s machine, a string of out-of-mind data was sent. Thus causing it to display a Blue Screen of Death and lock up.

Peer-to-peer Attacks

To initiate DDoS attacks, the attackers found a way to exploit a number of bugs in peer-to-peer servers. These aggressive peer-to-peer DDoS attacks exploit DC++. The attacker does not have to communicate with the client. It subverts, and with a peer-to-peer network, there is no botnet.  

However, instead, the attacker acts as a puppet master, instructing clients of large peer-to-peer file-sharing hubs to disconnect from their peer-to-peer network and connect to the victim’s website.

Reflected Attack

Sending fraudulent requests of any kind to a very large number of systems that will respond to the requests may be part of a distributed denial-of-service attack. Furthermore, by setting the source address to the victim’s IP address using Internet Protocol address spoofing.

However, all responses will be sent to and flood the intended recipient. Distributed reflecting denial of service DDoS attack is another name for this type of mirrored assault. In addition, one type of mirrored assault is an ICMP echo request attack, also known as a “Smurf attack.”

Moreover, hosts transmit Echo Requests to broadcast addresses on incorrectly configured networks in an effort to persuade other hosts to send Echo Reply packets to the target. Certain early DDoS systems implemented a distributed version of this assault.

Tools For Attack on Deep Web Sites

Below are mentioned the techniques and tools used in the largest attack on deep websites:

Tools Used in The Largest Attack Deep Web Sites

In instances like MyDoom and Slowloris, the tools are embedded in malware and carry out their attacks secretly, without the system owner’s knowledge. A well-known example of a DDoS tool is Stacheldraht. It employs a layered structure, and the attacker connects to the handler’s compromised systems. It provides commands to zombie agents, facilitating the DDoS attack using a client program.

However, the attacker uses automated routines to exploit security holes in applications. That accepts. Remote connections run on the targeted remote systems, compromising agents through the handlers. Up to a thousand agents can be under each handler’s supervision.

In addition, in some situations, such as Operation Payback, run by the hacktivist group Anonymous, a machine may participate in a DDoS attack with the owner’s permission. This is how the Low Orbit Ion Cannon has generally been utilized.

Moreover, today, a large range of DDoS tools, including paid and free versions, with various functionalities. These are accessible alongside the High Orbit Ion Cannon. In IRC channels and forums devoted to hackers, there is a black market for these.

Furthermore, DoS attack deep web criminals frequently target websites or services hosted on prestigious web servers, such as banks or credit card payment systems. These attacks may be inspired by retaliation, extortion, or hacktivism. A DoS or DDoS assault is comparable to a crowd of people blocking a store’s entrance, making it difficult for real customers to enter, interrupting commerce, and costing the owner money.

Leave a Comment