Apr 27, 2015

An email provider that uses the Tor network to promise its users some degree of anonymity revealed Thursday that someone attempted to spy on its users by operating at least 70 of the exit nodes that connect Tor users to the "clearnet."

SIGAINT, the provider in question, suggests an intelligence agency was trying to spy on its users. It claims that the scope of the operation, combined with the lack of law enforcement requests in the month preceding the attack, implicates a government actor. But others have disagreed with SIGAINT's assessment.

As Motherboard reported when the hacking attempt was first revealed:

Philipp Winter, a researcher at Karlstad University in Sweden and the member of the Tor Project that handles malicious exit nodes, said that 70 is an unusually high number, but also “not a tragedy,” and that there are no signs that they were set up by a spy agency.

'The simplest explanation is usually the best one, and a state actor does not seem like a simple solution to me,' he told Motherboard. 'Practically all attacks by exit relays that we discover seem to be done by random jerks, and I haven't seen any evidence that points in a different direction here.'

It's not clear which is scarier: the idea that an intelligence agency tried to spy on a Tor-powered email service, or the idea that such a large number of exit nodes went rogue and the Tor Project says it was probably done by "random jerks."

Whoever tried to surveil these SIGAINT users could have viewed everything those users did if they connected to one of the rogue exit nodes. Luckily for SIGAINT, the odds of that happening are estimated to be about 2.7 percent, which means the vast majority of its users probably weren't affected by the attempted hack.

A more sophisticated attack would require hackers to seize control over at least five of the Tor network's nine directory authorities, which would allow them to direct the network's traffic to the exit nodes of their choosing, thereby allowing them to surveil the service's users. (More on that in a report from December.)

There's no evidence that these directory authorities have been compromised. But it's become apparent that establishing rogue exit nodes, or hacking existing ones, is easier than most of the Tor network's users should be comfortable with. Despite the tool's obvious benefits, trusting Tor keeps getting more difficult.

[illustration by Brad Jonas]