A quarter of Tor exit nodes are under the control of attackers



On August 9, a Tor relay operator and researcher known as Nusenu published a post stating that more than 23% of the Tor network's exit capacity (exit relays weighted by the traffic they carry) was under the control of criminals who intercept user traffic and replace Bitcoin addresses on the fly in an attempt to steal other people's funds. The original article is here.



The true scale of this group's operation is unknown, but its goal is clearly profit. The attackers mount man-in-the-middle attacks on Tor users by manipulating traffic as it passes through exit nodes under their control. The exit relay is the point where Tor traffic re-enters the open Internet, so for a plain-HTTP connection it sees, and can modify, the complete request and response; for an HTTPS connection it sees only ciphertext. What makes the case notable is that the attackers rely on the sslstrip technique, which for some reason is considered long dead and no longer relevant. sslstrip works whenever the first request leaves the browser in plaintext (the user typed a bare domain, followed an http:// link, or was redirected): the attacker rewrites every https:// link and Location header in the response to http://, so the session never upgrades to TLS and stays readable. While the so-called experts talk about HTTP Strict Transport Security (HSTS) and other preloaded lists of domains, network villains are exploiting this old technique in earnest. At one time, Edward Snowden used the same techniques in his work.



Specifically, the group replaces Bitcoin addresses inside the HTTP traffic of mixer services. Such services help "obscure the trail" by turning a simple transfer of funds from one account to another into a complex scheme: instead of one transaction, the service breaks the required payment into hundreds or thousands of small transfers that are sent to different accounts and pass through many wallets before reaching the true destination. By swapping the deposit address at the level of HTTP traffic, the attackers effectively intercept the victims' funds without either side noticing: the user sees a deposit address that looks legitimate and pays it, and the mixer never receives the payment at all.
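As an added illustration, not code from the original post or from Nusenu's research, the following Python sketch models the attack on a constructed HTTP response: the sslstrip rewrite of https:// links, the substitution of Bitcoin addresses in the plaintext body, and the HSTS check in the browser that prevents the downgrade before a single byte is sent. The host mixer.example, the response body, the addresses and the attacker's placeholder address are all assumptions made up for the example; it simulates the exit node in-process and opens no network connections.

```python
import re

# Constructed sample, not captured traffic: the plaintext HTTP reply of a
# hypothetical mixer site as the exit node would see it once the victim is
# talking http:// instead of https://.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    '<a href="https://mixer.example/deposit">Deposit</a>\n'
    "<p>Send 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>\n"
    "<p>Or to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq</p>\n"
    "</body></html>\n"
)

# Hypothetical attacker-controlled address (a placeholder, not a real wallet).
ATTACKER_ADDRESS = "1AttackerAddrXXXXXXXXXXXXXXXXXXXXX"

# Legacy / P2SH base58 addresses (1... and 3...) and bech32 addresses (bc1...).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)


def sslstrip_rewrite(body: str) -> str:
    """sslstrip step: turn every https:// link into http:// so the client's
    next request also leaves in plaintext and stays readable at the exit."""
    return body.replace("https://", "http://")


def swap_btc_addresses(body: str, attacker_addr: str) -> str:
    """Payload step: replace every Bitcoin address in the plaintext body."""
    return BTC_ADDR_RE.sub(attacker_addr, body)


def malicious_exit(scheme: str, response: str) -> str:
    """What a hostile exit node can do with a response. Under TLS the body is
    opaque to it (it holds no valid certificate for the site), so only
    plaintext HTTP can be rewritten."""
    if scheme == "https":
        return response
    return swap_btc_addresses(sslstrip_rewrite(response), ATTACKER_ADDRESS)


def browser_scheme(typed_url: str, hsts_hosts: set) -> str:
    """Scheme the browser actually uses. For a host on its HSTS list (preload
    list or a previously seen Strict-Transport-Security header) it upgrades
    to https before sending anything, which is what defeats sslstrip."""
    scheme, _, rest = typed_url.partition("://")
    if not rest:                        # user typed "mixer.example/deposit"
        scheme, rest = "http", scheme   # browsers default to http here
    host = rest.split("/", 1)[0]
    return "https" if host in hsts_hosts else scheme


def substituted_addresses(sent: str, received: str) -> list:
    """Integrity check (server side or test harness): which addresses in the
    body we sent no longer appear in what the client received."""
    return [a for a in BTC_ADDR_RE.findall(sent) if a not in received]


def simulate(typed_url: str, hsts_hosts: set) -> dict:
    """Run one page load through the simulated browser and hostile exit."""
    scheme = browser_scheme(typed_url, hsts_hosts)
    seen = malicious_exit(scheme, SAMPLE_RESPONSE)
    return {
        "scheme": scheme,
        "stripped": "https://" not in seen,
        "stolen": substituted_addresses(SAMPLE_RESPONSE, seen),
    }


if __name__ == "__main__":
    # Victim types the bare domain and the host is on no HSTS list:
    # the exit strips the https:// link and swaps both addresses.
    print(simulate("mixer.example/deposit", set()))
    # Same typed URL, but the host is HSTS-preloaded: nothing to rewrite.
    print(simulate("mixer.example/deposit", {"mixer.example"}))
```

The two runs at the bottom show the whole point of the HSTS argument: the same user action yields a stripped, rewritten page when the browser first speaks plaintext, and an untouched page when the host is on the HSTS list, because the exit never sees anything but TLS. The `substituted_addresses` check is the kind of comparison a mixer operator could run from an out-of-band client to notice that what users see differs from what the server sent.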



I suggest you watch two video clips. The first covers the history and essence of the sslstrip attack, which strips https:// links out of plaintext responses and intercepts the data that was meant for the TLS session.





The second describes the HSTS mechanism, which is designed to prevent the sslstrip technique from working. The video also demonstrates a way to bypass HSTS using the Intercepter-NG tool and explains how it works.





I also recommend the following interview, which addresses MITM attacks and possible ways to protect against them.





