First off before I go into what happened I would recommend you to read my article What Is the Dark Web to understand some of the terminologies I’m using in this article.
A couple of days ago a malicious attacker was detected on the tor network and was given the code name “KAX17”. KAX17 was creating malicious entry nodes to try to deanonymize users of the tor network and at one point there was a chance of about 35% that you connect through a KAX17 entry node.
Malicious tor nodes appear quite commonly on the tor network but what makes this one different from all of the others is that it targets entry nodes and not exit nodes.
Most attacks on the tor network target exit nodes for monetary gain by switching out the bitcoin addresses of clear web bitcoin mixers with their own essentially redirecting the deposited bitcoin to themselves. KAX17 on the other hand cannot get any monetary gain from their attacks because they are targeting entry nodes which leaves us with the conclusion that they are trying to deanonymize users.
The tor network has taken down all of KAX17’s known entry nodes which amounted to 900 but they realized that KAX17 is more sophisticated than the other previous attacks on the tor network. KAX17 doesn’t immediately make the tor nodes malicious some of the entry nodes KAX17 was operating were started in 2017 and just recently made malicious.
The large budget, sophistication, and no monetary benefit of this attack make it quite clear that there has to be a government agency behind it. Which is probably trying to take down dark web markets after The White House Market and Canazon both closed a couple of weeks ago after about two successful years.