Tor-to-Web Proxy Caught Replacing Bitcoin Addresses

https://news.novabbs.org/interests/article-flat.php?id=448&group=rocksolid.shared.news#448
Path: rocksolid2!.POSTED.local_inn!not-for-mail
From: AnonUser@retrobbs.rocksolidbbs.com (AnonUser)
Newsgroups: rocksolid.shared.news
Subject: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
Date: Sun, 19 Aug 2018 12:31:54 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <4b228147d2132bd7748fcc262a613648$1@rslight.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 19 Aug 2018 12:31:54 -0000 (UTC)
Injection-Info: novabbs.com; posting-host="local_inn:10.13.0.7";
logging-data="12704"; mail-complaints-to="usenet@novabbs.com"
 by: AnonUser - Sun, 19 Aug 2018 12:31 UTC

Never trust a proxy to i2p or tor. It's too easy to modify content and
you're not in any way anonymous. You're no more anonymous than on the
plain old internet.

The article talks about stealing from criminals, but the idea is the same.
Why trust a MITM with your data at all?

Tor-to-Web Proxy Caught Replacing Bitcoin Addresses on Ransomware Payment
Sites

https://www.bleepingcomputer.com/news/security/tor-to-web-proxy-caught-replacing-bitcoin-addresses-on-ransomware-payment-sites/

By Catalin Cimpanu

The operators of at least one Tor proxy service were recently caught
replacing Bitcoin addresses on ransomware ransom payment sites, diverting
funds meant to pay for ransomware decrypters to the site's operators.

A "Tor proxy service" is a website that allows users to access .onion
domains hosted on the Tor network without needing to install the Tor
Browser.

Users can append a domain extension like .top, .cab, .to at the end of any
Tor URL and access it inside their regular browsers such as Firefox,
Chrome, Vivaldi, Edge, and others.

For example, users can type in nytimes3xbfgragh.onion.to and access the
New York Times' Dark Web portal without installing the Tor Browser.

During the past two years, such services have become extremely popular,
and especially popular with ransomware authors.

Ransomware often includes ransom notes that list the payment portal's Tor
URL, but also alternative URLs for various Tor-to-web proxies, in case
non-technical users found it hard to install the Tor Browser.

Onion.top proxy service caught replacing wallet addresses

But researchers from US cyber-security firm Proofpoint say that they've
caught one of these Tor proxies stealing from both ransomware authors and
ransomware victims alike.

According to researchers, the operators of the Onion.top Tor-to-web proxy
service are secretly parsing Dark Web pages loaded via their portal for
strings that look like Bitcoin wallet addresses and replacing them with
one of their own.

Proofpoint says it noticed the Bitcoin address swap behavior on the ransom
payment portals for three ransomware families: LockeR, Sigma, and
GlobeImposter.

In fact, researchers say they've noticed the behavior because of a warning
message posted on the LockeR payment site by the LockeR authors.

"Do NOT use onion.top, they are replacing the bitcoin address with their
own and stealing bitcoins," the message reads. "To be sure you're paying
to the correct address, use Tor Browser."

LockeR ransom payment site warning against Onion.top URLs

An older image of the ransom payment portal from October 2017 does not
include this message, meaning even the LockeR crew only recently became
aware of the issue.

Onion.top stole $22K from ransomware authors & victims

During experiments carried out by Proofpoint, researchers spotted
different Bitcoin wallet address "replacement rules" based on the page the
user was accessing, suggesting Onion.top operators are configuring these
swaps manually, on a per-site basis.

Proofpoint identified two Bitcoin wallet addresses operated by the
Onion.top team, both holding no more than 2 Bitcoin ($22,000), suggesting
proxy operators weren't that successful in their attacks, the replacement
rules aren't always active, or the service isn't that popular to begin
with.

Ransomware authors are fighting back

Either way, Proofpoint says ransomware operators took notice of Onion.to's
actions and have started taking precautionary measures against all
Tor-to-web proxy services.

The most obvious change is that many have stopped providing Tor proxy
links and are now listing only the pure Tor .onion URL in their ransom
notes, recommending that users access the payment site only via the Tor
Browser alone.

Other ransomware authors have altered their Dark Web-hosted ransom payment
sites. For example, the operators of the MagniBer ransomware now split the
Bitcoin address shown to each victim on their payment site across
different HTML tags.

MagniBer splitting Bitcoin wallet addresses

This makes it harder for malicious Tor proxies to detect the Bitcoin address
pattern, but it's not a reliable protection measure. In case users reach
the desperate conclusion that they need to pay the ransom, to avoid losing
their funds to malicious Tor-to-web proxies, it is recommended they access
the link directly in the Tor Browser.

But the best way to avoid ransomware infections is to avoid opening
suspicious files received from unknown persons, and to keep regular backups
of important (or all) files.

An earlier version of this article referenced Onion.to instead of
Onion.top (in three sentences) as the Tor proxy that is replacing Bitcoin
addresses. Bleeping Computer regrets the error and confusion it caused
among some readers.
Posted on Rocksolid Light.
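Added example, not code from the original post or from the Bleeping Computer article: a defender-side integrity check for the behaviour described above. It extracts checksum-valid legacy Bitcoin addresses (P2PKH "1..." / P2SH "3...", bech32 omitted) from the visible text of two copies of a page, one fetched directly over Tor and one through an intermediary, and reports any address that was swapped. Text nodes are joined without separators, so it still finds an address that a site splits across HTML tags the way the article says MagniBer does, and the Base58Check checksum keeps random look-alike strings out. The sample pages and the "operator" address are constructed for the example; the two addresses are well-known public example addresses, not anything from the article.

```python
import hashlib
import re
from html.parser import HTMLParser

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
RUN_RE = re.compile("[" + B58 + "]+")  # maximal runs of Base58 characters

class _Text(HTMLParser):
    # Text nodes are joined with '' later, so an address split across tags re-forms.
    def __init__(self): super().__init__(); self.parts = []
    def handle_data(self, data): self.parts.append(data.strip())

def is_valid_base58check(addr):
    """Legacy address check: version byte + 20-byte hash + 4-byte SHA256d checksum."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is 0x00
    if len(body) != 25 or body[0] not in (0x00, 0x05):  # P2PKH or P2SH version byte
        return False
    return hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()[:4] == body[21:]

def extract_addresses(html):
    """Checksum-valid addresses in the visible text, even when split across tags."""
    p = _Text()
    p.feed(html)
    found = set()
    for run in RUN_RE.findall("".join(p.parts)):
        for i, c in enumerate(run):
            if c not in "13":
                continue
            for length in range(26, 36):  # legacy addresses are 26..35 characters
                if is_valid_base58check(run[i:i + length]):
                    found.add(run[i:i + length])
    return found

def diff_addresses(direct_html, proxied_html):
    # Anything missing from, or added to, the proxied copy means the intermediary rewrote it.
    direct, proxied = extract_addresses(direct_html), extract_addresses(proxied_html)
    return {"missing": direct - proxied, "added": proxied - direct}

# Constructed sample pages: GENESIS is the public genesis-block address, OPERATOR a second
# public example address standing in for the proxy operator's own wallet.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OPERATOR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
DIRECT_HTML = "<p>Send 0.5 BTC to <b>" + GENESIS + "</b></p>"
SPLIT_HTML = "<p>Send 0.5 BTC to <i>1A1zP1eP5Q</i><i>Gefi2DMPTfTL</i><b>5SLmv7DivfNa</b></p>"
PROXIED_HTML = DIRECT_HTML.replace(GENESIS, OPERATOR)
```

Running `diff_addresses(DIRECT_HTML, PROXIED_HTML)` reports the original address as missing and the substituted one as added; the same extraction run on `SPLIT_HTML` still recovers the full address despite the tag splitting.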

Re: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses

https://news.novabbs.org/interests/article-flat.php?id=449&group=rocksolid.shared.news#449
Path: rocksolid2!def3!.POSTED!not-for-mail
From: trw@i2pmail.org (trw)
Newsgroups: rocksolid.shared.news
Subject: Re: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
Date: Sun, 19 Aug 2018 09:10:04 -0400
Organization: Dancing elephants
Lines: 5
Message-ID: <plbof1$p39$1@def3.retrobbs.com>
References: <4b228147d2132bd7748fcc262a613648$1@rslight.novabbs.com>
Reply-To: trw <trw@i2pmail.org>
NNTP-Posting-Host: 10.0.2.2
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: def3.retrobbs.com 1534682401 25705 10.0.2.2 (19 Aug 2018 12:40:01 GMT)
X-Complaints-To: usenet@def3.retrobbs.com
NNTP-Posting-Date: Sun, 19 Aug 2018 12:40:01 +0000 (UTC)
User-Agent: FUDforum 3.0.7
X-FUDforum: e4062714e2d275bd0cc7c3ee636428b0 <3392>
 by: trw - Sun, 19 Aug 2018 13:10 UTC

I like that approach, it has real potential...
But seriously, it is a clear warning against any proxy to the darknets. Who knows what other information they grab
and/or alter in between?
Thanks for posting this.
Posted on: def3.i2p