Security experts from Proofpoint conducted an investigation and found that the onion.top proxy, which allows access to the Tor network from a standard web browser, substitutes bitcoin wallet addresses and behaves this way toward the LockeR, Sigma and GlobeImposter ransomware.
The service scans web pages loaded through the portal, searching them for strings that look like bitcoin wallet addresses, and then replaces those strings with the attackers' wallet addresses, the Proofpoint experts said.
Analysis of the service revealed that it works from several rules for spoofing bitcoin wallets, which clearly indicates manual configuration for each specific site.
So far, two bitcoin wallets are known to belong to the fraudsters operating through onion.top. In total, the wallets contain about two bitcoins (about 22 thousand dollars). After the scheme was exposed, the operators of the ransomware programs removed the links to all proxy servers and advised users to make payments only through the Tor browser.
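
A defensive check for the rewriting described above, as an added example that is not from Proofpoint's analysis or the original article: it extracts checksum-valid legacy bitcoin addresses from two copies of the same page, one fetched directly over Tor and one through a web proxy, and reports any that differ. The addresses and page bodies are constructed sample data, the function names are illustrative, and bech32 addresses are not covered.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"\b[13][%s]{25,33}\b" % B58)  # legacy P2PKH/P2SH only

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, h160: bytes) -> str:
    """Encode a legacy address; used only to construct the sample data below."""
    raw = bytes([version]) + h160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(s: str) -> bool:
    """True if s decodes to 25 bytes with a correct Base58Check checksum."""
    try:
        n = 0
        for ch in s:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    return raw[0] in (0x00, 0x05) and _checksum(raw[:21]) == raw[21:]

def addresses(html: str) -> set:
    """Checksum-valid address strings in a page body (drops lookalike tokens)."""
    return {m for m in CANDIDATE.findall(html) if is_valid_address(m)}

def substituted(direct_html: str, proxied_html: str):
    """Return (addresses missing via the proxy, addresses only the proxy shows)."""
    direct, proxied = addresses(direct_html), addresses(proxied_html)
    return sorted(direct - proxied), sorted(proxied - direct)

# Constructed sample data: two addresses derived from fixed labels, and the same
# payment page as seen directly over Tor and as returned by a rewriting proxy.
LEGIT = b58check_encode(0x00, hashlib.sha256(b"constructed-original").digest()[:20])
INJECTED = b58check_encode(0x00, hashlib.sha256(b"constructed-injected").digest()[:20])
DIRECT_PAGE = f"<p>Send payment to <b>{LEGIT}</b></p><p>ref 1NotAnAddress1NotAnAddress1Not</p>"
PROXIED_PAGE = DIRECT_PAGE.replace(LEGIT, INJECTED)

if __name__ == "__main__":
    print(substituted(DIRECT_PAGE, PROXIED_PAGE))
```

Any non-empty result means the two copies of the page disagree about where payment should go; the checksum filter keeps ordinary Base58-looking tokens from raising false alarms.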