They used nickname schemes from other operators
It looks like they're even doing that for small operators. For example, I only run 5 relays, named forest1 through forest5. They cloned one of my relays, forest3, a total of 6 times. Each forest3 relay has a stolen ContactInfo from some other random operator. Needless to say, I only run one of https://metrics.torproject.org/rs.html#search/forest3.

Whoever is doing this may have been testing it out as early as a few weeks ago. I noticed back then that there was another forest3 (the same relay that is being impersonated now) which was down when I noticed it. I assumed it was just a coincidence at the time. It no longer shows in the Metrics page as it has been down for too long.

Will these (and the other new relays) be taken down soon?

As an aside, it's strange that these are all non-exits. That would indicate a somewhat more sophisticated attack than a typical MITM from rogue exits, but a sophisticated threat actor should realize that adding 900+ relays at once with stolen Nickname and ContactInfo fields would raise red flags. Could it be some naïve researcher with a budget and a lax IRB? I don't understand this.

Regards,
forest
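
An added example, not part of the original message: one way an operator could check a relay list for the nickname cloning described above and see which other relays already publish the ContactInfo a clone carries. The records are constructed, with keys modelled on Onionoo details documents; `find_clones`, `MY_RELAYS` and every value are hypothetical.

```python
from collections import defaultdict

# Constructed sample records; keys follow Onionoo "details" documents
# (nickname, fingerprint, contact, first_seen). Every value is made up.
RELAYS = [
    {"nickname": "forest3", "fingerprint": "A" * 40,
     "contact": "forest <forest@example.org>", "first_seen": "2021-03-01 00:00:00"},
    {"nickname": "forest3", "fingerprint": "B" * 40,
     "contact": "alice <alice@example.net>", "first_seen": "2025-11-20 00:00:00"},
    {"nickname": "Forest3", "fingerprint": "C" * 40,
     "contact": "bob <bob@example.com>", "first_seen": "2025-11-20 00:00:00"},
    {"nickname": "alicerelay", "fingerprint": "D" * 40,
     "contact": "alice <alice@example.net>", "first_seen": "2019-06-10 00:00:00"},
    {"nickname": "solo", "fingerprint": "E" * 40,
     "contact": "carol <carol@example.org>", "first_seen": "2020-01-01 00:00:00"},
]

# Assumption: the operator keeps their own nickname -> fingerprint list offline.
MY_RELAYS = {"forest3": "A" * 40}


def find_clones(relays, my_relays):
    """Flag relays that use one of my nicknames with a fingerprint I do not hold."""
    mine = {nick.lower(): fp.upper() for nick, fp in my_relays.items()}
    by_contact = defaultdict(list)  # normalised ContactInfo -> relays publishing it
    for r in relays:
        if r.get("contact"):
            by_contact[r["contact"].strip().lower()].append(r)
    findings = []
    for r in relays:
        nick, fp = r["nickname"].lower(), r["fingerprint"].upper()
        if nick not in mine or fp == mine[nick]:
            continue  # not my nickname, or it is my real relay
        contact = (r.get("contact") or "").strip().lower()
        # Older relays under a different nickname with the same ContactInfo
        # are the likely source the string was copied from.
        donors = sorted(o["nickname"] for o in by_contact.get(contact, [])
                        if o["nickname"].lower() != nick
                        and o["first_seen"] < r["first_seen"])
        findings.append({"nickname": r["nickname"], "fingerprint": fp,
                         "first_seen": r["first_seen"], "contact_also_on": donors})
    return findings


if __name__ == "__main__":
    for f in find_clones(RELAYS, MY_RELAYS):
        print(f)
```

Matching is on the fingerprint because Nickname and ContactInfo are self-declared fields that any relay can set to any value.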