Tor Exit Nodes: Risks, Monitoring, and Defensive Use


What Are Tor Exit Nodes?

Tor exit nodes frequently appear in cybersecurity discussions, and for good reason. This post explains why they matter so you can decide if your security team should take a closer look.

The Tor network is a powerful tool for enabling anonymity online, and like many privacy-preserving technologies, it has both legitimate and malicious uses (we’re looking at you, DoH!). While it supports privacy for users around the world, it also helps attackers hide their infrastructure, evade detection, and bypass traditional defenses. Understanding how Tor works and how it’s used across different stages of an attack can help defenders apply controls, such as traffic monitoring and access policies, more effectively.

The Tor (The Onion Router) network is a system designed to enable anonymous communication over the Internet. When a user routes their connection through Tor, their data is encrypted and bounced through a series of volunteer-operated nodes, also known as relays, in a layered manner, like peeling an onion. Tor exit nodes are the final relay in the Tor network through which traffic emerges before reaching its destination.

Here’s how it works:

  1. Client Encryption and Path Building:
    When a user opens a connection through the Tor client (for example, the Tor Browser), the client builds a circuit of three relays. The first hop, the guard, is kept for an extended period; the middle and exit relays are chosen per circuit:

    • Entry (Guard) Node – The first hop; it knows the user’s IP address but not the destination.
    • Middle Node – The second hop; it connects the guard and exit nodes and knows neither the user nor the destination.
    • Exit Node – The final hop; it removes the last layer of Tor encryption and sends the traffic out to the public Internet.
  2. Onion Routing:
    The client encrypts each cell in layers, innermost for the exit and outermost for the guard. Each relay knows only the previous and next hop, not the full path. As each relay receives the data, it peels away one layer of encryption (hence “onion routing”) until the exit node forwards the traffic, stripped of Tor’s encryption, to the destination website or server.
  3. Exit Node Role:
    As far as the destination is concerned, the traffic originates from the exit node. The exit sees the content of the request unless the application protocol itself is encrypted (for example, HTTPS, where it sees only the destination and TLS ciphertext), but it does not see the user’s IP address. This is why exit nodes are a focus in both privacy discussions and cybersecurity operations.

Because exit nodes are the only points in the Tor network that interact with the open Internet, they are a key observation point for defenders monitoring suspicious traffic. The Tor Project publishes a current list of active exit nodes, and its official blog covers technical changes to the service.

Why Tor Exit Nodes Matter in Cybersecurity

While Tor has many legitimate uses, its anonymity makes it attractive to threat actors. Attackers frequently leverage Tor for:

  • Exfiltration of data after compromising a system
  • Command-and-control (C2) communications
  • Scanning and probing for vulnerabilities anonymously
  • Anonymized web scraping or credential stuffing

Traffic emerging from Tor exit nodes presents challenges for attribution, enforcement, and even rate-limiting. Monitoring or blocking these nodes can help reduce noise and risk in certain environments.

MITRE ATT&CK TTPs

To further the discussion about Tor’s significance in cybersecurity, it’s helpful to look at how the MITRE ATT&CK framework classifies the different ways attackers abuse it. We compiled the following list to emphasize the broad utility of Tor (or similar services) across the threat landscape. From infrastructure obfuscation and anonymous scanning to covert data theft, Tor enables a wide spectrum of malicious operations. By showcasing its versatility, we aim to help defenders implement more effective detection and mitigation strategies in their environments.

Tactic | Technique ID | Technique Name | Description | Tor Use Case
--- | --- | --- | --- | ---
Command and Control | T1090.003 | Proxy: Multi-hop Proxy | Multi-hop proxy chains conceal the true source and destination of network traffic. | Tor is itself a multi-hop encrypted proxy. Operators route C2 traffic through it to hide their infrastructure and bypass perimeter defenses.
Command and Control | T1102 | Web Service | Web services are leveraged to carry C2 communications while blending with normal traffic. | Tor onion services (.onion addresses) host C2 endpoints anonymously, making them harder to block or trace.
Command and Control | T1102.001 | Dead Drop Resolver | Commands or payloads are stored at web-accessible locations and retrieved by malware. | Malware connects over Tor to .onion pages that host instructions (dead drops), reducing the need for a persistent C2 channel.
Command and Control | T1102.002 | Bidirectional Communication | Two-way channels are established over web services, allowing command issuance and response retrieval. | Onion services give infected systems and their controller an encrypted, anonymous two-way channel.
Command and Control | T1572 | Protocol Tunneling | Malicious traffic is encapsulated within another protocol, such as HTTPS, to evade detection. | Communication enters Tor through the client’s local SOCKS proxy and carries standard protocols such as HTTPS, blending with legitimate activity.
Command and Control | T1001 | Data Obfuscation | Traffic is modified or disguised to make it harder to analyze or detect. | Tor’s layered encryption hides both the content and the final destination from anyone watching the client’s network, obscuring intent.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Data is sent out over the existing command and control channel. | Tor-based C2 channels are frequently used to exfiltrate stolen data alongside commands because of their encryption and anonymity.
Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Data is exfiltrated to cloud storage or web services, usually over encrypted channels. | Tor anonymizes the transfer of stolen data to attacker-controlled storage or .onion servers.
Resource Development | T1583.006 | Acquire Infrastructure: Web Services | Web infrastructure such as domains or servers is obtained for later operational use. | Onion services are stood up to host malware, C2 servers or phishing kits anonymously; a .onion address is derived from the service’s key pair rather than registered with a registrar, so there is no registration record to pivot on.
Defense Evasion | T1027 | Obfuscated Files or Information | Code or data is hidden or encoded to prevent detection by security tools. | Traffic routed over Tor is encrypted and anonymized in transit, making it harder to inspect or attribute.
Reconnaissance | T1595 | Active Scanning | Target networks are scanned to gather information such as open ports, services or potential vulnerabilities. | Scans are conducted over Tor to mask the source of probes against target infrastructure.
Reconnaissance | T1595.001 | Scanning IP Blocks | Large address spaces are scanned to locate accessible systems and services. | Wide IP ranges are scanned from Tor exit nodes, identifying exposed assets while remaining anonymous.
Reconnaissance | T1595.002 | Vulnerability Scanning | Specific systems are scanned to identify known vulnerabilities or misconfigurations. | Vulnerability scanners route traffic through Tor to probe targets without revealing the attacker’s origin.
Credential Access | T1110 | Brute Force | Repeated login attempts are made to gain access by guessing or using common passwords. | Brute-force attacks are launched via Tor to bypass IP restrictions and avoid detection.
Credential Access | T1110.004 | Credential Stuffing | Previously leaked credentials are tried across services. | Login attempts are spread across many exit IPs, increasing stealth and success while evading per-IP rate limits.
Reconnaissance | T1589.003 | Gather Victim Identity Information: Credentials | Username and password data is collected from public or breached sources to inform follow-on targeting. | Credential leaks are scraped from forums, dumps or pastes over Tor while hiding the requester’s identity.

Defensive Applications of Tor Exit Node Intelligence

There are multiple defensive use cases for tracking and leveraging Tor exit node IPs in a security program:

  1. Blocking Tor Exit Traffic

Many security teams choose to block inbound or outbound traffic involving known Tor exit nodes, especially in environments that do not serve anonymous users. This can be done via:

  • Firewall rules
  • Web application firewalls (WAFs)
  • DNS-based filtering
  • SIEM correlation rules

Keep in mind, this approach may generate false positives if your service intentionally serves Tor users.
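As an added example, not code from the original post or from any firewall vendor, the following Python turns a downloaded exit list into nftables configuration. It assumes the one-address-per-line shape of the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist); the sample text is constructed, not a real download. Two things it shows that a bare blocklist does not: every line is validated before it can reach the firewall, and the drop rule is scoped to a configurable set of ports so services you intentionally offer to Tor users are left alone. It also generates the refresh transaction separately from the base ruleset, since the list changes often and stale entries must be flushed, not merely appended to.

```python
import ipaddress

# Constructed sample in the one-address-per-line shape of the bulk exit list.
# Not live data: it deliberately includes a comment, a blank line, junk and
# a duplicate to exercise the validation.
SAMPLE_BULK_LIST = """\
# constructed sample, not a real download
192.0.2.10
192.0.2.11

2001:db8::1
192.0.2.10
not-an-ip
"""


def parse_exit_list(text: str):
    """Validate every line and return sorted, de-duplicated IPv4 and IPv6
    networks. Bare addresses become /32 or /128; CIDR lines are accepted too,
    so the same code handles feeds that publish ranges."""
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # never let a malformed line reach the firewall config
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def _element(net) -> str:
    # nft accepts "a.b.c.d/32", but a plain address reads better in the set.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def render_base_ruleset(protected_ports=(22, 3389), table="inet filter") -> str:
    """Loaded once: two empty interval sets plus a rule that drops NEW inbound
    connections from exits to the protected ports only. The port list is an
    assumption for the example; widen or narrow it to your own exposure."""
    ports = ", ".join(str(p) for p in protected_ports)
    return "\n".join([
        f"table {table} {{",
        "    set tor_exit_v4 { type ipv4_addr; flags interval; }",
        "    set tor_exit_v6 { type ipv6_addr; flags interval; }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @tor_exit_v4 tcp dport {{ {ports} }} ct state new counter drop",
        f"        ip6 saddr @tor_exit_v6 tcp dport {{ {ports} }} ct state new counter drop",
        "    }",
        "}",
    ]) + "\n"


def render_refresh(v4, v6, table="inet filter") -> str:
    """Run on every feed update: flush and repopulate both sets in one file so
    `nft -f` applies the replacement as a single transaction and exits that
    have left the list stop being blocked."""
    lines = []
    for name, nets in (("tor_exit_v4", v4), ("tor_exit_v6", v6)):
        lines.append(f"flush set {table} {name}")
        if nets:  # an empty "add element { }" is a syntax error, so skip it
            lines.append(f"add element {table} {name} {{ {', '.join(_element(n) for n in nets)} }}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4, v6 = parse_exit_list(SAMPLE_BULK_LIST)
    print(render_base_ruleset())
    print(render_refresh(v4, v6))
```

Load the base ruleset once with `nft -f`, then have the scheduled job that fetches the list write the refresh output and apply it the same way; because the flush and the add are in one file, there is no window where the sets are empty.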

  2. Threat Hunting and Monitoring

By monitoring network traffic to and from Tor exit nodes you can uncover suspicious or malicious behavior such as:

  • Beaconing to C2 infrastructure
  • Unauthorized data transfers
  • Anonymized access attempts

This is particularly useful in SOC environments that log DNS queries, proxy traffic, or NetFlow/Zeek logs.

  3. Threat Intelligence Enrichment

Ingesting and enriching alert data with Tor exit node intelligence can improve triage workflows. For example:

  • Flagging alerts from exit node IPs with a higher risk score
  • Adding context during incident investigations
  • Enhancing SOAR playbooks with automated risk annotations
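The monitoring and enrichment use cases above share one pipeline: load the exit list, match it against your logs, and attach context and a score. As an added example, not code from the original post or from any vendor's product, the following Python does that over constructed inputs. It assumes the record format of the TorDNSEL exit list (https://check.torproject.org/exit-addresses), which carries each relay's fingerprint and the time an exit address was last seen; the fingerprints, addresses, access log lines and risk thresholds are all made up for the example. Two practitioner details are built in: entries older than a configurable age are dropped, because exits churn and a stale match is a false positive, and a successful login from an exit is scored above a failed one, since the former is a possible credential-stuffing hit rather than just a guess.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the TorDNSEL exit-addresses record format. Fingerprints
# and addresses are made up; the last record is deliberately stale.
SAMPLE_EXIT_ADDRESSES = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2024-05-01 12:34:56
LastStatus 2024-05-01 13:00:00
ExitAddress 192.0.2.10 2024-05-01 13:05:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2024-05-01 12:40:00
LastStatus 2024-05-01 13:00:00
ExitAddress 192.0.2.11 2024-05-01 13:06:00
ExitNode FEDCBA9876543210FEDCBA9876543210FEDCBA98
Published 2024-04-28 08:00:00
LastStatus 2024-04-28 09:00:00
ExitAddress 198.51.100.7 2024-04-28 09:00:00
"""

# Constructed web server access log lines (Common Log Format), not real traffic.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [01/May/2024:13:10:01 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.5 - - [01/May/2024:13:10:02 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/May/2024:13:10:03 +0000] "POST /login HTTP/1.1" 401 512',
    '192.0.2.11 - - [01/May/2024:13:10:04 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/May/2024:13:10:05 +0000] "GET /robots.txt HTTP/1.1" 200 80',
    'garbage line that should be skipped',
]

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 1, 13, 30, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_exit_addresses(text, now=NOW, max_age=timedelta(hours=24)):
    """Map exit IP -> relay fingerprint, keeping only ExitAddress entries seen
    within max_age of now. Older entries are dropped rather than left to
    generate false positives after the relay has moved or gone away."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif len(parts) == 4 and parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            if now - seen.replace(tzinfo=timezone.utc) <= max_age:
                exits[parts[1]] = fingerprint
    return exits


def enrich(log_lines, exits):
    """Parse each access log line and annotate it with Tor context and a risk
    score. The thresholds are illustrative assumptions, not a standard."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than mis-score it
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        fp = exits.get(ev["ip"])
        ev["tor_exit"] = fp is not None
        ev["exit_fingerprint"] = fp
        score = 0
        if fp:
            score = 40  # any request from an exit earns context, not an alert
            if ev["method"] == "POST" and ev["path"] == "/login":
                # a login that succeeds (200 or redirect) from an exit looks
                # like a credential-stuffing hit; a failure looks like a guess
                score = 90 if ev["status"] in (200, 302) else 70
        ev["risk"] = score
        events.append(ev)
    return events


def hunt_logins_from_exits(events):
    """Hunting view: login POSTs per exit IP, split into failed and succeeded."""
    stats = {}
    for ev in events:
        if ev["tor_exit"] and ev["method"] == "POST" and ev["path"] == "/login":
            s = stats.setdefault(ev["ip"], {"fingerprint": ev["exit_fingerprint"],
                                            "failed": 0, "succeeded": 0})
            s["succeeded" if ev["status"] in (200, 302) else "failed"] += 1
    return stats


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_ADDRESSES)
    events = enrich(SAMPLE_ACCESS_LOG, exits)
    for ev in events:
        print(ev["ip"], ev["method"], ev["path"], ev["status"], "risk", ev["risk"], ev["exit_fingerprint"])
    print(hunt_logins_from_exits(events))
```

The same `enrich` step is where a SOAR playbook would read the `risk` and `exit_fingerprint` fields; carrying the fingerprint rather than only the IP lets an analyst pivot to relay details even after the exit changes address.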

Where to Get Reliable Tor Exit Node Data

There are a few trustworthy sources for up-to-date Tor exit node information, all published by the Tor Project:

  • The bulk exit list (https://check.torproject.org/torbulkexitlist), one IP address per line; the simplest input for blocklists.
  • The TorDNSEL exit list (https://check.torproject.org/exit-addresses), which records each exit relay’s fingerprint together with the addresses it has been seen exiting from and when.
  • The Onionoo API (https://onionoo.torproject.org/), which exposes relay details, including exit policies, for enrichment.

Considerations and Cautions

Blocking or monitoring Tor exit traffic is not always the right choice. For organizations supporting user privacy, activism, or global accessibility, outright blocking could limit service availability or raise ethical concerns. Any implementation should be aligned with your organization’s risk posture and user profile. Also, IP addresses of Tor exit nodes can change frequently. This means real-time updates and automation are essential if you’re maintaining blocklists or alerts.

Here are a few good resources for advice about developing a Tor security policy:

Final Thoughts

Using Tor exit node IPs as part of your threat intelligence strategy adds visibility into a common vector for anonymous, and potentially malicious, traffic. Whether you’re blocking, monitoring, or enriching alerts, Tor exit node intelligence is a flexible and valuable tool, but it should be used thoughtfully and in context. Not all Tor traffic is malicious, and indiscriminate blocking can lead to unintended consequences. Instead, aligning Tor intelligence with your organization’s risk tolerance and use cases ensures it contributes meaningfully to detection, response, and threat hunting efforts.

For our customers, Tor exit node data can also be integrated directly into existing threat intelligence subscriptions upon request. Contact your account manager to learn more about integration options or additional enrichment.

As part of our commitment to empowering defenders, we offer several free OSINT feeds, one of which includes a regularly updated list of active Tor exit nodes. Sign-up for free access is available on our site.

Leslie Dawn

Technical Account Manager

Leslie Dawn is a Technical Account Manager / Threat Intelligence Analyst at Malware Patrol. Her background of nearly a decade in cyber threat intelligence provides her with a nuanced understanding of threat landscapes and client security needs.
