[tor-relays] Sybil Attack on 2025-11-20 - please setup your AROIs :)

Hi,

as some of you might have noticed, yesterday 2025-11-20 someone added ~900 new tor relays
to the tor network.

They used nickname schemes from other operators:

* NTH
* prsv
* Quetzalcoatl
* for-privacy.net
* relayon
* DFRI
* bauruine
...

For this reason I wanted to encourage every operator, especially the large ones, to
set up their AROI.
Here is a howto:

Why?
You get nice timeseries graphs of your relays.
example: Operator: artikel10.org | OrNetStats

And it helps to **automatically** tell false friends apart, especially since families have become so
large that we can no longer use that as a good signal, because a family must be split if it becomes too large for the
descriptor limit.

A good example is nothingtohide.nl, all of their relays have a proper AROI configuration and they verify properly:

Here are 3 examples of large relay operators
where AROI verification fails (partially):

If you are one of them or if you know them please ping them if you can:

* quetzalcoatl-relays.org Tor Relays :: Contact :: email:Quetzalcoatl_relays[]proton.me...
* emeraldonion Tor Relays :: Family 34933f
* prsv.ch Tor Relays :: Contact :: email:admin[]prsv.ch url:https://prsv.ch/...

kind regards,
nusenu


--

_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org


They used nickname schemes from other operators

It looks like they're even doing that for small operators. For example,
I only run 5 relays, named forest1 through forest5. They cloned one of
my relays, forest3, a total of 6 times. Each forest3 relay has a stolen
ContactInfo from some other random operator. Needless to say, I only
run one of Relay Search.

Whoever is doing this may have been testing it out as early as a few
weeks ago. I noticed back then that there was another forest3 (the same
relay that is being impersonated now) which was down when I noticed it.
I assumed it was just a coincidence at the time. It no longer shows in
the Metrics page as it has been down for too long.

Will these (and the other new relays) be taken down soon?

As an aside, it's strange that these are all non-exits. That would
indicate a somewhat more sophisticated attack than a typical MITM from
rogue exits, but a sophisticated threat actor should realize that
adding 900+ relays at once with stolen Nickname and ContactInfo fields
would raise red flags. Could it be some naïve researcher with a budget
and a lax IRB? I don't understand this.

Regards,
forest


It looks like all the newly added relays, or at least all the ones that
I was looking at, have shut down. I suppose whoever put them up has now
realized that they have been detected. Will all the fingerprints be
blacklisted anyway?

Regards,
forest


Actually, the relays are still running, at least at this moment. (You
can check this yourself by telneting to their ORPort.)

They appear down on the metrics page because they are no longer in the
consensus, because a threshold of the directory authorities are rejecting
them (as of about 30 hours ago).

--Roger


On Fri, Nov 21, 2025 at 08:15:16PM -0000, forest-relay-contact--- via tor-relays wrote:

It looks like all the newly added relays, or at least all the ones that
I was looking at, have shut down. I suppose whoever put them up has now
realized that they have been detected. Will all the fingerprints be
blacklisted anyway?


That's because onionoo sometimes returns 13 relays I had shut down nearly two years ago. And digitalcourage uses the .social TLD for its AROI and not the .de


On 11/23/25 16:36, Tor at 1AEO via tor-relays wrote:

tuxli: 13 out of 95. Error: Fingerprint not found in rsa-fingerprint.txt (13 relays)
digitalcourage.de: 30 out of 30. Error: 404 Not Found for .well-known/tor-relay/rsa-fingerprint.txt

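A small verifier of the kind that produces the failure reports above, tying together nusenu's AROI advice and the "Fingerprint not found" / "404 Not Found" results: it is an added example, not code from this thread or from the OrNetStats/AROI tooling. It reads the `url:` field out of a relay's ContactInfo, fetches that domain's `/.well-known/tor-relay/rsa-fingerprint.txt`, and checks whether the relay's fingerprint is listed, which is exactly what a cloned nickname plus copied ContactInfo cannot pass. The domains, fingerprints and HTTP responses are constructed placeholders, the fetch is an offline stand-in, and the one-fingerprint-per-line file format follows my reading of the ContactInfo sharing spec (an assumption).

```python
import re
from typing import Callable, Optional, Set, Tuple
WELL_KNOWN = "/.well-known/tor-relay/rsa-fingerprint.txt"
FPR_RE = re.compile(r"^[0-9A-F]{40}$")

def aroi_domain(contact_info: str) -> Optional[str]:
    """Pull the domain out of the ContactInfo 'url:' field (scheme optional)."""
    m = re.search(r"\burl:(?:https?://)?([A-Za-z0-9.-]+)", contact_info)
    return m.group(1).lower() if m else None

def parse_fingerprint_file(body: str) -> Set[str]:
    """One 40-hex RSA fingerprint per line; '#' comments and blank lines ignored."""
    fprs = set()
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().upper()
        if FPR_RE.match(line):
            fprs.add(line)
    return fprs

def verify_aroi(fingerprint: str, contact_info: str,
                fetch: Callable[[str], Tuple[str, str]]) -> str:
    """Return 'ok', or an error string in the style of the reports above."""
    domain = aroi_domain(contact_info)
    if domain is None:
        return "Error: no url: field in ContactInfo"
    status, body = fetch("https://" + domain + WELL_KNOWN)
    if not status.startswith("200"):
        return f"Error: {status} for {WELL_KNOWN}"
    if fingerprint.upper() not in parse_fingerprint_file(body):
        return "Error: Fingerprint not found in rsa-fingerprint.txt"
    return "ok"

# Constructed, offline stand-in for the HTTPS fetch: placeholder domain and fingerprints.
FPR_LISTED = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_CLONE = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
FAKE_WEB = {
    "https://operator.example" + WELL_KNOWN:
        ("200 OK", "# relays run by operator.example\n" + FPR_LISTED + "\n"),
}
def fake_fetch(url: str) -> Tuple[str, str]:
    return FAKE_WEB.get(url, ("404 Not Found", ""))

def demo() -> dict:
    # A cloned relay can copy this ContactInfo, but not get itself into the operator's file.
    contact = "email:admin[]operator.example url:operator.example proof:uri-rsa"
    return {
        "genuine": verify_aroi(FPR_LISTED, contact, fake_fetch),
        "copied_contactinfo": verify_aroi(FPR_CLONE, contact, fake_fetch),
        "no_file": verify_aroi(FPR_LISTED, "url:other.example", fake_fetch),
    }
```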

Hi,

here's metastable-void/真空, the head of the Tor Operations division at Menhera/Human-life Information Platforms Institute (AS63806).

Thanks for the advice. Since we're the largest relay operator in Japan and we are expanding soon, I'll seriously consider setting up AROI.

Cheers,

--
Yuka MORI / metastable-void
<mori@menhera.ad.jp>

On Sat, Nov 22, 2025 at 5:17 forest-relay-contact--- via tor-relays <tor-relays@lists.torproject.org> wrote:


It looks like all the newly added relays, or at least all the ones that
I was looking at, have shut down. I suppose whoever put them up has now
realized that they have been detected. Will all the fingerprints be
blacklisted anyway?

Regards,
forest

This stuff indeed started happening to my relay a couple of weeks ago, it's as if they're spinning up new relays from the same location. Relay Search
The real me is Relay Search

Might be worth checking out the AROI thing.

Could it be some naïve researcher with a budget and a lax IRB?

Wouldn't that 'researcher' want to interact with the community and seem less sketchy though?
