A startup security firm based in the United States is offering a total of $1 million in rewards to security researchers who can find and create ways to exploit vulnerabilities in the anonymous web browsing tool Tor Browser.

The prize money is being put up by Zerodium, an upstart security firm known for buying security flaws and zero-day vulnerabilities from researchers and selling the information to government customers.

The highest individual bounty offered by the company is $250,000, which will be awarded to any researcher who provides the company with an exploit that allows an attacker to hack a target using Tor Browser, a popular application often associated with the dark web and used for browsing the internet securely and anonymously.

Smaller bounties—though still significant prizes for discovering a single exploit—range from $75,000 to $200,000.

The guidelines set by Zerodium for the exploits lay out some specific requirements. The vulnerabilities must be zero-days, or flaws that have otherwise been unreported and gone unnoticed by the creators of the product. The exploits must also allow for remote code execution—allowing an attacker to inject malicious code into a victim’s machine—and must be achieved silently with no giveaway to the target that the attack is happening.

For Tor users, many of whom are simply aiming to protect their privacy, the bounty program may seem threatening. Not only would the exploits allow an attacker to hijack a victim’s machine by executing malicious code, they could also put at risk their anonymity—a necessity for some users who rely on Tor to browse the web free of monitoring and restrictions.

While the company acknowledged the Tor network and Tor Browser are “fantastic projects that allow legitimate users to improve their privacy and security on the internet,” Zerodium also said the products attract “ugly people” who “conduct activities such as drug trafficking or child abuse.”

Zerodium isn’t particularly shy about what it intends to do with the exploits it acquires, either. In the announcement of the program, Zerodium says the bounty is being offered in order to “help our government customers fight crime and make the world a better and safer place for all.”

There has been growing interest in the dark web—a collection of otherwise unlisted and inaccessible sites that standard browsers cannot access—from government agencies and law enforcement in recent months.

Earlier this year, authorities in the United States, Canada and Thailand all took coordinated action against operators of a dark web marketplace known as AlphaBay—a site known for its sale of illegal goods including drugs, credit card information, guns and other goods or services. Following the shutdown of AlphaBay, law enforcement also closed down another dark web marketplace known as Hansa Market.

Users of other popular locations for buying and selling on the dark web, like Dream Market, have been on high alert since the crackdown, and some fear government agents have infiltrated their communities. Exploits like those sought by Zerodium could potentially be used to identify anonymous buyers and sellers operating on the marketplace.

Zerodium’s bounty will remain active through November 30, or until payouts for Tor Browser exploits reach $1 million if that happens before the deadline.