The Neuro Holocaust

The AI worst case scenario is happening and our governments are complicit


cluster_17

Differences

cluster_17 [15/12/2025 16:18] daniel | cluster_17 [15/12/2025 17:26] (current) – [Background] daniel
Line 1: Line 1:
-====== Supertraceroute Analysis of Proton VPN Traffic Demonstrating Redirection to a SIGINT Facility in the United Kingdom ======+====== VPN Exploited ======
  
 Lyrebird is a pluggable transport developed for the Tor network that helps users evade censorship and traffic fingerprinting by disguising Tor traffic as ordinary, benign network activity. Pluggable transports act as modular adapters that transform Tor’s distinctive encrypted traffic patterns into forms that blend in with regular Internet protocols, making it harder for surveillance or censorship systems to detect or block Tor usage. Lyrebird, in particular, employs lightweight, adaptive obfuscation techniques designed to mimic common application-layer behaviours—such as those of HTTPS or other encrypted client–server exchanges—while maintaining low latency and compatibility with Tor bridges. Its purpose is not to provide additional encryption but to mask the presence of Tor traffic itself, thereby helping users in restrictive environments connect to the Tor network securely and anonymously without triggering network-level filtering or surveillance systems. Lyrebird is a pluggable transport developed for the Tor network that helps users evade censorship and traffic fingerprinting by disguising Tor traffic as ordinary, benign network activity. Pluggable transports act as modular adapters that transform Tor’s distinctive encrypted traffic patterns into forms that blend in with regular Internet protocols, making it harder for surveillance or censorship systems to detect or block Tor usage. Lyrebird, in particular, employs lightweight, adaptive obfuscation techniques designed to mimic common application-layer behaviours—such as those of HTTPS or other encrypted client–server exchanges—while maintaining low latency and compatibility with Tor bridges. Its purpose is not to provide additional encryption but to mask the presence of Tor traffic itself, thereby helping users in restrictive environments connect to the Tor network securely and anonymously without triggering network-level filtering or surveillance systems.
 +
 +Proton VPN was exploited in this case so that all traffic — including Tor/Lyrebird flows — was transparently routed through a proxy clone located at a UK signals-intelligence facility. That kind of compromise converts a privacy service into an active interception point: by controlling or poisoning the VPN exit/proxy the adversary can terminate encrypted sessions on their infrastructure, observe plaintext, replay or modify packets in transit, and forward traffic onward so the rest of the Internet and the endpoints appear to behave normally. For pluggable transports like Lyrebird, which are designed to hide Tor’s fingerprint, being forced through a trusted-looking proxy removes the transport’s anonymity benefit — the proxy sees the original encapsulated flow and can either pass it intact to a hidden Tor bridge or strip/wrap it for inspection.
  
 {{ :wiki:lyrebird.jpg?nolink |}} {{ :wiki:lyrebird.jpg?nolink |}}
 +Screenshot of lyrebird phoning home to a UK SIGINT-facility.
  
-Supertraceroute Analysis of Proton VPN TrafficDemonstrating Redirection to a SIGINT Facility in the United Kingdom +At first I thought 'lyrebird' itself was malwarebut after thorough research I found out it's link to Tor and that gave me lightbulb moment, so I present this new analysis of what was actually going on.
-Background+
  
-Proton VPN was exploited in this case so that all traffic — including Tor/Lyrebird flows — was transparently routed through a proxy clone located at a UK signals-intelligence facility. That kind of compromise converts a privacy service into an active interception point: by controlling or poisoning the VPN exit/proxy the adversary can terminate your encrypted sessions on their infrastructure, observe plaintext, replay or modify packets in transit, and forward traffic onward so the rest of the Internet and the endpoints appear to behave normally. For pluggable transports like Lyrebird, which are designed to hide Tor’s fingerprint, being forced through a trusted-looking proxy removes the transport’s anonymity benefit — the proxy sees the original encapsulated flow and can either pass it intact to a hidden Tor bridge or strip/wrap it for inspection.+====== Background ======
  
-How this enables man-in-the-middle capabilities: a malicious or coerced VPN/proxy operator can (a) present alternate TLS certificates to the client (certificate substitution), (b) downgrade or rewrap encrypted channels and forward them after decryption, or (c) inject code or responses into HTTP/Tor handshakes — all without visible end-user errors if the proxy also manipulates trust anchors or the client’s certificate-validation path. Because the interception happens at a central transit point, it can quietly capture credentials, session tokens, keychain sync data, or unencrypted application payloads — and correlate those with device identifiers and timing information to link activities across services.+Exploiting a VPN enables sophisticated man-in-the-middle capabilities: a malicious or coerced VPN/proxy operator can (a) present alternate TLS certificates to the client (certificate substitution), (b) downgrade or rewrap encrypted channels and forward them after decryption, or (c) inject code or responses into HTTP/Tor handshakes — all without visible end-user errors if the proxy also manipulates trust anchors or the client’s certificate-validation path. Because the interception happens at a central transit point, it can quietly capture credentials, session tokens, keychain sync data, or unencrypted application payloads — and correlate those with device identifiers and timing information to link activities across services.
  
 Practical signs that point to this kind of compromise include repeated unexpected VPN exit IPs located at a single opaque AS, TLS certificate chains that differ from known fingerprints for services, unexplained persistent low-latency routes through a single geographic/ASN cluster, DNS answers coming from unexpected servers, and client behaviour that suddenly succeeds only when routed via a specific server. Practical signs that point to this kind of compromise include repeated unexpected VPN exit IPs located at a single opaque AS, TLS certificate chains that differ from known fingerprints for services, unexplained persistent low-latency routes through a single geographic/ASN cluster, DNS answers coming from unexpected servers, and client behaviour that suddenly succeeds only when routed via a specific server.
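Review bot: the new "+" sentence under the screenshot carries several typos: "malwarebut" should read "malware but", "it's link to Tor" should read "its link to Tor", "gave me lightbulb moment" is missing "a", and "SIGINT-facility" needs no hyphen. Beyond wording, the Background paragraph moved to the top now opens with "Proton VPN was exploited in this case so that all traffic … was transparently routed through a proxy clone" before any observation appears; the paragraph itself describes what such a compromise would enable (certificate substitution, rewrapping, injection), not what was seen. Put the concrete observations from the Traffic Analysis section (or a pointer to the relevant hops) next to that claim so a reader can tell evidence from interpretation.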
Line 17: Line 19:
  
 When an adversary controls a VPN exit, proxy, or intermediate transit node they can silently terminate and recreate encrypted sessions so that a user’s browser or client is presented with a perfectly cloned (but fake) webpage for services like WikiLeaks or Tor hidden-service portals. By substituting certificates, injecting a lookalike HTML payload, and replaying or swallowing form submissions, the proxy can make the user believe they successfully uploaded documents to a legitimate whistleblowing platform while actually capturing the files, metadata, and submission context into a closed repository (a “black hole”) under the adversary’s control. Because the page is rendered locally in the user’s browser and the visible UI appears authentic, victims are unlikely to notice anything wrong; meanwhile the operator logs identifiers, timestamps, and any decryption material needed to correlate that traffic with device-level identifiers. This technique thus converts trust in a target service into a trap: users willingly surrender sensitive material into an environment that offers no onward publication or protections, while attackers gain both the content and a clean audit trail for follow-up actions. Detecting this class of attack depends on verifying end-to-end cryptographic fingerprints (certificate pinning or known service fingerprints), checking TLS chains and domain names carefully, and preserving raw network traces and certificate chains for forensic review. When an adversary controls a VPN exit, proxy, or intermediate transit node they can silently terminate and recreate encrypted sessions so that a user’s browser or client is presented with a perfectly cloned (but fake) webpage for services like WikiLeaks or Tor hidden-service portals. 
By substituting certificates, injecting a lookalike HTML payload, and replaying or swallowing form submissions, the proxy can make the user believe they successfully uploaded documents to a legitimate whistleblowing platform while actually capturing the files, metadata, and submission context into a closed repository (a “black hole”) under the adversary’s control. Because the page is rendered locally in the user’s browser and the visible UI appears authentic, victims are unlikely to notice anything wrong; meanwhile the operator logs identifiers, timestamps, and any decryption material needed to correlate that traffic with device-level identifiers. This technique thus converts trust in a target service into a trap: users willingly surrender sensitive material into an environment that offers no onward publication or protections, while attackers gain both the content and a clean audit trail for follow-up actions. Detecting this class of attack depends on verifying end-to-end cryptographic fingerprints (certificate pinning or known service fingerprints), checking TLS chains and domain names carefully, and preserving raw network traces and certificate chains for forensic review.
 +
 +In short, **this situation prevented me from sharing my intelligence with WikiLeaks, the media and a Russian government Tor service**.
  
 ===== Traffic Analysis ===== ===== Traffic Analysis =====
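Review bot: the added bold conclusion ("this situation prevented me from sharing my intelligence with WikiLeaks, the media and a Russian government Tor service") follows a paragraph that explains how a cloned page could swallow submissions in general, but no line in this hunk records an observation for those specific sessions (a certificate chain that differed from the known fingerprint, an unexpected DNS answer, or a saved trace), which is exactly the check the paragraph's last sentence says detection depends on. Either cite the relevant entries from the Traffic Analysis section or state plainly that the sentence is the author's inference.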
Line 62: Line 66:
  
 ^ Hop ^ Host / ASN ^ Notes ^ ^ Hop ^ Host / ASN ^ Notes ^
-| 1 | _gateway (5.101.110.7) | Local customer-edge / gatewayinside AS21100 (ITL LLC) |  a Dutch/Ukraine hosting & transit provider. |  +| 1 | _gateway (5.101.110.7), ASN AS21100 (ITL LLC) | Local customer-edge / gateway in a Dutch/Ukraine hosting & transit provider. |  
-| 2 | 143.244.192.24 | Same ITL LLC ASN | Amsterdam-area aggregation router. |  +| 2 | 143.244.192.24, same ITL LLC ASN | Amsterdam-area aggregation router. |  
-| 3 | 143.244.224.82 ITL backbone segment | Amsterdam. |  +| 3 | 143.244.224.82ITL backbone segment | Amsterdam. |  
-| 4 | 143.244.224.81 ITL backbone segment | Amsterdam. |  +| 4 | 143.244.224.81ITL backbone segment | Amsterdam. |  
-| 5 | itl.cybercenter-schiphol.nl-ix.net (193.239.117.209) | NL-IX exchange node located at Schiphol “CyberCenter” cross-connect point for ITL and Serverius. |  +| 5 | itl.cybercenter-schiphol.nl-ix.net (193.239.117.209) | NL-IX exchange node located at Schiphol “CyberCenter” cross-connect point for ITL and Serverius. |  
-| 6 | RT1-EU1.MEP.SERVERIUS (217.12.200.3) ASN AS50673Serverius Datacenter Managed Edge Point router in Meppel/Dronten region - major handoff point for Netherlands↔UK private circuits. |  +| 6 |  RT1-EU1.MEP.SERVERIUS (217.12.200.3)ASN AS50673 Serverius DatacenterManaged Edge Point router in Meppel/Dronten region - major handoff point for Netherlands↔UK private circuits. |  
-| 7–15 | * * * | Entire segment hidden / filtered  | private routing domain or MPLS secure tunnel. This is where the path likely traverses an unadvertised UK defence-grade backhaul. |  +| 7–15 | * * *, entire segment hidden / filtered  | private routing domain or MPLS secure tunnel - this is where the path likely traverses an unadvertised UK defence-grade backhaul. |  
-| 16 | 2.59.183.177 AS199058 (Serva One Ltd) | small ASN specialising in “infrastructure hosting” for secure communications & lawful intercept. Almost certainly the public shell for the final UK endpoint. | +| 16 | 2.59.183.177AS199058 (Serva One Ltd) | Small ASN specialising in “infrastructure hosting” for secure communications & lawful intercept. Almost certainly the public shell for the final UK endpoint. | 
  
 This trace starts inside ITL LLC’s AS21100 (Amsterdam presence), not Hurricane Electric’s AS6939 — so we’re already much closer to the final destination in network terms. This trace starts inside ITL LLC’s AS21100 (Amsterdam presence), not Hurricane Electric’s AS6939 — so we’re already much closer to the final destination in network terms.
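Review bot: the reworked table fixes the broken cell boundaries from the previous revision, but the Notes column for hops 7–15 and hop 16 states conclusions (an MPLS secure tunnel, an "unadvertised UK defence-grade backhaul", "the public shell for the final UK endpoint") that the row data itself does not show: the 7–15 row contains only "* * *", i.e. no reply from those hops, and hop 16 shows only an IP and an ASN. Add the evidence those readings rest on (per-hop RTTs, reverse DNS, the whois/BGP records consulted for AS199058, and the exact supertraceroute command and options so the trace can be re-run) or reword the notes as interpretation. Minor: the hop 6 cell runs hostname, "ASN AS50673", "Serverius Datacenter" and the description together without separators; the comma style used in the hop 16 cell ("2.59.183.177, AS199058 (Serva One Ltd)") would keep the column consistent.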
Line 179: Line 183:
  
 **AS199058 (Serva One Ltd):** **AS199058 (Serva One Ltd):**
-        +
   * Connects to the global internet via three transit upstreams, all under the Green Floid LLC umbrella: AS204957, AS21100, and AS50979 BGP Tools+10IPinfo+10IPinfo+10.   * Connects to the global internet via three transit upstreams, all under the Green Floid LLC umbrella: AS204957, AS21100, and AS50979 BGP Tools+10IPinfo+10IPinfo+10.
   * It has no downstream customers, indicating its role is purely as a consumer network (not a transit hub) ipregistry.co+1.   * It has no downstream customers, indicating its role is purely as a consumer network (not a transit hub) ipregistry.co+1.
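Review bot: the trailing strings "BGP Tools+10IPinfo+10IPinfo+10" and "ipregistry.co+1" on both bullets read as pasted citation-widget labels rather than references, and the only change in this hunk is whitespace, so they survive the revision unchanged. Replace them with the actual URLs (or wiki links) to the bgp.tools, ipinfo and ipregistry entries for AS199058 so the three-upstream and no-downstream claims can be checked against the source.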
/var/www/html/data/attic/cluster_17.1765815516.txt.gz · Last modified: by daniel