
They MITM connections that aren't encrypted and prevent them from becoming so.

Many bitcoin mixers are not HSTS preloaded. And to avoid creating a trail, Tor Browser doesn't save frequently visited sites, history for autocomplete, cached redirects, or cached HSTS headers between sessions.

And as Tor users prize secrecy, many don't bookmark their bitcoin mixer. Instead they key in the address manually - and sometimes they're used to doing without the https://www. prefix. And by convention, browsers use http when you do that.

The exit node then removes the http-to-https redirect, and presents the bitcoin mixer over http, with the bitcoin addresses replaced.

The result looks like this: https://imgur.com/otaBerJ

No MITM of encrypted connections needed.

It's almost impossible for the Tor project to detect this, as the attackers only target a small whitelist of sites - so the Tor project can only detect attackers by guessing the sites on the attack whitelist.
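To make the point above concrete, an added example (not part of the comment or of any Tor Project tooling): a Python check a site operator could run over captured response headers to see whether a client with no cached HSTS state, as the comment describes for Tor Browser, is left open to redirect stripping. The function names, verdict labels and sample headers are constructed for illustration; the one-year `max-age`, `includeSubDomains` and `preload` requirements are those of the HSTS preload list.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age the preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if it has no valid max-age."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None  # malformed max-age: the header is ignored
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def preload_eligible(policy):
    """True if the header meets the preload list's submission requirements."""
    return bool(policy and policy["max_age"] >= PRELOAD_MIN_AGE
                and policy["include_subdomains"] and policy["preload"])

def assess(scheme, headers, on_preload_list=False, cached_hsts=False):
    """Classify exposure to http-to-https redirect stripping for one client."""
    if on_preload_list:
        return "protected"  # browser never sends the plain-http request
    raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    # HSTS headers received over plain http are ignored by browsers (RFC 6797).
    policy = parse_hsts(raw) if raw and scheme == "https" else None
    if policy is None or policy["max_age"] == 0:
        return "exposed"  # no usable policy on any visit
    # A valid header only helps clients that already cached it; a browser that
    # discards HSTS state between sessions starts every session unprotected.
    return "protected" if cached_hsts else "first-visit-exposed"

if __name__ == "__main__":
    full = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    # Constructed sample responses: (label, scheme, headers, on_preload_list)
    for label, scheme, hdrs, listed in [
        ("preloaded site", "https", full, True),
        ("header only, fresh session", "https", full, False),
        ("short max-age", "https", {"strict-transport-security": "max-age=300"}, False),
        ("header seen over http", "http", full, False),
        ("no header", "https", {"Location": "https://mixer.example/"}, False),
    ]:
        print(f"{label}: {assess(scheme, hdrs, listed)}")
```

A site that returns a preload-eligible header but is not yet on the list still reports `first-visit-exposed`, which is the gap the comment describes.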




I'd say the first step could be switching http-https around. Attempt to connect to https and fall back to http if the user agrees to being less secure.


HSTS is this, but without the fallback.



