How Tor Exit Node Monitoring Became an Intelligence Tool
The Tor network was designed to provide online anonymity, but its architecture contains a fundamental vulnerability at its exit points. When encrypted traffic leaves the Tor network through an exit node to reach its final destination, it can be monitored by whoever operates that node. This weakness became the basis for one of the more controversial aspects of WikiLeaks’ early document acquisition methods.
In 2007, Swedish security researcher Dan Egerstad demonstrated the scope of this vulnerability. By operating five Tor exit nodes, he was able to capture login credentials — including server addresses, email accounts, and passwords — for approximately 100 accounts belonging to embassies and government ministries worldwide.
The significance of Egerstad’s findings went beyond the vulnerability itself. The compromised accounts were not being accessed by embassy staff through Tor. Instead, the traffic indicated that hackers — potentially intelligence operatives — were using Tor’s anonymity to access accounts they had already compromised through other means. Iran’s government reportedly contacted Egerstad to thank him for uncovering intrusions they had not previously detected.
The GhostNet Discovery
That same year, Canadian security researchers at the University of Toronto uncovered GhostNet, a massive electronic espionage operation that had infiltrated computers and stolen documents from hundreds of government and private offices worldwide. The targets included the Dalai Lama, Taiwanese and Vietnamese political figures, and American officials.
China was widely suspected of being behind GhostNet. The researchers discovered the operation by monitoring networks where stolen data was being transmitted out — a technique that both Egerstad and journalist Kim Zetter concluded likely involved monitoring Tor exit nodes.
These cases established a pattern: security researchers could spy on spies by monitoring the same anonymity infrastructure that intelligence operatives relied upon to cover their tracks.
Tor’s Intelligence Origins
The Tor network itself was originally developed by the Information Technology Division of the Naval Research Laboratory for the United States Navy. Its stated purpose included open source intelligence gathering and protecting the communications of deployed assets. The tool that was built for intelligence work had become a double-edged sword — useful for both conducting and detecting espionage.
WikiLeaks and the Tor Network
In January 2007, a leaked message from WikiLeaks’ then-secret internal mailing list revealed a statement attributed to Julian Assange describing how the organization obtained documents. The message indicated that hackers monitoring Chinese and other intelligence operations would collect data as those operations extracted it from compromised networks. WikiLeaks, according to the message, would collect the same material simultaneously.
The message suggested that WikiLeaks had accumulated enormous volumes of documents through this method — material from Afghanistan, Indian federal systems, and multiple foreign ministries — claiming the organization had stopped archiving after reaching one terabyte.
A June 2010 profile in The New Yorker provided further detail. According to the article, a WikiLeaks activist who operated a Tor node noticed Chinese hackers using the network to gather foreign government information. The activist began recording this traffic. While only a small fraction was ever published on WikiLeaks, the initial collection became the site’s foundation, enabling Assange to claim the organization had received over one million documents from thirteen countries.
Assange’s Response to the Allegations
When pressed about these claims by The Register in 2010, Assange did not deny the core facts. He called The New Yorker account “misleading” but acknowledged it concerned “a 2006 investigation into Chinese espionage one of our contacts were involved in.” He stated that “somewhere between none and a handful” of documents obtained through Tor monitoring were published on WikiLeaks.
This response effectively confirmed that material captured through Tor exit node surveillance had been published by the organization. Assange’s objection was narrower than it appeared — he disputed that WikiLeaks itself conducted the espionage, not that the organization published material obtained through such methods.
When asked for further clarification by other journalists, Assange reportedly declined to engage with the question.
The Ethical Questions
The distinction between receiving documents from whistleblowers and publishing material intercepted through network surveillance carries significant ethical weight. Traditional whistleblowing involves a source making a conscious decision to disclose information they believe the public should see. Tor exit node monitoring, by contrast, involves passively intercepting data in transit — a form of signals intelligence.
In January 2011, American private security firm Tiversa stated it had evidence that WikiLeaks had published sensitive documents obtained through surveillance of peer-to-peer networks, suggesting that Tor was not the only network where such collection occurred.
These revelations complicated the public narrative around WikiLeaks, which had positioned itself primarily as a platform for whistleblowers seeking to expose wrongdoing. The evidence suggested that at least during its early period, the organization’s document collection methods were closer to intelligence gathering than to traditional journalism or whistleblower facilitation.
