50 Tor Exit Relays. One Operator. Same ASN as Interlock Ransomware C2. We Found It on Day One.

  • Writer: Patrick Duggan
  • 12 hours ago
  • 3 min read

We built a Tor Infrastructure Attribution Framework this morning. Indexed 10,269 relays from the live consensus. Cross-referenced every relay IP against our 1,086,742 IOCs. Then we found Quetzalcoatl.


50 Tor exit relays. All of them exit nodes. Seven countries. Seven ASNs. One nickname. 782,000 units of consensus bandwidth. The second-largest relay operator we indexed by node count, and every single relay is purpose-built for exit traffic.


The primary hosting provider is 1337 Services GmbH, a German company with 36 of the 50 relays. The rest are spread across FranTech Solutions, Contabo, netcup, Decix Frankfurt, and BuyVM. This is diversified infrastructure — not someone running a relay from their apartment.


Then we cross-referenced against our IOC database.


Eight of ten known C2-linked IPs in our index are active Tor relays. Three of those eight are Quetzalcoatl relays. The cluster carries traffic that we've already flagged as threat-associated.


Then we looked at Interlock.


Interlock ransomware exploited CVE-2026-20131, a Cisco FMC zero-day, for root access. We wrote about that Cisco POC in March when we found it on GitHub. CISA issued a joint advisory. The DaVita breach — 200,000 patients, 1.5 terabytes — was Interlock.


We have Interlock's full C2 infrastructure indexed from AWS MadPot: five C2 IPs, a Tor hidden service, exploit domains, staging infrastructure, and file hashes. When we checked which ASNs host those C2 IPs, every single one shares an ASN with active Tor relays.


FranTech Solutions hosts 21 Quetzalcoatl exit relays and two Interlock C2 servers. Same autonomous system. Same hosting infrastructure. Different purposes, same provider, same operational neighborhood.


Hetzner hosts 5 relays and 2 Interlock C2 IPs. BL Networks hosts 5 relays and an Interlock C2 IP. The pattern repeats.


This doesn't prove the Quetzalcoatl operator runs Interlock. It proves that Interlock's C2 infrastructure is co-located with industrial-scale Tor exit capacity. If you're running a ransomware operation that uses Tor for victim communication and data exfiltration, you want high-bandwidth exit relays in the same hosting environment as your C2 servers. Quetzalcoatl provides exactly that.


The Quetzalcoatl operator made one OPSEC mistake that made this analysis trivial: they named all 50 relays "Quetzalcoatl." A sophisticated operator would use random names across different accounts. Instead, they branded their entire fleet. One search, one cluster.


We'll be running the consensus collector daily. Tomorrow we'll have two snapshots. The delta — new relays, disappeared relays, bandwidth changes, ASN migrations — is where the predictive intelligence lives. When Quetzalcoatl deploys five more relays in 48 hours, our precursor signal fires. When they go dark, we know someone is either rotating infrastructure or got a visit from law enforcement.
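The three mechanical steps behind this post (parse the consensus, cluster relays by nickname, intersect relay ASNs with C2 ASNs, then diff two snapshots) as an added Python sketch; this is not the framework's own code. The consensus lines use the real `r`/`s`/`w` layout, but every nickname, fingerprint, IP, ASN and IOC below is a constructed placeholder, and the IP-to-ASN dictionary stands in for a BGP or whois lookup.

```python
from collections import defaultdict
# Constructed mini-consensus using the real r/s/w line layout; nicknames,
# fingerprints (AAAA...) and IPs are placeholders, not real relays.
CONSENSUS = """\
r Quetzalcoatl AAAA BBBB 2026-01-01 00:00:00 203.0.113.10 9001 0
s Exit Fast Running Valid
w Bandwidth=20000
r Quetzalcoatl CCCC DDDD 2026-01-01 00:00:00 203.0.113.11 9001 0
s Exit Fast Running Valid
w Bandwidth=15000
r homerelay EEEE FFFF 2026-01-01 00:00:00 198.51.100.5 9001 0
s Fast Guard Running Valid
w Bandwidth=500
"""
# Constructed IP -> ASN map standing in for a BGP/whois lookup.
IP_TO_ASN = {"203.0.113.10": 64500, "203.0.113.11": 64500, "198.51.100.5": 64501}
# Constructed C2 IOCs (IP -> ASN) as an IOC feed would supply them.
C2_IOCS = {"192.0.2.7": 64500}

def parse_consensus(text):
    """Turn r/s/w lines into relay dicts: nick, ip, flags, consensus bandwidth."""
    relays, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "r":
            cur = {"nick": parts[1], "ip": parts[6], "flags": set(), "bw": 0}
            relays.append(cur)
        elif parts and parts[0] == "s" and cur:
            cur["flags"] = set(parts[1:])
        elif parts and parts[0] == "w" and cur:
            cur["bw"] = int(parts[1].split("=")[1])
    return relays

def nickname_clusters(relays):
    """Group relays by nickname; one name across many IPs is the OPSEC tell."""
    clusters = defaultdict(list)
    for r in relays:
        clusters[r["nick"]].append(r)
    return {n: {"count": len(rs), "exits": sum("Exit" in r["flags"] for r in rs),
                "bw": sum(r["bw"] for r in rs)} for n, rs in clusters.items()}

def asn_overlap(relays, ip_to_asn, c2_iocs):
    """Per C2 ASN, the relay IPs in that ASN (co-location, not attribution)."""
    return {asn: sorted(r["ip"] for r in relays if ip_to_asn.get(r["ip"]) == asn)
            for asn in set(c2_iocs.values())}

def snapshot_delta(old, new):
    """Relay IPs that appeared or disappeared between two consensus snapshots."""
    old_ips, new_ips = {r["ip"] for r in old}, {r["ip"] for r in new}
    return sorted(new_ips - old_ips), sorted(old_ips - new_ips)
```

Feed `parse_consensus` yesterday's and today's saved consensus documents and `snapshot_delta` gives the new/disappeared relay lists the daily collector is meant to alert on.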


The Tor network is critical infrastructure for human rights. Journalists, dissidents, and abuse survivors depend on it. This investigation targets the operational security failures of threat actors who abuse it — not the protocol, not the network, and not its legitimate users.


We didn't break any encryption. We read a public directory that nine authorities sign every hour, cross-referenced it against our existing threat intelligence, and followed the graph.


The framework runs on our existing $75/month Azure infrastructure. Zero incremental cost. The Tor consensus is public data. The attribution is math.


All 10,269 relay records and the Interlock correlation data are in our STIX feed. The Quetzalcoatl cluster IPs, the ASN overlap, and the .onion C2 addresses are indexed and queryable.


analytics.dugganusa.com/api/v1/tor/stats


analytics.dugganusa.com/stix/pricing

