Several hundred Tor exit relays together push more than
1 GiB/s of network traffic. However, it is easy for exit
relays to snoop and tamper with anonymised network
traffic and as all relays are run by independent volun-
teers, not all of them are innocuous. In this paper, we
seek to expose malicious exit relays and document their
actions. First, we monitored the Tor network after devel-
oping a fast and modular exit relay scanner. We imple-
mented several scanning modules for detecting common
attacks and used them to probe all exit relays over a pe-
riod of four months. We discovered numerous malicious
exit relays engaging in different attacks. To reduce the
attack surface users are exposed to, we further discuss
the design and implementation of a browser extension
patch which fetches and compares suspicious X.509 cer-
tificates over independent Tor circuits. Our work makes
it possible to continuously monitor Tor exit relays. We
are able to detect and thwart many man-in-the-middle at-
tacks which makes the network safer for its users. All
our code is available under a free license.