Who’s watching the anonymous? A whole lot of people it turns out.

The developers of Tor, the powerful anonymity tool with millions of users around the world, recently found a group of nodes in their network that “we assume were trying to deanonymize users,” project leader Roger Dingledine wrote in a security advisory notice.

Plenty of people want to break Tor—governments, hackers, spy agencies—but the newest suspects are none of the above. Instead, Dingledine points to academia.

Earlier this month, a lecture promising to break Tor on a $3,000 budget was announced and then canceled without much explanation. The presenters, from Carnegie Mellon University, have reportedly been mostly silent when Tor’s developers asked them for details. Dingledine suspects that the lecturers are “likely” behind this attack.

Dingledine suspects that the spying relays attempted to control and look in on a person’s entry and exit into the Tor network, giving them the ability to see a person’s IP address and destination. You can find a more technical explanation here.

Dingledine called the attack “actually pretty neat from a research perspective.”

Tor developers, who found the the spying group of relays on July 4, say the relays target users who operate or access Tor hidden services, the anonymous websites that exist entirely within the Tor network. The most famous example is probably Silk Road but others include SecureDrop, a tool designed to allow anonymous communications between journalists and sources.

“The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4,” Dingledine wrote. “While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.”

No one yet knows what this means for Tor users but the attackers may have been able to find out the location of hidden services, a crucial step in deanonymizing Tor’s users. Worse yet, Tor’s developers say that this attack may have inadvertently helped other attackers reveal Tor users.

Photo by langalex/Flickr (CC BY-SA 2.0)