For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites.
"Since January 2020, a threat actor has been inserting thousands of malicious servers into the Tor network to identify traffic heading to cryptocurrency mixing websites and perform an SSL stripping attack, which is when traffic is downgraded from an encrypted HTTPS connection to plaintext HTTP.
The belief is that the attacker has been downgrading traffic to HTTP in order to replace cryptocurrency addresses with their own and hijack transactions for their own profit." - https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year/
“One of the more comprehensive fixes we’re exploring from the user side is to disable plain HTTP in Tor Browser.” - https://blog.torproject.org/bad-exit-relays-may-june-2020