It is reported that the server is hosted by the company Online SAS, and that its two Tor relays can act as Tor entry guard nodes (that is, the first hop of the Tor circuit a user builds to connect to the anonymity network). In addition, the French radical activist Aeris, who operated the server, reported the police action to the Tor Project by email on May 15 and asked other Tor operators to revoke their trust in the two relays.
On May 12, traffic from a large French business facility was traced to the two Tor relays: the company's equipment, infected with a WannaCry sample, had routed its communication with the command and control server, hosted on the Tor network, through them. It is therefore highly likely that the server was used as the first hop of that Tor communication.
According to people familiar with the matter, Tor servers are generally configured, for privacy reasons, to log nothing or to log only minimal operational details (e.g. uptime and status indicators). Unless Aeris had changed the default configuration, the French police would most likely find nothing useful on the seized server. Aeris confirmed that dozens of other Tor nodes in France went offline immediately after the WannaCry attack. He has since provided the French media outlet Bleeping Computer with a list of 30 other servers that the police are investigating.