TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network

📅 2025-01-28
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study presents the first empirical evidence that the Tor network is actively exploited to launch large-scale, real-world attacks against “cloudless” IoT devices—exposing a critical security gap stemming from their direct Internet exposure and absence of cloud-based protective layers. To address this threat, we propose TORCHLIGHT: a novel collaborative detection framework integrating IP-pattern filtering, distributed VPS-based honeypot sensing, and LLM-powered chain-of-thought reasoning. Over a 12-month analysis of 26 TB of Tor traffic, TORCHLIGHT identified 45 vulnerabilities—including 29 zero-days and 25 CVE-assigned flaws—affecting 12.71 million devices globally, with an estimated remediation value of $312,000. The work sparked widespread academic and industry attention, ranking among Hacker News’ Top 25 (190K+ views), and establishes a new paradigm for proactive IoT threat hunting targeting Tor-based covert communication channels.

📝 Abstract
The rapidly expanding Internet of Things (IoT) landscape is shifting toward cloudless architectures, removing reliance on centralized cloud services but exposing devices directly to the internet and increasing their vulnerability to cyberattacks. Our research revealed an unexpected pattern of substantial Tor network traffic targeting cloudless IoT devices, suggesting that attackers are using Tor to anonymously exploit undisclosed vulnerabilities (possibly obtained from underground markets). To delve deeper into this phenomenon, we developed TORCHLIGHT, a tool designed to detect both known and unknown threats targeting cloudless IoT devices by analyzing Tor traffic. TORCHLIGHT filters traffic via specific IP patterns, strategically deploys virtual private server (VPS) nodes for cost-effective detection, and uses a chain-of-thought (CoT) process with large language models (LLMs) for accurate threat identification. Our results are significant: for the first time, we have demonstrated that attackers are indeed using Tor to conceal their identities while targeting cloudless IoT devices. Over a period of 12 months, TORCHLIGHT analyzed 26 TB of traffic, revealing 45 vulnerabilities, including 29 zero-day exploits with 25 CVE-IDs assigned (5 CRITICAL, 3 HIGH, 16 MEDIUM, and 1 LOW) and an estimated value of approximately $312,000. These vulnerabilities affect around 12.71 million devices across 148 countries, exposing them to severe risks such as information disclosure, authentication bypass, and arbitrary command execution. The findings have attracted significant attention, sparking widespread discussion in cybersecurity circles, reaching the top 25 on Hacker News, and generating over 190,000 views.
Problem

Research questions and friction points this paper is trying to address.

IoT Security
Tor Network
Vulnerability Exploitation
Innovation

Methods, ideas, or system contributions that make the work stand out.

TORCHLIGHT
IoT security
Tor network analysis
Authors

Yumingzhi Pan, Southeast University
Zhen Ling, Professor, Southeast University (Network, IoT)
Yue Zhang, Drexel University
Hongze Wang, Southeast University
Guangchi Liu, Southeast University
Junzhou Luo, Southeast University
Xinwen Fu, University of Massachusetts Lowell (Computer security and privacy)