Researchers from Karlstad University in Sweden published a paper examining the behavior of some Tor exit relays. They found 25 relays were either malicious or misconfigured and could be snooping on traffic leaving the privacy network. Most of the attacks were man-in-the-middle attacks where someone tried to inject code into an encrypted traffic stream as it left Tor. The attacks, the paper said, may date back to February 2013. The researchers wrote that targeting individuals using Tor is difficult, but less so is the targeting of classes of users based on their destination.
Source: https://threatpost.com/small-number-of-malicious-tor-exit-relays-snooping-on-traffic/103771/