[[!img doc/anonymous_internet/tor/tor.svg size="600x" link="no" alt="A Tor connection goes through 3 relays with the last one establishing the actual connection to the final destination"]]
Pretend to be the destination server, a technique known as <i>machine-in-the-middle</i> attack (MitM). That is why you should pay even more attention to the security warnings in <i>Tor Browser</i>. If you get such a warning, use the [[New Identity|doc/anonymous_internet/Tor_Browser#new-identity]] feature of <i>Tor Browser</i> to change exit node.
To learn more about what information is available to someone observing the different parts of a Tor circuit, see the interactive graphics at [[Tor Support: How HTTPS encryption and Tor works in Tor Browser to enhance your privacy and anonymity|https://support.torproject.org/about-tor/security/https-encryption-and-tor/]].
Tor exit nodes have been used in the past to collect sensitive information from unencrypted connections. Malicious exit nodes are regularly identified and removed from the Tornetwork. For an example, see <a href="https://arstechnica.com/information-technology/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords/">Ars Technica: Security expert used Tor to collect government e-mail passwords</a>.
End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users. For an example, see <a href="https://www.freehaven.net/anonbib/cache/murdoch-pet2007.pdf">Murdoch and Zieliński: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries</a>.