…but that doesn’t help the victims.
John Leyden for The Register: Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery
So the victim pays the original scammer via the onion[.]top Tor proxy, but another scammer redirects the payment via a Man-in-the Middle attack to their own Bitcoin account, so even if the scammer was intending to give the victim the decryption key for their files, it’s unlikely that he/she/it will if the payment never reaches him/her/it because some other scumbag got to it first. Charming.
Based on a blog post from Proofpoint: Double dipping: Diverting ransomware Bitcoin payments via .onion domains