2

Recently, in the leaked 0-day exploit for Tor Browser, the whole shellcode's purpose was getting the user's MAC address and sending it to the servers, which has people suspecting that the exploit was developed by law enforcement to unmask some Tor users' real identities.

My question is: these days everyone is behind some kind of ADSL/VDSL/Fios router, so 99.9% of internet users are behind NAT. If I'm behind my router, my MAC address AFAIK would never leave my network. Considering that, what's the benefit of sending the MAC address of my PC inside my network to the outside? Who can track that MAC address to me, and how?

Maybe my main question is: why and how is my NATted device's MAC address transferred to, let's say, the ISP or the internet? Please explain what I am missing. I know ARP packets carry these messages, but I assume a NATted device's ARP packets won't reach the ISP.

John McKean

1 Answer

4

You're mixing stuff up. The Tor browser runs locally, on your machine, the machine with the network card that has the MAC address. So, that MAC address never by itself leaves the local network. The internet doesn't care you're using Ethernet locally.

As you said, this might have been done to strip people of anonymity. It doesn't matter that you can't be recognized on the internet by your internal network hardware address if all that's necessary is proof that you've been the one doing something via Tor.

Since you brought up the law enforcement aspect: Your MAC address might not be worth anything on the internet, but when it's used to prove that it was in fact you, and not your flatmate on the same LAN, who did something, it might make the difference between being sentenced and being let go due to lack of undeniable proof.

Consider the fact that one of the motivations to use Tor is to evade state surveillance. If you had to scare away people from doing so, how else than via a deliberate leaking of identification-providing info would you do that?

Marcus Müller
  • Thank you for the clarification. That's exactly what I thought. So it will prove that it was my MAC and my device, but just having my MAC address sent to the LE's servers, they can't just come and knock on my door, as my MAC address never left my NAT. It takes other efforts to locate the MAC address in the real world. Correct? – John McKean Dec 07 '16 at 15:44
  • They will collect MAC **and** Internet IP address (not LAN IP address): the IP address on your ISP. – curiousguy Jul 06 '18 at 10:09