Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue


Posted on June 24, 2025 By CWS

Jun 24, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency
Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets.
The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today.
“We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet’s effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign,” security researcher Maor Dahan said.

The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker’s mining proxy or wallet to be banned, effectively disrupting the operation.
The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdown of the entire operation and causes the victim’s CPU usage to plummet from 100% to 0%.
While a mining proxy acts as an intermediary and shields an attacker’s mining pool and, by extension, their wallet addresses, it also becomes a single point of failure: interfering with its regular function disrupts every miner behind it.
“The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool,” Dahan explained. “Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.”

This, in turn, involves using an in-house developed tool called XMRogue to impersonate a miner, connect to a mining proxy, submit consecutive bad shares, and ultimately get the mining proxy banned from the pool.
The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool sans a proxy, leveraging the fact that the pool can ban a wallet’s address for one hour if it has more than 1,000 workers.
In other words, initiating more than 1,000 login requests using the attacker’s wallet concurrently will force the pool to ban the attacker’s wallet. However, it’s worth noting this isn’t a permanent solution, as the account can stage a recovery as soon as the multiple login connections are stopped.
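For defenders triaging infected hosts, the following added example (not from Akamai's report and not part of XMRogue) flags Stratum miner traffic in captured payloads and groups it by destination, which surfaces the proxy or pool endpoint that many victims share. The JSON-RPC field names follow the XMRig-style Stratum dialect and, like the sample flows, are assumptions that the article does not give.

```python
import json
from collections import defaultdict

# Constructed sample: (internal host, destination endpoint, captured payload line).
# Addresses, ports and the wallet string are placeholders made up for illustration.
SAMPLE_FLOWS = [
    ("10.0.1.15", "203.0.113.7:3333", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.21.0"}}'),
    ("10.0.1.15", "203.0.113.7:3333", '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"w1","job_id":"j9","nonce":"0a1b2c3d","result":"00ff"}}'),
    ("10.0.2.40", "203.0.113.7:3333", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}'),
    ("10.0.3.8", "198.51.100.20:443", "GET / HTTP/1.1"),
    ("10.0.3.9", "198.51.100.21:8080", '{"jsonrpc":"2.0","method":"getblockcount","id":1}'),
    ("10.0.4.2", "203.0.113.7:3333", '{"id":1,"method":"login","params":{"login":'),  # truncated capture
]

# Assumed miner-to-pool methods and the params keys each must carry.
REQUIRED = {"login": {"login"}, "submit": {"job_id", "nonce", "result"}, "keepalived": set()}

def parse_stratum(payload):
    """Return (method, params) for a miner-to-pool Stratum request, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:          # not JSON, or a truncated message
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str) or method not in REQUIRED:
        return None             # other JSON-RPC traffic is not flagged
    params = msg.get("params")
    if not isinstance(params, dict) or not REQUIRED[method].issubset(params):
        return None
    return method, params

def summarize(flows):
    """Group Stratum activity by destination endpoint."""
    report = defaultdict(lambda: {"hosts": set(), "logins": set(), "submits": 0})
    for src, dst, payload in flows:
        parsed = parse_stratum(payload)
        if parsed is None:
            continue
        method, params = parsed
        report[dst]["hosts"].add(src)
        if method == "login":
            report[dst]["logins"].add(params["login"])
        elif method == "submit":
            report[dst]["submits"] += 1
    return dict(report)

def shared_endpoints(report, min_hosts=2):
    """Endpoints contacted by several internal hosts: likely a shared proxy or pool."""
    return sorted(dst for dst, e in report.items() if len(e["hosts"]) >= min_hosts)
```

An endpoint returned by `shared_endpoints` is a candidate for egress blocking and for scoping which hosts need cleanup.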

Akamai noted that while the aforementioned methods have been used to target Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well.
“The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies,” Dahan said.
“A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally. This task would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet.”
