

Ethical Hacking News

Disrupting Cryptocurrency Mining Botnets: A Breakthrough in Disabling Malicious Operations


Recently discovered techniques by Akamai researchers allow defenders to disrupt cryptocurrency mining botnets, providing a significant breakthrough in cybersecurity.

  • Researchers at Akamai developed two novel techniques to disrupt cryptocurrency mining botnets.
  • The first technique targets proxies used by miners, flooding the proxy with login attempts to temporarily ban the wallet for an hour.
  • The second method targets miners connected directly to public pools without proxies, also using a similar flooding technique to ban the wallet.
  • The techniques exploit vulnerabilities in common mining topologies and pool policies, making it difficult for attackers to continue their operations.
  • XMRogue is a tool that implements the second attack technique, allowing researchers to impersonate miners and submit invalid shares to bypass proxy validations.
  • The disruption is asymmetric: a legitimate miner hit by such a ban can recover quickly by changing wallet or IP, while an attacker would have to reconfigure the entire botnet to keep the campaign running.



Cryptocurrency mining botnets have been a growing concern for security researchers in recent years. These operations use large numbers of compromised computers to mine cryptocurrency, usually without the consent or knowledge of the people who own them. The financial gains can be substantial, but so is the impact on the affected devices and on the wider internet.

Recently, a team of researchers at Akamai discovered two novel techniques to disrupt the operations of cryptocurrency mining botnets. The methods exploit weaknesses in common mining topologies and pool policies, allowing defenders to reduce the effectiveness of these operations to the point of shutting them down completely.

The first technique targets the proxies that miners in a botnet connect through. By flooding the proxy with over 1,000 login attempts using the attacker's wallet, the wallet is temporarily banned for an hour. This can significantly hinder the campaign and potentially force the attacker to abandon it. The researchers demonstrated the technique against Monero miners but noted that it is adaptable to other cryptocurrencies.

The second method targets miners connected directly to public pools without a proxy. Here the pool itself is flooded with over 1,000 login attempts using the attacker's wallet, which again gets the wallet banned for an hour. The researchers also found a related policy enforced at the wallet level: the pool bans a wallet address for one hour if it has more than 1,000 workers.

The researchers identified this policy by inspecting the mining pool's source code and realized it was a previously unknown vulnerability in the Stratum protocol. By sending crafted invalid shares (bad hashes) through Stratum to malicious proxies, they trigger pool-level bans that halt the attacker's operation. XMRogue is the tool that implements this second attack technique.

XMRogue bypasses proxy validation by correctly formatting the share fields. It lets researchers impersonate a miner, connect to a mining proxy, submit consecutive bad shares (invalid mining job results), and potentially get the proxy banned from the pool. The idea is simple: by connecting to a malicious proxy as a miner, one can submit invalid job results that pass the proxy's validation and are forwarded to the pool. Consecutive bad shares eventually get the proxy banned, effectively halting mining for the entire botnet.
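The two pool policies the article relies on (a wallet with more than 1,000 workers is banned for an hour; a connection that keeps submitting bad shares is banned) are easy to reason about once written down as bookkeeping. The Python below is an added illustration from a pool operator's point of view; it is not Akamai's code and not XMRogue. The 1,000-worker threshold and the one-hour ban are the article's figures; the consecutive-bad-share limit, the Monero-style Stratum message layout, the wallet strings and the stand-in share validator are assumptions or constructed sample data.

```python
import json
import time
from collections import defaultdict

# Figures quoted in the article.
WALLET_WORKER_LIMIT = 1000   # more than this many workers on one wallet -> ban
WALLET_BAN_SECONDS = 3600    # one hour
# ASSUMPTION: the article only says consecutive bad shares "eventually" ban a proxy.
BAD_SHARE_LIMIT = 5


class PoolPolicy:
    """Per-wallet and per-connection ban bookkeeping for a Stratum pool.

    `verify_share` is injected: a real pool would hash the job with the submitted
    nonce (RandomX for Monero) and compare against the target. A stand-in is
    passed in here so the policy logic can be exercised offline.
    """

    def __init__(self, verify_share, clock=time.time):
        self.verify_share = verify_share
        self.clock = clock
        self.workers = defaultdict(set)     # wallet -> worker ids logged in
        self.bad_streak = defaultdict(int)  # connection -> consecutive bad shares
        self.bans = {}                      # wallet or connection -> unban time
        self.sessions = {}                  # connection -> wallet

    def is_banned(self, key):
        until = self.bans.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # ban has lapsed
            del self.bans[key]
            return False
        return True

    def handle(self, conn, raw):
        """Apply policy to one Stratum JSON-RPC line received on `conn`."""
        msg = json.loads(raw)
        params = msg.get("params", {})
        if msg.get("method") == "login":
            return self._login(conn, params)
        if msg.get("method") == "submit":
            return self._submit(conn, params)
        return "ignored"

    def _login(self, conn, params):
        # Monero-style Stratum: params.login carries the wallet address,
        # optionally followed by ".<worker name>" (assumed layout).
        wallet, _, worker = params.get("login", "").partition(".")
        if self.is_banned(wallet) or self.is_banned(conn):
            return "rejected: banned"
        self.workers[wallet].add(worker or conn)
        if len(self.workers[wallet]) > WALLET_WORKER_LIMIT:
            self.bans[wallet] = self.clock() + WALLET_BAN_SECONDS
            self.workers[wallet].clear()
            return "rejected: wallet banned"
        self.sessions[conn] = wallet
        return "ok"

    def _submit(self, conn, params):
        wallet = self.sessions.get(conn)
        if wallet is None:
            return "rejected: not logged in"
        if self.is_banned(conn) or self.is_banned(wallet):
            return "rejected: banned"
        if self.verify_share(params):
            self.bad_streak[conn] = 0
            return "accepted"
        self.bad_streak[conn] += 1
        if self.bad_streak[conn] >= BAD_SHARE_LIMIT:
            self.bans[conn] = self.clock() + WALLET_BAN_SECONDS
            self.bad_streak[conn] = 0
            return "rejected: connection banned"
        return "rejected: bad share"


def demo():
    """Constructed scenario replaying both ban paths against a fake clock."""
    now = [1_750_000_000.0]

    def clock():
        return now[0]

    def verify(params):            # stand-in: an all-zero result is a bad share
        return params.get("result") != "00" * 32

    pool = PoolPolicy(verify, clock)
    wallet = "4WALLET_PLACEHOLDER"  # constructed, not a real address

    def login(conn, login_str):
        return pool.handle(conn, json.dumps(
            {"id": 1, "method": "login", "params": {"login": login_str, "pass": "x"}}))

    # Path 1: 1,001 distinct worker logins on one wallet; the 1,001st trips the ban.
    outcomes = [login(f"c{i}", f"{wallet}.w{i}") for i in range(WALLET_WORKER_LIMIT + 1)]
    # Path 2: one proxy connection submitting consecutive bad shares.
    login("proxy", "4OTHER_WALLET_PLACEHOLDER")
    bad = json.dumps({"id": 2, "method": "submit", "params": {
        "id": "s1", "job_id": "j1", "nonce": "deadbeef", "result": "00" * 32}})
    share_outcomes = [pool.handle("proxy", bad) for _ in range(BAD_SHARE_LIMIT)]
    # After one hour the wallet ban lapses and a worker can log in again.
    now[0] += WALLET_BAN_SECONDS
    return {
        "wallet_banned_at_login": outcomes.index("rejected: wallet banned"),
        "last_share_outcome": share_outcomes[-1],
        "relogin_after_hour": login("c0", f"{wallet}.w0"),
    }
```

The model makes the article's point visible: whoever can present a wallet address in a login, or relay shares through a proxy, can drive that wallet or connection into the ban state, and the ban lifts on its own after the hour. A pool or proxy operator can use the same structure to check what their own thresholds allow before the policy is exercised against them.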

Disrupting a mining botnet this way is particularly effective because of an asymmetry: a legitimate miner can recover from such a ban quickly by changing IP address or wallet, whereas the attacker faces a much bigger challenge. Reacting to the disruption requires changes across the entire botnet, which makes this defense especially effective against less sophisticated operations.

According to the researchers, "We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign." The report published by Akamai highlights the potential for this defensive technique to be used against malicious mining operations in the future.

In conclusion, this breakthrough in disabling cryptocurrency mining botnets is a significant development in cybersecurity. By exploiting weaknesses in common mining topologies and pool policies, defenders can disrupt these malicious operations and potentially force attackers to abandon their campaigns. XMRogue, as the tool implementing the second technique, offers a promising way to counter these threats.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Disrupting-Cryptocurrency-Mining-Botnets-A-Breakthrough-in-Disabling-Malicious-Operations-ehn.shtml

  • https://securityaffairs.com/179310/malware/disrupting-operations-of-cryptocurrency-mining-botnets.html


  • Published: Wed Jun 25 09:29:24 2025 by llama3.2 3B Q4_K_M


© Ethical Hacking News. All rights reserved.