New Tactic Cripples Cryptocurrency Mining Campaign, Cutting Off Criminal Profits
A novel approach, deployable from a simple laptop, has successfully shut down a malicious cryptocurrency mining campaign that had been active for over six years, according to cybersecurity experts.
Developed by Akamai, the method involves sending “bad shares” (incorrect mining calculations) to completely disable the cybercriminals’ systems, drastically reducing their revenue generation within seconds. This resulted in an estimated loss of $26,000 per year for the criminals.
The technique, detailed in the “Anatomy of Cryptominers” series, operates independently of third-party actions. Researchers, using a device infected with the Oracle Loader malicious miner, exploited the automated protections inherent in the mining infrastructure. These protections, designed to prevent overload or unavailability, were triggered to automatically and rapidly ban the wallets where the cybercriminals received their profits, as well as the proxies they used to conceal their origins.
Technique Eliminates Transaction Volume
Revenue generation in these systems relies on validating shares, which are calculations sent by devices and authenticated on pools (servers connected to cryptocurrencies).
Validating shares is demanding work for a pool, and it is made harder by “bad shares,” invalid results that can also occur during legitimate mining; pools therefore respond to a run of bad shares with temporary suspensions as a protective measure.
Akamai’s technique generated a flood of invalid shares, activating those server defenses. In the case of Oracle Loader, the impact was immediate, with the campaign’s output plummeting from 3.3 million hashes per second to zero.
“Typically, we rely on pool administrators and external services to ban cybercriminals’ accounts. These are complex and time-consuming tasks, as they depend on third-party action,” explains Maor Dahan, a senior researcher at Akamai and one of the method’s developers. “This tactic offers a better option, compromising the effectiveness of these botnets to the point of shutting them down completely.”
Tool Enables Infiltration of Malicious Mining Networks
The development of this method also led to the creation of a tool called XMRogue, specifically designed to combat XMRig, a prevalent malicious mining malware. XMRogue allows researchers to impersonate victims, gaining access to proxies used by cybercriminals to send “bad shares.”
From there, the large volumes of invalid shares that the proxy forwards to the mining pools trigger the pools’ automated protections, which identify the source and shut the malicious operation down.
The tool developed by Akamai can also bypass XMRig’s own checks, which discard invalid or under-difficulty hashes before submission so that the mining potential of infected devices is not wasted.
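The pool-side mechanism described above (share validation, then an automatic ban of both the wallet and the proxy once too many bad shares arrive), as an added, constructed model; this is not Akamai’s code or XMRogue. SHA-256 stands in for Monero’s RandomX, the ban threshold is invented, and the wallet and proxy identifiers are placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed pool-side model, not Akamai's code or XMRogue. Assumed: SHA-256 stands in for
# Monero's RandomX, the ban threshold is invented, wallet/proxy identifiers are placeholders.
BAN_THRESHOLD = 5                    # invalid shares tolerated per wallet or proxy (assumed)
DIFFICULTY_TARGET = 2**256 // 1000   # share accepted if its hash value is below this (~1 nonce in 1000)

def share_is_valid(job_seed: bytes, nonce: int) -> bool:
    """Simplified share check: hash(job || nonce) must fall under the difficulty target."""
    digest = hashlib.sha256(job_seed + nonce.to_bytes(4, "little")).digest()
    return int.from_bytes(digest, "big") < DIFFICULTY_TARGET

def find_nonce(job_seed: bytes, want_valid: bool, start: int = 0) -> int:
    # Scan nonces upward from `start` until one with the requested validity is found.
    nonce = start
    while share_is_valid(job_seed, nonce) != want_valid:
        nonce += 1
    return nonce

class PoolBanPolicy:
    """Counts bad shares per wallet and per proxy address; bans whichever crosses the threshold."""
    def __init__(self, threshold: int = BAN_THRESHOLD):
        self.threshold = threshold
        self.bad_shares = defaultdict(int)
        self.banned = set()

    def submit(self, wallet: str, proxy_ip: str, job_seed: bytes, nonce: int) -> str:
        # A banned wallet or proxy is refused outright, so it earns nothing regardless of the share.
        if wallet in self.banned or proxy_ip in self.banned:
            return "rejected: banned"
        if share_is_valid(job_seed, nonce):
            return "accepted"
        # Both the credited wallet and the forwarding proxy are penalised: a flood of bad shares
        # therefore takes the proxy down together with the wallet behind it.
        for key in (wallet, proxy_ip):
            self.bad_shares[key] += 1
            if self.bad_shares[key] >= self.threshold:
                self.banned.add(key)
        return "rejected: invalid share"

def simulate() -> list:
    """One legitimate share, a flood of bad shares, then valid shares for the banned wallet and proxy."""
    pool = PoolBanPolicy()
    job = b"constructed-job-seed"
    good, bad = find_nonce(job, True), find_nonce(job, False)
    results = [pool.submit("WALLET_A", "10.0.0.1", job, good)]
    for _ in range(BAN_THRESHOLD):
        results.append(pool.submit("WALLET_A", "10.0.0.1", job, bad))
    results.append(pool.submit("WALLET_A", "10.0.0.2", job, good))   # same wallet, new proxy
    results.append(pool.submit("WALLET_B", "10.0.0.1", job, good))   # new wallet, same proxy
    return results
```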
The researchers’ tests resulted in a 76% reduction in cybercriminals’ profits. The company estimates that if additional proxies and systems were located and targeted by the technique, earnings could be eliminated entirely, significantly impacting malicious activities.
“The threat of miners is expected to continue growing, but it can now be combated, making attacks less effective for cybercriminals,” adds Dahan. “This method uses existing topology and policies to force attackers to completely abandon campaigns, as their continuation depends on radical changes that may not be financially advantageous and could lead to identification risks.”
Proofs of concept, the XMRogue code, and further details of the tests are available in the “Anatomy of Cryptominers” series, published on Akamai’s blog.