IT Brief Asia - Technology news for CIOs & IT decision-makers

Akamai tool disrupts cryptominer botnets, cutting USD $38K

Today

Akamai has released research outlining methods to disrupt cryptominer botnets, including the successful takedown of a large-scale operation that had been active for six years.

Research findings

The report details two new techniques that allow defenders to forcefully disable malicious cryptomining activities at scale. According to Akamai's researchers, exploiting "bad shares" can result in the banning of malicious mining proxies from cryptocurrency mining pools, causing the botnet's hashrate—the rate at which mining calculations are performed—to plummet from millions to zero almost instantly.

One case study cited involved the identification and dismantling of a botnet that was generating 3.3 million hashes per second. By employing this method, Akamai's team cut off the attackers' estimated USD $26,000 in annual revenue. This was achieved by targeting a central point of failure in the botnet's infrastructure: the mining proxy, which was responsible for coordinating the activities of infected computers.

The concept of bad shares

The central premise of one of the techniques involves deliberately submitting invalid mining results, or "bad shares," to the mining pool via the compromised proxy. Mining pools typically validate submitted shares and penalise repeated invalid submissions by banning the associated source.

As explained in the research report, "If we can make a back-end node or a pool to ban the attacker miners (a.k.a. victims), we can stop the resource exploitation of the cryptominer and essentially release the victims."

When this method was applied to the targeted botnet, the mining proxy's hashrate fell from 3.3 million to zero, effectively terminating ongoing cryptomining on all connected victim machines and reducing their CPU usage significantly.

XMRogue tool introduction

To carry out these actions, Akamai developed a custom tool named XMRogue. This tool is designed to impersonate a miner, connect to a mining proxy, and submit consecutive bad shares, thereby causing the proxy to forward invalid results to the pool and triggering a ban.

"XMRogue is a tool that enables us to impersonate a miner, connect to a mining proxy, submit consecutive bad shares, and eventually ban the mining proxy from the pool," the report states.

One of the challenges addressed by XMRogue is the need to ensure that bad shares bypass the proxy's validation mechanisms and reach the pool for banning. The researchers detail how "crafting a custom share is relatively simple," provided that certain key values are extracted from the proxy's response messages to the miner.

Testing and impact

Testing with a real-world botnet, Akamai's team identified all associated mining proxies and targeted the most active one using XMRogue. The result was an immediate hashrate drop to zero for the proxy in question, and a substantial decrease in the botnet's overall revenue—from nearly USD $50,000 annually to USD $12,000, a 76% reduction. The research notes, "By targeting additional proxies, the revenue could have potentially dropped to zero."

The team also observed that such an impact forces attackers to either completely reconfigure their infrastructure—which increases their risk of being discovered—or abandon the campaign altogether.

Direct pool connections

The report covers a second tactic for scenarios where victim machines are connected directly to public mining pools without intermediaries. In these cases, XMRogue can trigger the mining pool to temporarily ban a wallet address by sending more than 1,000 login requests simultaneously using that wallet. This measure is enforced by pools as an anti-abuse protection and can momentarily disrupt malicious mining.

The researchers provided an example involving a smaller campaign leveraging the MoneroOcean pool. Initiating multiple logins with the attacker's wallet led to a rapid decline and eventual halt of the campaign's mining rate, though the effect was reversible once the technique was stopped.
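As an added illustration, not Akamai's code, XMRogue or any real pool's implementation, of the pool-side anti-abuse policies that both techniques rely on: a toy Stratum-style pool that bans a submitting source after consecutive invalid shares (the mechanism described under "The concept of bad shares") and bans a wallet that logs in more than 1,000 times within a window (the mechanism described in this section). The sha256-based proof-of-work, the three-share threshold, the 60-second window and the share field names are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed model of the two pool-side policies the article describes (not XMRogue or a real pool's code).
BAD_SHARE_LIMIT = 3     # consecutive invalid shares before the submitting source is banned (assumed)
LOGIN_LIMIT = 1000      # logins per wallet per window before the wallet is banned (figure from the article)
LOGIN_WINDOW = 60.0     # seconds; ban expiry is omitted for brevity (assumed)

def pow_hash(blob_hex, nonce_hex):
    """Toy proof-of-work: sha256(blob || nonce); a stand-in for the RandomX hash real Monero pools verify."""
    return hashlib.sha256(bytes.fromhex(blob_hex) + bytes.fromhex(nonce_hex)).hexdigest()

def find_share(blob_hex, target):
    """What an honest miner does: try nonces until the hash is below the job's target."""
    for nonce in range(2**32):
        nonce_hex = f"{nonce:08x}"
        digest = pow_hash(blob_hex, nonce_hex)
        if int(digest, 16) < target:
            return nonce_hex, digest

class Pool:
    def __init__(self):
        self.jobs = {}                        # job_id -> (blob_hex, target)
        self.bad_shares = defaultdict(int)    # source -> consecutive invalid shares
        self.banned_sources = set()
        self.logins = defaultdict(list)       # wallet -> recent login timestamps
        self.banned_wallets = set()

    def new_job(self, job_id, blob_hex, target):
        self.jobs[job_id] = (blob_hex, target)

    def login(self, wallet, now):
        """Per-wallet login rate limit: more than LOGIN_LIMIT logins in the window bans the wallet."""
        recent = [t for t in self.logins[wallet] if now - t < LOGIN_WINDOW] + [now]
        self.logins[wallet] = recent
        if len(recent) > LOGIN_LIMIT:
            self.banned_wallets.add(wallet)
        return wallet not in self.banned_wallets

    def submit(self, source, params):
        """Validate a Stratum-style share; consecutive bad shares get the source (e.g. a proxy) banned."""
        blob_hex, target = self.jobs.get(params["job_id"], ("", 0))   # unknown job never validates
        digest = pow_hash(blob_hex, params["nonce"])
        ok = (source not in self.banned_sources and digest == params["result"]
              and int(digest, 16) < target)
        self.bad_shares[source] = 0 if ok else self.bad_shares[source] + 1
        if self.bad_shares[source] >= BAD_SHARE_LIMIT:
            self.banned_sources.add(source)
        return ok
```

Because the ban is keyed on the submitting source, a proxy that forwards a few invalid shares takes every miner behind it offline, which is why the article singles out the proxy as the botnet's point of failure.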

Defence implications

Akamai's research notes that these techniques, which rely on the legitimate operational policies of mining pools, can shut down malicious cryptominer campaigns without affecting lawful miners. "A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally," say the researchers.

For attackers running large botnets, however, reconfiguration would be far more complex and costly, offering defenders a practical way to impede cryptomining abuse at scale.

Outlook on cryptomining threats

Reflecting on the wider trend, Senior Security Researcher Maor Dahan stated, "We believe that the threat of cryptominers will continue to grow over time. But now we can fight back and disrupt the attacker's operation, making it much more challenging to monetize cryptominers effectively."
