Dell SecureWorks security researchers have described a series of attacks earlier this year in which someone cleverly got miners of bitcoins and other “cryptocurrencies” like dogecoin to contribute their efforts to his mining pools, sending the proceeds to him instead of them.
Bitcoin mining involves solving complex computational problems faster than rivals, in order to add blocks of bitcoin transactions to the “blockchain,” the shared bitcoin ledger. Not only does this keep the blockchain going, but it also generates new bitcoins as rewards for the miners. Obviously, getting there first requires a lot of raw computational power, so most miners pool their resources.
According to SecureWorks, the attacker netted around $83,000 between February and May of this year. To accomplish this scam, it seems he had access to a router at a Canadian ISP, either by hacking into it or by somehow knowing the password.
The internet is a network of networks, and ISPs’ networks connect to the internet using the border gateway protocol (BGP), which essentially lets each network advertise to the others which IP address ranges it can route traffic to. The attacker apparently reconfigured the Canadian ISP’s router to broadcast illegitimate BGP routes for address ranges belonging to the miners’ own ISPs or networks, including Amazon and hosting companies such as OVH and Digital Ocean — many miners mine in the cloud, so they don’t need to run their own rigs.
Those bogus routes redirected whole chunks of traffic from the affected networks, so when the miners attempted to hook up with their mining pools, they unwittingly connected with the hijacker’s server instead. The hijacker then routed their connections to a second “pool” that he also controlled. Each route hijack was only brief, but once the miners’ software had been steered onto the new connections it kept them, so the miners’ computers were doing lots of mining work and not getting any reward for it.
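The hijack worked because a bogus announcement (an unexpected origin, or a more-specific prefix that wins route selection) was accepted by neighbouring networks. As an added example that is not from the SecureWorks research or this article, the Python below shows how an operator could flag such announcements against a table of expected origin ASes for its own prefixes; all prefixes and AS numbers are constructed, not the real networks involved.

```python
import ipaddress
from dataclasses import dataclass

# Constructed table of prefixes and the origin AS numbers allowed to announce them
# (an operator would build this from its own allocations or from RPKI ROAs).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/22"): {64500},  # constructed hosting network
    ipaddress.ip_network("203.0.113.0/24"): {64501},   # constructed cloud provider
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


def classify(ann: Announcement) -> str:
    """Compare one BGP announcement with the expected-origin table."""
    net = ipaddress.ip_network(ann.prefix)
    for legit, origins in EXPECTED_ORIGINS.items():
        if net.version != legit.version or not net.subnet_of(legit):
            continue
        if ann.origin_as in origins:
            return "ok"                     # our prefix, or a sub-prefix, from an allowed AS
        if net == legit:
            return "origin-hijack"          # exact prefix announced by the wrong AS
        return "more-specific-hijack"       # sub-prefix from the wrong AS: wins route selection
    return "unknown"                        # not one of the prefixes we monitor


def flag_hijacks(announcements):
    """Return (announcement, verdict) pairs that deserve an alert."""
    flagged = []
    for ann in announcements:
        verdict = classify(ann)
        if verdict.endswith("hijack"):
            flagged.append((ann, verdict))
    return flagged


# Constructed sample feed: one legitimate route, one more-specific hijack, one origin hijack.
SAMPLE_FEED = [
    Announcement("198.51.100.0/22", 64500),
    Announcement("203.0.113.0/25", 64512),
    Announcement("198.51.100.0/22", 64512),
    Announcement("192.0.2.0/24", 64513),
]

if __name__ == "__main__":
    for ann, verdict in flag_hijacks(SAMPLE_FEED):
        print(f"{verdict}: {ann.prefix} from AS{ann.origin_as}")
```

A brief hijack like the one described still leaves a record in a route collector feed, which is what a check like this would run over.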
The researchers recommended that mining pools’ servers should implement server certificate validation and require miners to establish secure SSL connections, so that miners can’t be unwittingly redirected to other servers. As attackers need access to ISPs’ internal systems to do this kind of thing, they said, “the overall threat is minimal.”