Hacker swipes $83,000 from Bitcoin mining pools

Bitcoin exchanges and trading posts have been hacking targets over the past year, but now one hacker has taken on ISPs to loot cryptocurrency from mining pools.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
2 min read


It's no longer surprising when we hear that a cryptocurrency exchange has suffered a security breach, but now a hacker has targeted mining pools -- and managed to steal $83,000 in cryptocurrency as a result.

The Dell SecureWorks Counter Threat Unit (CTU) research team said Thursday it has identified an exploit that can be used to lift cryptocurrency from mining pools, and at least one hacker has already taken advantage of the security flaw.

A hijacker was able to use a fake Border Gateway Protocol (BGP) broadcast in order to compromise networks belonging to some of the biggest names in the field -- including Amazon, Digital Ocean, and OVH -- between February and May 2014. According to the researchers, at least 51 networks were compromised from 19 different ISPs, and at least one hijacker was able to use this flaw to redirect cryptocurrency miners' connections to a hijacker-controlled mining pool, therefore collecting the miner's profit for themselves.

Miners were able to continue searching for blocks, which results in the minting of new bitcoins, but spoofed servers ensured that miners never received their cut -- instead, the hijacker took off with all of the earnings.

In total, it is believed this single hijacker has been able to earn $83,000 in roughly four months.

Although Bitcoin was the main target of the heist, with 1 BTC currently worth $589, it was not the only cryptocurrency affected.

"The threat actor hijacked the mining pool, so many cryptocurrencies were impacted," the researchers said. "The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses."

One miner spoken to by Dell SecureWorks said he estimates 8,000 dogecoin were hijacked and stolen in March, worth $1.39. The miner later added a firewall rule to reject connections from the hacker's mining server, which rejected the hijack and led to normal mining regularity. While $1.39 is a tiny amount, if widespread, such hacking can be lucrative.

The researchers were eventually able to trace the fake broadcasts to a single router at an ISP in Canada. While the hijacker has not been identified, CTU believes the scheme can be blamed on a rogue employee of the ISP, an ex-employee with an unchanged router password, or simply a black-hat hacker.

The CTU research team provided its evidence to the ISP closest to the source of the activity, and the malicious BGP announcements stopped three days later. The team says that despite approximately $2.6 million in cryptocurrency mining activity occurring each day, the chance of future BGP attacks is "minimal," writing:

"BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes."