BGP hijacking for cryptocurrency profit
In cryptocurrency, “mining” is the act of validating transactions listed in the public ledger (also known as the block chain). When a transaction is initiated, it is placed in a queue where it is prioritized based on the date and time of submission, and the size of the affixed transaction “fee.”
Working from the top of the queue, miners cryptographically attempt to “find a block,” which entails crunching numbers to satisfy a particular formula while simultaneously agreeing as network that the calculated results are valid. Mining is a generic activity; the mining pool dictates which cryptocurrency is mined.
In this podcast recorded at Black Hat USA 2014, Joe Stewart, Director of Malware Research at Dell SecureWorks, talks about his team’s discovery of suspicious activity occurring on mining systems connected to the wafflepool.com mining pool.
Several users in this forum and other cryptocurrency forums noticed similar activity — mining systems mysteriously redirected to an unknown IP address that answered with the Stratum protocol. Once connected to this IP address, miners continued to receive work but no longer received block rewards for their mining efforts. Hijackers harnessed miners’ hashing power by redirecting legitimate mining traffic destined for well-known pools to a malicious server masquerading as the legitimate pool:
- Miners continuously connect to a legitimate pool for tasks.
- The hijacker begins an attack.
- When miners attempt to connect to the legitimate pool, a new BGP route directs their traffic to a pool maintained by the hijacker.
- This malicious pool sends each rerouted miner a client.reconnect command, instructing them to connect to a second pool maintained by the hijacker. By convincing the miners to connect to this second malicious pool rather than the original malicious pool, the hijacker filters out traffic that has already been hijacked so it is not hijacked again.
- The hijacker ceases the attack. Miners that were redirected to the hijackers pool continue to see tasks and perform work, but are not compensated. Miners who were not redirected remain unaffected.
- The hijacker repeats the process in short bursts, allowing the activity to continue unimpeded for months.