Zero Hashrate: Researchers Unveil Game-Changing ‘Bad Shares’ Tech to Crush Cryptominer Botnets

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Security researchers have built new methods to detect and take down cryptocurrency mining botnets. In a published report, Akamai detailed two new methods for shutting down these operations, involving a key technique termed “bad shares.”

This research targeted a malicious cryptominer operation that had been active for six years. The bad shares technique involves submitting invalid mining results to trick pools into banning attacker proxies or wallets, thereby effectively halting their operations. 

Through their efforts, Akamai's researchers successfully brought a cryptocurrency mining operation's hashrate down from 3.3 million hashes per second to zero. 

Bad Shares technique sequence diagram | Source: Akamai

This was achieved by exploiting mining pool policies under which consecutive invalid shares lead to a temporary ban on the miner. The result was significant financial loss for threat actors; for instance, a simple laptop was enough to cost one cryptominer operator an estimated US$26,000 per year in revenue.

The technique was demonstrated on Monero cryptominers, with the principle being applicable to disrupt any other cryptomining effort. 

The method focuses on proxy and direct pool connections, specifically targeting common mining setups, including those reliant on mining proxies (a single point of failure) and direct connections to public pools.
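The ban policy and the proxy's single point of failure can be seen in a small offline model. This is an added example, not code from Akamai's report or from XMRogue; the threshold, the ban length, the worker names and the event timeline are all assumptions constructed for illustration.

```python
"""Toy model of a pool-side ban policy (constructed; thresholds are assumptions)."""
from dataclasses import dataclass, field

BAN_THRESHOLD = 5   # assumed: consecutive invalid shares that trigger a ban
BAN_SECONDS = 600   # assumed: length of the temporary ban


@dataclass
class Pool:
    invalid_streak: dict = field(default_factory=dict)  # identity -> streak length
    banned_until: dict = field(default_factory=dict)    # identity -> ban expiry time

    def submit(self, identity: str, valid: bool, now: float) -> str:
        """Handle one share from `identity`, the upstream connection the pool sees."""
        if now < self.banned_until.get(identity, 0.0):
            return "banned"
        if valid:
            self.invalid_streak[identity] = 0  # a valid share resets the streak
            return "accepted"
        streak = self.invalid_streak.get(identity, 0) + 1
        self.invalid_streak[identity] = streak
        if streak >= BAN_THRESHOLD:
            self.banned_until[identity] = now + BAN_SECONDS
            self.invalid_streak[identity] = 0
            return "banned"
        return "rejected"


def simulate(events, via_proxy: bool) -> dict:
    """Replay (time, worker, valid) events and return accepted shares per worker.

    With via_proxy=True every worker reaches the pool under one identity,
    so the pool cannot tell the downstream miners apart.
    """
    pool = Pool()
    credited = {}
    for now, worker, valid in events:
        identity = "proxy" if via_proxy else worker
        if pool.submit(identity, valid, now) == "accepted":
            credited[worker] = credited.get(worker, 0) + 1
    return credited


# Constructed timeline: two workers submit a valid share every 10 s for 100 s,
# and a third connection "x" submits five invalid shares between t=21 and t=25.
EVENTS = sorted(
    [(t, w, True) for t in range(0, 101, 10) for w in ("w1", "w2")]
    + [(t, "x", False) for t in range(21, 26)]
)
```

Behind the shared proxy identity, both workers stop earning after the fifth invalid share; with separate identities, only the connection that sent the invalid shares is banned.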

Researchers effectively leveraged impersonation techniques to act as a miner. They developed the XMRogue tool that mimics a miner to connect to proxies and submit the bad shares. This helped bypass validations, such as those related to NiceHash nonce and difficulty.

This technique offers a faster takedown of cryptominers by providing a less complex alternative to relying on third-party solutions.

These solutions may also force attackers to abandon their campaigns due to a decrease in botnet profitability and unmonetizable resources. 

