Hackers steal cryptocurrency by substituting BGP announcements for mining pools
According to the Dell SecureWorks Counter Threat Unit, unknown attackers repeatedly announced BGP routes for the IP addresses of large mining pools of the cryptocurrencies Bitcoin, Dogecoin, HoboNickels and Worldcoin over a period of four months, from February 3 to May 12, 2014. This was possible because the Stratum protocol used by most pools provides neither server authentication nor encryption, so a miner has no way to tell the hijacker's server from the real pool.
The first signs of suspicious activity were noticed by an attentive bitcointalk forum user on March 22: their miners connected to an unknown IP address and, for some reason, stopped mining.
The attackers announced the pools' IP addresses only briefly, probably for just a few minutes or even seconds. The hijack reset the miners' TCP connections to the real pool; when the miners reconnected, they reached the attacker's server, which now received the traffic, and it sent every reconnected miner a Stratum reconnect command pointing at the attacker's own mining pool. The announcement was then withdrawn. Because the redirection happened at the Stratum layer, the miners kept working for the attacker after the route returned to normal. In total the attackers collected about $83,000 over the four months.
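The redirection step above works because a Stratum miner will follow a `client.reconnect` notification from whoever is on the other end of the socket. The following added example (my illustration, not code from the article or from the SecureWorks report) replays a constructed Stratum session, shows the as-shipped behaviour of a miner that follows any reconnect, and beside it a pinned variant that only follows a reconnect whose hostname is on an operator-maintained allow-list. The hostnames, the allow-list and the sample messages are all assumptions; Stratum's `client.reconnect` parameters are `[hostname, port, waittime]`.

```python
"""Stratum client.reconnect handling: blind (as-shipped) behaviour beside a pinned one."""
import json

# Hypothetical operator configuration: the only pool hosts a miner is ever allowed to jump to.
ALLOWED_POOL_HOSTS = {"stratum.pool.example", "stratum2.pool.example"}

# Constructed sample traffic, newline-delimited JSON-RPC as Stratum sends it.
# HIJACKER_STREAM is what a miner would read after its TCP connection was reset by the
# route hijack and it reconnected to the host that now receives the pool's prefix.
HIJACKER_STREAM = (
    '{"id": null, "method": "mining.set_difficulty", "params": [1]}\n'
    '{"id": null, "method": "client.reconnect", "params": ["attacker-pool.example", 3333, 0]}\n'
)

# LEGIT_STREAM is a pool legitimately moving miners to a second host on its own list.
LEGIT_STREAM = (
    '{"id": null, "method": "mining.set_difficulty", "params": [512]}\n'
    '{"id": null, "method": "client.reconnect", "params": ["stratum2.pool.example", 3333, 30]}\n'
)


def parse_stream(data):
    """Split newline-delimited JSON-RPC into message dicts, skipping blank lines."""
    return [json.loads(line) for line in data.splitlines() if line.strip()]


def reconnect_params(msg):
    """Return (host, port) if msg is a client.reconnect notification, else None.

    Malformed notifications (missing host or port) are treated as no redirect at all,
    which is the safe default for a miner.
    """
    if msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params") or []
    if len(params) < 2:
        return None
    return str(params[0]), int(params[1])


def blind_reconnect_target(messages):
    """As-shipped behaviour: follow whatever the last client.reconnect says, no questions asked."""
    target = None
    for msg in messages:
        rp = reconnect_params(msg)
        if rp is not None:
            target = rp
    return target


def pinned_reconnect(messages, allowed_hosts):
    """Pinned behaviour: only follow a reconnect to a host on the allow-list.

    Returns {"followed": (host, port) or None, "refused": [(host, port), ...]} so the
    refused entries can be logged or alerted on; a refused reconnect keeps the current pool.
    """
    result = {"followed": None, "refused": []}
    for msg in messages:
        rp = reconnect_params(msg)
        if rp is None:
            continue
        host, port = rp
        if host in allowed_hosts:
            result["followed"] = (host, port)
        else:
            result["refused"].append((host, port))
    return result


if __name__ == "__main__":
    for name, stream in (("hijacker", HIJACKER_STREAM), ("legit", LEGIT_STREAM)):
        msgs = parse_stream(stream)
        print(name, "blind ->", blind_reconnect_target(msgs))
        print(name, "pinned ->", pinned_reconnect(msgs, ALLOWED_POOL_HOSTS))
```

Pinning the reconnect host only blocks the persistent redirection; during the seconds the bogus route is live the miner still submits shares to the hijacker, because nothing in plain Stratum authenticates the server. Closing that gap needs transport authentication (Stratum over TLS with a verified server certificate, where the pool offers it), not a client-side allow-list.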
The bogus BGP announcements originated from a single ISP in Canada; the hijacks stopped three days after that ISP was notified. Who was behind them is still not known. Three versions have been put forward, including:
- an ISP employee
- a dismissed ISP employee who still had access to the routers
For more information, see the Dell SecureWorks report.