Hacker hijacks ISPs, steals $83,000 from Bitcoin mining pools

Summary: Bitcoin exchanges and trading posts have been hacking targets over the past year, but now one hacker has hijacked Internet routes at the ISP level to loot Bitcoin from mining pools.


It's no longer surprising when we hear a cryptocurrency exchange has suffered a security breach, but now a hacker has targeted mining pools -- and managed to steal $83,000 in cryptocurrency as a result.

The Dell SecureWorks Counter Threat Unit (CTU) research team said Thursday it has identified an attack, based on hijacking Internet routes, that can be used to divert miners' earnings away from mining pools, and that at least one hacker has already carried it out.

The hijacker sent bogus Border Gateway Protocol (BGP) route announcements to divert traffic bound for address space belonging to some of the biggest names in hosting, including Amazon, Digital Ocean and OVH, among others, between February and May 2014. According to the researchers, address space belonging to at least 51 networks at 19 different ISPs was hijacked this way, and the hijacker used the diverted traffic to redirect cryptocurrency miners' connections to a hijacker-controlled mining pool, collecting the miners' earnings for themselves.

Miners kept hashing as normal, the work that results in the minting of new Bitcoins, but because their connections had been diverted to the hijacker's pool, the rewards for that work were credited to the hijacker rather than to the miners, who never received their cut.
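The redirection described above works because a bogus BGP announcement for a prefix, or for a more specific slice of it, pulls traffic for that address space towards the announcer. The following is an added example, not code from the article or from Dell SecureWorks CTU, showing how an operator would flag such announcements in a route feed: every prefix, ASN and announcement in it is constructed sample data from documentation ranges (RFC 5737 addresses, RFC 5398 ASNs), and the EXPECTED_ORIGINS table is an assumed stand-in for what would really be loaded from RPKI ROAs or IRR route objects.

```python
# Added example, not code from the article or from Dell SecureWorks CTU.
# Flags BGP route announcements that look like the hijack described above:
# a prefix (or a more specific slice of it) announced by an AS that is not
# authorised to originate it. All prefixes, ASNs and announcements below are
# constructed sample data from documentation ranges (RFC 5737 addresses,
# RFC 5398 ASNs); EXPECTED_ORIGINS stands in for what an operator would
# load from RPKI ROAs or IRR route objects.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str        # announced prefix, e.g. "203.0.113.0/24"
    as_path: tuple     # AS path as seen by a route collector, origin AS last
    seq: int           # position in the feed, informational only

    @property
    def origin_as(self):
        return self.as_path[-1]


# Constructed authorisation table: covering prefix -> (authorised origin AS,
# longest prefix length that origin may announce), ROA style.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): (64496, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64497, 24),
}


def classify(ann):
    """Classify one announcement against EXPECTED_ORIGINS.

    Returns one of:
      valid                 authorised origin, within the allowed length
      invalid-length        authorised origin, but more specific than allowed
      more-specific-hijack  unauthorised origin announcing a slice of the
                            prefix; longest-prefix matching makes routers
                            prefer it, which is how miners' traffic gets
                            pulled towards the hijacker
      invalid-origin        unauthorised origin announcing the exact prefix
      unknown               nothing in the table covers this prefix
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = [
        (cov, origin, maxlen)
        for cov, (origin, maxlen) in EXPECTED_ORIGINS.items()
        if cov.version == net.version and net.subnet_of(cov)
    ]
    if not covering:
        return "unknown"
    if any(ann.origin_as == o and net.prefixlen <= m for _, o, m in covering):
        return "valid"
    if any(ann.origin_as == o for _, o, _ in covering):
        return "invalid-length"
    if all(net.prefixlen > cov.prefixlen for cov, _, _ in covering):
        return "more-specific-hijack"
    return "invalid-origin"


def detect_hijacks(announcements):
    """Return (announcement, verdict) pairs for everything worth an alert."""
    alerts = []
    for ann in announcements:
        verdict = classify(ann)
        if verdict not in ("valid", "unknown"):
            alerts.append((ann, verdict))
    return alerts


# Constructed feed: AS64496 and AS64497 are the legitimate owners, AS64500 a
# transit provider, AS64511 the hijacker.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64500, 64496), 1),   # owner, as usual
    Announcement("198.51.100.0/24", (64500, 64511), 2),  # hijacker carves a /24 out of the /22
    Announcement("198.51.100.0/22", (64511,), 3),        # hijacker claims the whole block
    Announcement("203.0.113.0/25", (64500, 64496), 4),   # owner, but more specific than authorised
    Announcement("192.0.2.0/24", (64500,), 5),           # not in the table at all
]

if __name__ == "__main__":
    for ann, verdict in detect_hijacks(SAMPLE_FEED):
        path = " ".join(str(a) for a in ann.as_path)
        print(f"ALERT {verdict:22s} {ann.prefix:18s} path: {path}")
```

In practice the feed would come from a route collector rather than a hard-coded list, and the authorisation table from RPKI; the point of the example is the longest-prefix case, since a hijacker does not need to announce the victim's exact prefix to win the traffic.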


In total, it is believed this single hijacker has been able to earn $83,000 in roughly four months.

Although Bitcoin was the main target of the heist, with 1 BTC currently worth $589, it was not the only cryptocurrency affected.

"The threat actor hijacked the mining pool, so many cryptocurrencies were impacted," the researchers said. "The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses."

One miner spoken to by Dell SecureWorks said he estimates 8,000 Dogecoin were hijacked and stolen in March, worth $1.39. The miner later added a firewall rule blocking connections to the hijacker's mining server, which ended the redirection and restored normal mining. While $1.39 is a tiny amount, spread across many miners such hijacking can be lucrative.

The researchers were eventually able to trace the bogus announcements to a single router at an ISP in Canada. While the hijacker has not been identified, CTU believes the scheme can be blamed on a rogue employee of the ISP, an ex-employee whose router password was never changed, or an outside black-hat hacker who gained access to the router.

The CTU research team provided its evidence to the ISP closest to the source of the activity, and the malicious BGP announcements stopped three days later. The team says that despite cryptocurrency mining worth approximately $2.6 million taking place each day, the chance of future BGP attacks is "minimal," writing:

"BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes."

That reassurance rests on ISPs keeping control of their own routers: in this case a single router at one ISP, which already had legitimate peerings, was enough to announce the bogus routes for months.


About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales.
