A hacking blog written in Chinese and hosted on the dark web has posted technical instructions for stealing mining rewards using trojaned machines and man-in-the-middle attacks to redirect mining pool data.
The post, discovered through a dark web directory, outlines a method to intercept mining packets and reroute them to a different pool without the rig owner detecting anything. The mining machine would display normal activity on its dashboard while the pool operator would see unexplained hashpower disappear.
No one has confirmed this malware exists in actual use or that developers have built it beyond the concept stage. Still, researchers worry about the attack's potential consequences.
An attacker could funnel most rewards to their account while passing some payments back to the legitimate pool, keeping the scheme hidden. Mining depends heavily on luck, so a rig operator might blame variance for lower returns rather than suspect compromise. Eventually, consistent underperformance relative to the machine's stated hashpower might trigger suspicion, but the attacker would have already stolen bitcoin by then.
For mining operations running on thin margins, this could cause serious damage. The attack requires two things: a previously installed trojan and the ability to modify the machine's iptables rules. An attacker with that level of access could cause far worse harm than mining theft, but this method appeals because it avoids detection.
Blake Anderson, a Bitcoin security consultant and early mining operator, examined the technical details. "The security vulnerability [the post] references are trojans and man in the middle attacks," Anderson said. "If you assume both of those vulnerabilities, virtually anything becomes possible."
Spencer Liven of Sterlingcoin also reviewed the attack and confirmed it could work.
The post includes a detailed walkthrough. An attacker would install a mining proxy on a compromised machine within the target network, then use iptables commands to intercept packets meant for the legitimate pool. The proxy forwards mining shares to the real pool while collecting rewards for the attacker. The process routes packets through multiple iptables chains—the PREROUTING chain redirects inbound packets, an INPUT chain passes them to the proxy, and OUTPUT and POSTROUTING chains handle return traffic.
The specific rules target ports 3333 and 3334, which most mining pools use. Attackers must employ IP masquerading rather than standard source network address translation because mining rigs switch between pools and pools run multiple IP addresses. This keeps return traffic appearing legitimate to both the mining machine and the real pool.
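The diversion described above leaves a footprint in the rig's own NAT table: a rule that redirects or DNATs the stratum ports, plus a MASQUERADE rule for the return path. The following Python script is an added, defender-side example written for this article (it is not code from the dark web post or from any of the researchers quoted); it parses `iptables-save` output and flags exactly those rules. The port numbers come from the article; the sample rules, the interface name and the pool address are constructed for illustration.

```python
"""Scan iptables-save output for NAT rules that would divert stratum traffic.

Added example, not from the article or the post it describes. On a mining rig
there is normally no reason for the nat table to REDIRECT or DNAT the stratum
ports, nor to MASQUERADE outbound traffic, so each such rule is reported.
Usage on a real host (needs root):  iptables-save -t nat | python3 scan.py
"""
import shlex
import sys
from dataclasses import dataclass
from typing import List, Optional

STRATUM_PORTS = {3333, 3334}            # ports named in the article
DIVERTING_TARGETS = {"REDIRECT", "DNAT"}

# Constructed sample of what iptables-save prints on a tampered rig.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3333 -j REDIRECT --to-ports 3333
-A PREROUTING -p tcp -m tcp --dport 3334 -j DNAT --to-destination 198.51.100.7:3333
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Finding:
    table: str
    chain: str
    target: str
    port: Optional[int]     # stratum port affected, None for MASQUERADE
    rule: str
    reason: str


def _opt(tokens: List[str], name: str) -> Optional[str]:
    """Return the argument following option `name`, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def _stratum_ports_matched(tokens: List[str]) -> set:
    """Which stratum ports does this rule's --dport/--dports match?

    Handles comma lists (3333,3334) and ranges (3000:4000) without expanding
    a wide range into a huge set.
    """
    matched = set()
    for opt in ("--dport", "--dports"):
        val = _opt(tokens, opt)
        if not val:
            continue
        for part in val.split(","):
            lo, _, hi = part.partition(":")
            lo_i = int(lo)
            hi_i = int(hi) if hi else lo_i
            matched.update(p for p in STRATUM_PORTS if lo_i <= p <= hi_i)
    return matched


def scan_iptables_save(text: str) -> List[Finding]:
    """Parse iptables-save text and return rules that divert stratum traffic."""
    findings: List[Finding] = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # "*nat", "*filter": table header
            table = line[1:]
            continue
        if not line.startswith("-A"):       # skip ":CHAIN policy" and COMMIT
            continue
        tokens = shlex.split(line)          # shlex keeps quoted --comment intact
        chain = tokens[1]
        target = _opt(tokens, "-j")
        hit = _stratum_ports_matched(tokens)
        if table == "nat" and target in DIVERTING_TARGETS and hit:
            dest = _opt(tokens, "--to-destination") or _opt(tokens, "--to-ports")
            findings.append(Finding(table, chain, target, min(hit), line,
                                    f"stratum port(s) {sorted(hit)} diverted to {dest}"))
        elif table == "nat" and target == "MASQUERADE":
            findings.append(Finding(table, chain, target, None, line,
                                    "MASQUERADE rewrites source addresses; "
                                    "unexpected on a mining rig"))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in scan_iptables_save(data):
        print(f"[{f.table}/{f.chain}] {f.target}: {f.reason}\n    {f.rule}")
```

The check is deliberately conservative: a rig that sits behind its own NAT gateway or runs a legitimate local proxy will also trip it, so the useful practice is to capture a known-good `iptables-save` at deployment and diff against it, treating any new nat-table entry touching the stratum ports as an incident until explained. Pairing this with the pool's own view of the rig's hashrate closes the gap the article describes, since the rig's dashboard alone cannot reveal the diversion.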
This exploit reveals no flaw in Bitcoin itself. It shows instead how attacks on miners grow more complex. Mining operations should enforce strict security measures against these emerging tactics.