Threat Analysis

BGP Hijacking for Cryptocurrency Profit

  • Author: Pat Litke and Joe Stewart, Dell SecureWorks Counter Threat Unit
  • Date: 7 August 2014

Overview

The Dell SecureWorks Counter Threat Unit™ (CTU™) research team discovered an unknown entity repeatedly hijacking traffic destined for certain networks belonging to Amazon, Digital Ocean, OVH, and other large hosting companies between February and May 2014. In total, CTU researchers documented 51 compromised networks from 19 different Internet service providers (ISPs). The hijacker redirected cryptocurrency miners' connections to a hijacker-controlled mining pool and collected the miners' profit, earning an estimated $83,000 in slightly more than four months.

Mining fundamentals

In cryptocurrency, "mining" is the act of validating transactions listed in the public ledger (also known as the block chain). When a transaction is initiated, it is placed in a queue where it is prioritized based on the date and time of submission, and the size of the affixed transaction "fee." Working from the top of the queue, miners cryptographically attempt to "find a block," which entails crunching numbers to satisfy a particular formula while simultaneously agreeing as network that the calculated results are valid. Mining is a generic activity; the mining pool dictates which cryptocurrency is mined.

Each time a miner finds a block, new bitcoins are created. The number of new coins that are created varies; as of this publication, 25 new coins are minted for every block found. The miners who contributed to finding the block are awarded a percentage of a "block reward," which amounts to the sum of the 25 newly created bitcoins plus the total of all fees from transactions in the block. The percentage is based on the miner's individual contribution to the discovery. This process allows miners to make money by using their computing resources to verify transactions for other users.

Addresses

Addresses are "accounts" that can receive funds. In cryptocurrency, these addresses are long strings of numbers and letters that correlate to a "private key." The private key is first used to generate the address, and subsequently allows a user to transfer or "spend" currency. A user may receive currency without a private key, but must have the private key to spend the cryptocurrency.

Stratum

Miners begin the mining process by contacting a pool server, which sends information to the miner, tracks individual miners' work, and pays rewards accordingly. The pool server can send commands with the work to have a miner perform various tasks, such as reconnecting elsewhere for load balancing. Miners communicate with the network using the Stratum protocol, which is a JSON-based TCP connection. Once a TCP connection is established, JSON is transferred between the miner and the pool server, allowing communications to be easily monitored.

Hijacking discovery

On March 22, 2014, a user named "caution" posted a message in the bitcointalk.org forum indicating that suspicious activity was occurring on mining systems connected to the wafflepool.com mining pool (see Figure 1).


Figure 1. Bitcointalk.org forum message indicating suspicious activity. (Source: bitcointalk.org)

Several users in this forum and other cryptocurrency forums noticed similar activity — mining systems mysteriously redirected to an unknown IP address that answered with the Stratum protocol. Once connected to this IP address, miners continued to receive work but no longer received block rewards for their mining efforts. Hijackers harnessed miners' hashing power by redirecting legitimate mining traffic destined for well-known pools to a malicious server masquerading as the legitimate pool:

  1. Miners continuously connect to a legitimate pool for tasks.
  2. The hijacker begins an attack.
  3. When miners attempt to connect to the legitimate pool, a new BGP route directs their traffic to a pool maintained by the hijacker.
  4. This malicious pool sends each rerouted miner a client.reconnect command, instructing them to connect to a second pool maintained by the hijacker. By convincing the miners to connect to this second malicious pool rather than the original malicious pool, the hijacker filters out traffic that has already been hijacked so it is not hijacked again.
  5. The hijacker ceases the attack. Miners that were redirected to the hijackers pool continue to see tasks and perform work, but are not compensated. Miners who were not redirected remain unaffected.
  6. The hijacker repeats the process in short bursts, allowing the activity to continue unimpeded for months.

BGP fundamentals

Border Gateway Protocol (BGP) is an external routing protocol that connects networks on the Internet. Networks use BGP peering to become aware of other networks' existence. Unlike network routing protocols that can automatically initiate a connection from one network, both ends of BGP-connected networks (also known as a "peers") must be manually configured to communicate. This requirement ensures malicious networks cannot hijack traffic without human intervention from a legitimate network.

Figures 2, 3, and 4 show how threat actors used bogus BGP broadcasts to redirect traffic to the hijacker's server.


Figure 2. A broadcast of the malicious route in progress. Because AS3 is "peered" with AS4, the malicious broadcast is accepted. AS3's broadcast is more specific than AS2's broadcast, so BGP prioritizes it above the AS2 broadcast. (Source: Dell SecureWorks)


Figure 3. Route to legitimate pool server before hijacking. (Source: Dell SecureWorks)


Figure 4. Route to malicious pool server after hijacking. (Source: Dell SecureWorks)

Timeline of hijacker's BGP announcements

Although public reports of hijacked miners began on March 22, 2014, CTU research into historical BGP route announcement data indicates that the hijacking attempts began on February 3. In total, CTU researchers documented 51 compromised networks at 19 different Internet service providers, including Amazon, Digital Ocean, OVH, and other large hosting companies. Appendix A contains a complete list of route hijacking incidents by date.

The data shows that the hijacker attempted to broadcast illegitimate routes for an entire week in February. That activity was apparently unnoticed in the cryptocurrency mining communities, which may suggest that the initial hijacks were not successful.

CTU researchers contacted a hijacked miner who lost profits over a period of a few weeks. Figure 5 charts the output of his mining activity over the time period in question. CTU researchers observed the correlation of hijacking events and the payouts normally received from his mining pool (called Hashfaster). The threat actor hijacked the mining pool, so many cryptocurrencies were impacted. The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses.


Figure 5. Dogecoins earned by hijacked Hashfaster miner. The miner did not immediately notice the hijacks at the end of March, leading to a long gap in earnings. The hijacks in April were caught faster. (Source: Dell SecureWorks)

By adding a firewall rule to block traffic destined to the hijacker's mining server, the miner was able to reject the hijack on April 11. His payouts then resumed their regularity. Although the 8000 lost Dogecoins amounted to a few dollars, hijacking hundreds or thousands of small miners can be very lucrative.

Estimating the hijacker's earnings

The hijacker earned an estimated $83,000 in slightly more than four months. The graph in Figure 6 represents the estimated earnings for the five cryptocurrency addresses associated with the hijacker. This graph is incomplete due to a lack of data from March 29 to April 11, 2014. While Figure 6 does not prove that other payout addresses exist, it does strongly indicate that other currencies were being mined.


Figure 6. Estimated earnings for hijacker-controlled cryptocurrency addresses. No data was available between March 29 and April 11, 2014. (Source: Dell SecureWorks)

Dogecoin, HoboNickels, and Worldcoin

These three currencies were easy to extrapolate from the datasets because a central authority communicates with the clients. Correlating payouts to hijack events strongly suggests that the addresses in question belonged to the pool operator, who in this case happens to be the hijacker.

Bitcoin

Determining the Bitcoin address was challenging due to the nature of the peer-to-peer protocol used by the decentralized P2Pool Bitcoin mining pool. CTU researchers examined all addresses from the respective pool server and compared them to addresses in the Stratum traffic. Matching hijack events with payouts revealed one address, charted in Figure 6.

Attribution

All malicious BGP announcements were traced to a single router at an ISP in Canada. The hijacker likely fits one of the following descriptions:

  • A rogue employee of the ISP
  • A rogue ex-employee of the ISP with an unchanged router password
  • A malicious hacker

On May 9, 2014, the CTU research team provided the BGP evidence to the upstream ISP closest to the origin of the malicious activity. The malicious BGP announcements stopped three days later and have not resumed as of this publication. However, the ISP did not disclose details about the source of the malicious changes to the router's configuration.

Route hijacking mitigation

An estimated $2.6 million in cryptocurrency mining activity occurs each day. Every network administrator should prepare for the risk of narrowly-focused, malicious BGP hijacking incidents. ISPs should opt-in to the Resource Public Key Infrastructure (RPKI) service, which leverages the power of encryption to ensure that IP prefixes belonging to an ISP can only originate from specified ASNs.

From a cryptocurrency perspective, the easiest option for pool servers is to require miners to use the Secure Socket Layer (SSL) protocol. SSL prevents a system from being redirected to a different server, even if the IP address is the same. Miners should also implement server certificate validation. This validation ensures that the certificate the pool server sends when establishing the connection is valid and authorized for use with the connected domain, even if the domain's IP address changes.

Conclusion

BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes. Although BGP hijacking is possible, the overall threat is minimal.


Appendix A — Timeline of BGP announcements 

Date Hijacked pool Network AS owner
Feb 03, 2014 Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
Feb 04, 2014 BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
Feb 05, 2014 HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
Feb 06, 2014 BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
Feb 07, 2014 Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Unknown 54.203.244.0/24 (AS16509 Amazon.com Inc., US)
Feb 08, 2014 Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Unknown 54.203.244.0/24 (AS16509 Amazon.com Inc., US)
Mar 22, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 162.243.89.0/24 (AS62567 Digital Ocean Inc., US)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Mar 23, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 162.243.89.0/24 (AS62567 Digital Ocean Inc., US)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Mar 29, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 162.243.89.0/24 (AS62567 Digital Ocean Inc., US)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Apr 04, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Apr 08, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Apr 11, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Apr 24, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
Apr 25, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  Eligius 192.241.205.0/24 (AS14061 Digital Ocean Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.150.205.0/24 (AS35662 Redstation Limited, GB)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
Apr 26, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  Eligius 192.241.205.0/24 (AS14061 Digital Ocean Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.150.205.0/24 (AS35662 Redstation Limited, GB)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
May 02, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  Eligius 192.241.205.0/24 (AS14061 Digital Ocean Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.150.205.0/24 (AS35662 Redstation Limited, GB)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
May 04, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  Dogecoinr 198.251.81.0/24 (AS53667 FranTech Solutions, US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  Eligius 192.241.205.0/24 (AS14061 Digital Ocean Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.150.205.0/24 (AS35662 Redstation Limited, GB)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
May 06, 2014 Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  Dogecoinr 198.251.81.0/24 (AS53667 FranTech Solutions, US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
May 07, 2014 BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  F2Pool 112.124.13.0/24 (AS37963 Hangzhou Alibaba Advertising Co. Ltd., CN)
  F2Pool 114.215.103.0/24 (AS37963 Hangzhou Alibaba Advertising Co. Ltd., CN)
  F2Pool 115.28.152.0/24 (AS37963 Hangzhou Alibaba Advertising Co. Ltd., CN)
  F2Pool 115.28.153.0/24 (AS37963 Hangzhou Alibaba Advertising Co. Ltd., CN)
  F2Pool 115.28.63.0/24 (AS37963 Hangzhou Alibaba Advertising Co. Ltd., CN)
May 09, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  BitMinter 192.31.187.0/24 (AS32421 Black Lotus Communications, US)
  Clevermining 107.170.227.0/24 (AS14061 Digital Ocean Inc., US)
  Clevermining 107.170.47.0/24 (AS62567 Digital Ocean Inc., US)
  CloudMines 192.99.18.0/24 (AS16276 OVH SAS, FR)
  Coinshift 54.213.177.0/24 (AS16509 Amazon.com Inc., US)
  Coinshift 54.84.236.0/24 (AS14618 Amazon.com Inc., US)
  Dogecoinr 198.251.81.0/24 (AS53667 FranTech Solutions, US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.18.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.33.0/24 (AS39572 AdvancedHosters Ltd., UA)
  HashCows 37.187.9.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 142.4.195.0/24 (AS16276 OVH SAS, FR)
  Hashfaster 192.99.20.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 142.4.211.0/24 (AS16276 OVH SAS, FR)
  LiteGuardian 188.165.198.0/24 (AS16276 OVH SAS, FR)
  Middlecoin 54.194.173.0/24 (AS16509 Amazon.com Inc., US)
  Middlecoin 54.197.251.0/24 (AS14618 Amazon.com Inc., US)
  Middlecoin 54.214.242.0/24 (AS16509 Amazon.com Inc., US)
  Multipool 108.61.49.0/24 (AS20473 Choopa LLC, US)
  Multipool 146.185.179.0/24 (AS46652 ServerStack Inc., US)
  Multipool 162.243.142.0/24 (AS14061 Digital Ocean Inc., US)
  Multipool 162.243.226.0/24 (AS62567 Digital Ocean Inc., US)
  Multipool 50.117.92.0/24 (AS18779 EGIHosting, US)
  NoBrainerCrypto 107.170.244.0/24 (AS14061 Digital Ocean Inc., US)
  Nut2Pools 198.27.75.0/24 (AS16276 OVH SAS, FR)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
  WafflePool 192.241.211.0/24 (AS14061 Digital Ocean Inc., US)
  WafflePool 192.99.35.0/24 (AS16276 OVH SAS, FR)
  WafflePool 95.85.61.0/24 (AS200130 Digital Ocean Inc., EU)
May 10, 2014 BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  BitMinter 192.31.187.0/24 (AS32421 Black Lotus Communications, US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  Eligius 192.241.205.0/24 (AS14061 Digital Ocean Inc., US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.18.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.33.0/24 (AS39572 AdvancedHosters Ltd., UA)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
May 13, 2014 50BTC 144.76.102.0/24 (AS24940 Hetzner Online AG, DE)
  50BTC 5.9.38.0/24 (AS24940 Hetzner Online AG, DE)
  BTCGuild 192.198.107.0/24 (AS55286 B2 Net Solutions Inc., US)
  BTCGuild 198.245.63.0/24 (AS16276 OVH SAS, FR)
  BTCGuild 54.246.170.0/24 (AS16509 Amazon.com Inc., US)
  BitMinter 192.31.187.0/24 (AS32421 Black Lotus Communications, US)
  Eclipse 69.197.61.0/24 (AS25761 Staminus Communications, US)
  Eclipse 72.20.58.0/24 (AS25761 Staminus Communications, US)
  GHash.IO 46.229.169.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.18.0/24 (AS39572 AdvancedHosters Ltd., UA)
  GHash.IO 88.208.33.0/24 (AS39572 AdvancedHosters Ltd., UA)
  PolMine 31.186.87.0/24 (AS57367 DevonStudio Sp. z o.o., PL)
  Slush 54.195.36.0/24 (AS16509 Amazon.com Inc., US)
  Slush 54.225.68.0/24 (AS14618 Amazon.com Inc., US)
  Slush 95.211.52.0/24 (AS16265 LeaseWeb B.V., NL)
Back to more Threat Analyses and Advisories

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.