Cybersecurity researchers at Akamai have unveiled groundbreaking defensive techniques capable of completely shutting down cryptomining botnets, marking a significant advancement in the fight against cryptocurrency-based cybercrime.
The innovative approach, detailed in the final installment of Akamai’s “Cryptominers’ Anatomy” blog series, demonstrates how defenders can exploit the very infrastructure that malicious actors rely upon to generate illegal revenue from compromised systems.
The emergence of cryptomining malware has become one of the most persistent and profitable cyberthreats facing organizations worldwide.
These sophisticated attacks leverage the distributed computing power of infected machines to mine cryptocurrencies, particularly Monero, due to its privacy-focused attributes that make transactions difficult to trace.
Unlike traditional malware that seeks immediate financial gain through ransom or data theft, cryptominers operate silently in the background, consuming system resources while generating steady revenue streams for their operators over extended periods.
The scale and persistence of these operations have reached alarming proportions, with some campaigns operating continuously for years while generating substantial profits.
Traditional defensive approaches have proven inadequate against the distributed nature of cryptomining botnets, as simply requesting mining pools to ban attacker accounts or attempting to disrupt supporting infrastructure often proves time-consuming and relies heavily on third-party cooperation.
The challenge has been compounded by the sophisticated mining topologies employed by attackers, including the use of mining proxies that conceal both backend infrastructure and wallet addresses, making detection and mitigation significantly more difficult.
Akamai researchers identified a critical vulnerability in the operational design of cryptomining campaigns that could be exploited to achieve immediate and devastating results against malicious operations.
The research team, led by Senior Security Researcher Maor Dahan, discovered that the very protocols and policies designed to protect mining pools from abuse could be weaponized against the attackers themselves.
Their findings revealed that most mining pools implement protective measures against invalid share submissions, automatically banning miners that consistently submit incorrect hash calculations to prevent resource exhaustion on pool servers.
The breakthrough came through the development of two distinct techniques that exploit different mining topologies commonly used by malicious cryptomining operations.
The first technique, dubbed “bad shares,” targets mining proxy configurations where multiple infected victims connect to a single intermediate server that forwards their computational work to the actual mining pool.
The second approach focuses on direct pool connections, exploiting wallet-level policies that mining pools use to prevent abuse from accounts with excessive worker connections.
Exploiting Mining Proxy Infrastructure Through Strategic Share Manipulation
The most devastating of Akamai’s newly developed techniques centers on the exploitation of mining proxy infrastructure, which represents a critical single point of failure in many sophisticated cryptomining operations.
Mining proxies have become increasingly popular among cybercriminals because they provide enhanced operational security by concealing both the target mining pool and the attacker’s wallet address from network detection systems.
However, this centralized architecture creates an exploitable vulnerability that defenders can leverage to bring down entire botnets with surgical precision.
The technique operates by impersonating a legitimate mining client and connecting to the malicious proxy using standard Stratum protocol communications.
Once connected, the defensive tool submits carefully crafted invalid mining job results known as “bad shares” that bypass the proxy’s local validation mechanisms but fail validation at the mining pool level.
The key to this approach lies in understanding the validation logic implemented by popular mining proxy software such as XMRig-proxy, which performs basic checks on submitted shares before forwarding them to the backend pool.
To demonstrate this technique, Akamai researchers developed XMRogue, a specialized tool that automates the process of connecting to mining proxies and submitting consecutive bad shares.
The tool must carefully craft these malicious shares to satisfy the proxy’s validation requirements while ensuring they will be rejected by the mining pool.
This involves parsing job assignment responses from the proxy to extract critical parameters including worker identification, job identification numbers, and nicehash nonce values that must be correctly incorporated into the bad share submission.
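The two pool-side policies the article leans on (a per-connection ban after repeated invalid shares, and a wallet-level cap on worker connections) are easiest to reason about with a small model. The following Python is an added illustration written for this page, not Akamai's XMRogue, XMRig-proxy or any pool's real code: SHA-256 stands in for Monero's RandomX, the share format, thresholds and names (Pool, Proxy, wallet-A, proxy-upstream) are constructed, and the proxy's local check is reduced to "known job id, nonce in range". It shows why a proxy that multiplexes every victim over one upstream connection is a single point of failure: once that connection is banned, the honest victims' valid shares are rejected too, and why direct-connection botnets instead run into the per-wallet worker limit.

```python
"""Toy model of the pool-side anti-abuse policies the article describes.
Added example, not code from the page or from Akamai: SHA-256 replaces
RandomX, the share format is constructed, and the thresholds are assumed."""
import hashlib
import struct
from dataclasses import dataclass

MAX_CONSECUTIVE_INVALID = 3   # assumed pool threshold before a connection is banned
MAX_WORKERS_PER_WALLET = 5    # assumed wallet-level cap on concurrent workers
NONCE_SPACE = 1 << 32         # 32-bit nonce field, as in Stratum job blobs


@dataclass
class Job:
    job_id: str
    blob: bytes
    target: int   # a share is valid when its hash, read as an int, is below target


@dataclass
class Connection:
    wallet: str
    consecutive_invalid: int = 0
    banned: bool = False


def share_hash(job: Job, nonce: int) -> int:
    """Stand-in for the proof-of-work hash: SHA-256 over blob||nonce (assumption)."""
    digest = hashlib.sha256(job.blob + struct.pack("<I", nonce)).digest()
    return int.from_bytes(digest, "little")


class Pool:
    """Validates every share against the target and bans a connection that
    submits MAX_CONSECUTIVE_INVALID bad shares in a row; caps workers per wallet."""

    def __init__(self):
        self.conns = {}
        self.workers = {}
        # Easy target (about 1 in 256 nonces hits) so the demo runs in well under a second.
        self.job = Job("job-1", b"constructed block template", 1 << 248)

    def login(self, conn_id: str, wallet: str) -> str:
        if self.workers.get(wallet, 0) >= MAX_WORKERS_PER_WALLET:
            return "too many workers"                 # wallet-level policy
        self.workers[wallet] = self.workers.get(wallet, 0) + 1
        self.conns[conn_id] = Connection(wallet)
        return "ok"

    def submit(self, conn_id: str, job_id: str, nonce: int) -> str:
        c = self.conns[conn_id]
        if c.banned:
            return "banned"
        if job_id != self.job.job_id or share_hash(self.job, nonce) >= self.job.target:
            c.consecutive_invalid += 1
            if c.consecutive_invalid >= MAX_CONSECUTIVE_INVALID:
                c.banned = True                       # connection-level ban
                return "banned"
            return "rejected"
        c.consecutive_invalid = 0
        return "accepted"


class Proxy:
    """Forwards all clients' shares over ONE upstream connection after only cheap
    local checks (known job id, nonce in range); it never recomputes the hash."""

    def __init__(self, pool: Pool, wallet: str):
        self.pool, self.upstream = pool, "proxy-upstream"
        assert pool.login(self.upstream, wallet) == "ok"

    def submit(self, job_id: str, nonce: int) -> str:
        if job_id != self.pool.job.job_id or not 0 <= nonce < NONCE_SPACE:
            return "rejected locally"
        return self.pool.submit(self.upstream, job_id, nonce)


def nonces(job: Job, valid: bool, count: int, start: int = 0) -> list:
    """First `count` nonces from `start` that are valid (or invalid) for the job."""
    out, n = [], start
    while len(out) < count:
        if (share_hash(job, n) < job.target) == valid:
            out.append(n)
        n += 1
    return out


def simulate_bad_shares() -> dict:
    """One client behind the proxy submits well-formed but wrong shares; the
    proxy's shared upstream connection gets banned and honest shares die with it."""
    pool = Pool()
    proxy = Proxy(pool, "wallet-A")
    job = pool.job
    good = nonces(job, True, 2)
    bad = nonces(job, False, MAX_CONSECUTIVE_INVALID)
    honest_before = [proxy.submit(job.job_id, n) for n in good[:1]]
    rogue = [proxy.submit(job.job_id, n) for n in bad]
    honest_after = [proxy.submit(job.job_id, n) for n in good[1:]]
    return {"honest_before": honest_before, "rogue": rogue,
            "honest_after": honest_after,
            "upstream_banned": pool.conns[proxy.upstream].banned}


def simulate_worker_cap() -> list:
    """Direct-connection topology: the wallet-level worker cap rejects extra victims."""
    pool = Pool()
    return [pool.login(f"victim-{i}", "wallet-B") for i in range(MAX_WORKERS_PER_WALLET + 1)]


if __name__ == "__main__":
    print(simulate_bad_shares())
    print(simulate_worker_cap())
```

Running the module prints the two outcomes: the proxy scenario ends with the upstream connection banned and a previously valid share now answered with "banned", and the direct-connection scenario shows the sixth login for the same wallet refused. The real protocol adds detail the model omits (Stratum JSON-RPC framing, RandomX, NiceHash-style nonce partitioning), but the policy logic is what makes the shared proxy connection the weak point.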