Start Free Trial

Identifying Illicit Bitcoin Miners in Your Network

[fa icon="calendar"] Sep 1, 2014 11:00:00 AM / by Josep Sanjuas

One of our customers found that one individual had been running for months an illicit Bitcoin mining operation that pumped his employer’s electricity bill to pocket some Bitcoin. This post explains how Talaia was able to flag this activity (and how it can do the same for you).

Background: Bitcoin


Bitcoin is an exciting technology. In a nutshell, it is a form of “internet money” that runs on a peer-to-peer network with no central authority. It allows any person or organization to receive direct payments over the Internet, skipping any middle men.

Bitcoin MiningBitcoin is widely perceived to be a disruptive technology that can some day compete with other forms of payment. For example, it could one day replace Paypal or credit cardbit coins. Bitcoin has experienced a meteoric rise in both attention and value. It has multiplied its value by ~600 in the last four years (as of this writing), and is now thriving. It is estimated that Venture Capital firms will invest a cool $300 million on Bitcoin centric startups in 2014.

Arguably, the most widely misunderstood aspect of Bitcoin is mining. Bitcoin is hard to grasp, and some aspects of it seem almost magical, especially for those who do not have a background in Computer Science and cryptography.

There are many resources that explain Bitcoin mining better than I would mange to (check for example this video). But let me give a very simplified view in this post. In essence, a Bitcoin miner contributes computing power to the network by performing a huge number of calculations. The more aggregate computing power that Bitcoin miners contribute, the more secure Bitcoin becomes.

But computing power does not come for free: it requires high-end hardware that is power hungry. To offset these costs, Bitcoin rewards miners for their contribution to the network by awarding them coins. The reward is fixed (currently, 25 coins every 10 minutes) and miners share it, proportionally to the computing power they contributed.

Mining Pools

Another interesting aspect of Bitcoin mining is the phenomenon of mining pools. For reasons that escape the scope of this post, Bitcoin rewards miners in a peculiar way. I would need paragraphs to explain all details, so let me simplify it to the following analogy: Bitcoin runs a lottery roundbit coin every 10 minutes. In each round, each miner has an amount of tickets proportional to the computing power he or she contributes. In each round, a single winner takes down the full prize. (Again, this is only an analogy, but the end result is roughly equivalent.)

This means that miners that have little computing power could have to wait for months or years to win the next lottery round, depending on their luck. Instead, miners form alliances called pools, where they aggregate their computing power. This increases their chances of winning a reward sooner, which they split. This does not give them higher rewards, but it makes their income more steady and predictable.

Mining Profitability

Many individuals and companies have been attracted to Bitcoin mining (akin to the gold mining rush). However, since miners share the rewards, the sheer number of miners that have joined the network have made mining a marginally profitable endeavor, as rewards are split among more and more miners.

So, how can a miner stay profitable? The main cost of an ongoing mining operation is electric power. Miners who manage to squeeze more computing power will get a larger share of the reward per watt. Those who use inefficient mining hardware will fall behind. Their electricity bill will be higher than the mining rewards, thus becoming unprofitable.

Illicit Mining Operations

Besides optimizing hardware for power efficiency, there is another way to run a profitable mining operation. Can you guess how? By stealing electric power. When crooks mabit coinnage to find a source of electric power, they can profit from it by running an illicit Bitcoin mining operation. Ongoing mining costs drop to zero, and they can reap the rewards of participating in mining while making somebody else pay for the costs.

I still have not found on the news any instance of an illegally powered data center devoted to Bitcoin mining. This would be a hard one to pull off. However, illicit mining operations are happening today: we are not being hypothetical. There are two ways in which this is already happening. One is via malware, the other is to abuse easy-to-grab power sources.

Bitcoin mining malware has been spotted in the wild. This is a particularly insidious form of malware: it steals energy from unsuspecting computer owners, and turns it into money for the creators of the malware. Crooks gain access to large numbers of infected computers, and push their mining malware to maximize profits (or damage, depending on the point of view).

The second way one can run a Bitcoin mining operation without paying for the electricity bill is to steal it from their employer, tenant, or whatever available source. This is happening today: see hereor here.

Detecting Miners

The definitive way to detect illicit Bitcoin mining operations is by tracking power usage. However, today, many organizations and companies are not going that far in terms of accounting for power usage. This is natural since, until Bitcoin was born, there was little potential for abuse.

An alternative way is to detect miners by inspecting network traffic. This can be achieved by checking for computers that connect to well-known Bitcoin mining platforms or participate in the Bitcoin P2P network. Note that the former is a red flag that indicates mining activity, while the latter merely raises suspicion.

Talaia

Talaia is our cloud-based network visibility service. Its main strength is that it can run as a service. That is, it does not require the deployment of any extra hardware or software in your network. Instead, you merely need to configure your switches to send us aggregate traffic reports. This is achieved using industry-standard protocols such as NetFlow, IPFIX or sFlow. So, you simply set up your instance, send it your NetFlow data, and gain visibility over your network traffic.

Behind the scenes, Talaia uses a complex machine learning based algorithm to tell which application generated each connection (for example, bittorrent, SSH, web, etc). We extended this algorithm to detect Bitcoin as follows. First, we feed it an updated list of nodes that participated in the Bitcoin P2P network. Second, we also fed it a list of IP addresses that correspond to the most popular mining services. This way, Talaia is able to perform Bitcoin mining detection.

We are not aware of any similar network visibility product that has Bitcoin mining detection capabilities, so I will go ahead and assume that Talaia is the first network visibility product that can detect Bitcoin mining.

Flagging an Illicit Mining Operation

Talaia flagged an illicit miner in a customer’s corporate network. (While this customer allowed us to publish this story, we are intentionally vague.) Talaia raised an alarm after detecting connections to Bitcoin mining pool ghash.io, the #1 mining pool in terms of aggregate computing power at the time of this writing.


Screen Shot 2016-11-07 at 19.42.21.pngScreenshot of a Bitcoin mining anomaly detected by Talaia

Screen Shot Talaia
Screenshot of a traffic search in Talaia revealing Bitcoin mining activity

The traffic archive of Talaia revealed the machine was being remotely accessed via a web console. Investigations also revealed that this mining operation had been running for months, until mining detection was implemented in Talaia.

This short story not only confirms that the threat of illicit bitcoin mining is very real, but also highlights the importance of network visibility. In order to properly manage a network, and by extension, an IT infrastructure, you need to install the right set of tools to give you visibility over what is happening in it. We kindly ask you to consider Talaia if you are looking for a network visibility product. 

Written by Josep Sanjuas