Security researchers from Akamai have released a groundbreaking blog series detailing new tactics to counter cryptominer botnets at scale.
In the final installment of their “Cryptominers’ Anatomy” series, the team showcases two novel, proactive techniques that exploit the very architecture of cryptomining infrastructures to shut down malicious operations.
Cryptominers pose a persistent threat, often hijacking computing resources for illicit gain, and traditional defense methods—such as requesting pool bans or targeting infrastructure—can be slow and unreliable.
Akamai’s new approach turns the tables on attackers by leveraging weaknesses in the mining protocol and in pool policies.
Exploiting Stratum Protocol and Proxy Topologies
The first technique targets cryptominers that use a mining proxy, a typical setup among sophisticated attackers who want to hide their wallet addresses and pool connections.
The Akamai team developed a tool called XMRogue that impersonates a miner to connect to the malicious proxy. By submitting intentionally invalid mining results, known as “bad shares,” to the pool through the proxy, the tool triggers pool-side bans.

Since all compromised machines funnel through the proxy, banning it disrupts the entire botnet.
The researchers demonstrated this by crashing a six-year-old operation: banning a central proxy reduced its hash rate from 3.3 million hashes per second to zero in seconds, resulting in an estimated $26,000 in annual revenue loss for the attacker.
The key to success lies in understanding the Stratum protocol used for mining communications. Attackers must submit valid shares (proofs of work) to the pool to earn cryptocurrency.
Pools protect themselves from abuse by banning IPs or wallets that submit too many invalid shares.
By crafting bad shares that pass the proxy’s own checks (they carry correct worker IDs, job IDs, and nonces), the tool ensures the proxy forwards them to the pool, which then bans the proxy.
This method is highly effective against proxy-based topologies, as the proxy is a single point of failure for the entire botnet.
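To make the pool-side mechanism concrete, here is an added example (not XMRogue and not Akamai’s code) of the validation and ban policy a pool applies to Stratum shares. It models a miniature pool that recomputes each submitted share, counts invalid ones per source IP, and bans the IP once a threshold is reached; it then shows why a proxy is a single point of failure: every bot behind it shares the proxy’s IP, so one ban cuts all of them off while a bot connecting directly is unaffected. The message shapes follow the Monero-style Stratum JSON-RPC login/submit exchange, SHA-256 stands in for the real proof-of-work hash, and the threshold, difficulty, addresses and wallet name are constructed values, not any real pool’s policy.

```python
import hashlib
import json
import struct
from collections import defaultdict

# Constructed example: a miniature Stratum pool that checks every submitted share
# and bans the source IP after too many invalid ones. SHA-256 stands in for the
# real proof-of-work (Monero pools verify RandomX); the threshold and difficulty
# are assumed values, not any real pool's policy.
BAN_AFTER_INVALID = 5
DIFFICULTY = 1000
MAX_HASH = 2 ** 256


def pow_hash(blob_hex: str, nonce: int) -> int:
    """Toy proof-of-work: hash the job blob with a 32-bit little-endian nonce appended."""
    data = bytes.fromhex(blob_hex) + struct.pack("<I", nonce)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def meets_target(h: int, difficulty: int) -> bool:
    """A share is valid when its hash is below MAX_HASH / difficulty."""
    return h < MAX_HASH // difficulty


def find_nonce(blob_hex: str, difficulty: int) -> int:
    """What an honest miner does: try nonces until one meets the target."""
    nonce = 0
    while not meets_target(pow_hash(blob_hex, nonce), difficulty):
        nonce += 1
    return nonce


class Pool:
    def __init__(self) -> None:
        self.jobs = {}                   # job_id -> blob (hex)
        self.workers = {}                # worker_id -> source IP
        self.invalid = defaultdict(int)  # source IP -> invalid-share count
        self.banned = set()              # banned source IPs

    def handle(self, ip: str, line: str) -> dict:
        """Process one Stratum JSON-RPC request line arriving from `ip`."""
        if ip in self.banned:
            return {"error": "IP banned: too many invalid shares"}
        msg = json.loads(line)
        if msg.get("method") == "login":
            return self._login(ip)
        if msg.get("method") == "submit":
            return self._submit(ip, msg["params"])
        return {"error": "unknown method"}

    def _login(self, ip: str) -> dict:
        worker_id = f"w{len(self.workers) + 1}"
        self.workers[worker_id] = ip
        job_id = f"job{len(self.jobs) + 1}"
        self.jobs[job_id] = hashlib.sha256(job_id.encode()).hexdigest()  # constructed blob
        job = {"job_id": job_id, "blob": self.jobs[job_id], "difficulty": DIFFICULTY}
        return {"result": {"id": worker_id, "job": job}}

    def _submit(self, ip: str, p: dict) -> dict:
        # The share must name a worker logged in from this IP and a job we issued.
        if self.workers.get(p.get("id")) != ip or p.get("job_id") not in self.jobs:
            return {"error": "unknown worker or job"}
        h = pow_hash(self.jobs[p["job_id"]], int(p["nonce"], 16))
        if meets_target(h, DIFFICULTY) and p.get("result") == f"{h:064x}":
            return {"result": {"status": "OK"}}
        # Well-formed but wrong: the pool counts it against the source IP.
        self.invalid[ip] += 1
        if self.invalid[ip] >= BAN_AFTER_INVALID:
            self.banned.add(ip)
        return {"error": "low difficulty share"}


def proxy_ban_scenario() -> dict:
    """Two bots behind one proxy IP and one bot connecting directly (constructed)."""
    pool = Pool()
    proxy_ip, direct_ip = "198.51.100.7", "203.0.113.9"  # documentation-range addresses
    login = json.dumps({"method": "login", "params": {"login": "WALLET_PLACEHOLDER"}})
    bot_a = pool.handle(proxy_ip, login)["result"]
    bot_b = pool.handle(proxy_ip, login)["result"]
    direct = pool.handle(direct_ip, login)["result"]

    # Invalid shares arriving via the proxy: valid worker ID, job ID and nonce, wrong result.
    sent = 0
    while proxy_ip not in pool.banned:
        bad = {"id": bot_a["id"], "job_id": bot_a["job"]["job_id"],
               "nonce": f"{sent:08x}", "result": "00" * 32}
        pool.handle(proxy_ip, json.dumps({"method": "submit", "params": bad}))
        sent += 1

    def good_share(worker: dict) -> dict:
        blob = worker["job"]["blob"]
        nonce = find_nonce(blob, DIFFICULTY)
        return {"id": worker["id"], "job_id": worker["job"]["job_id"],
                "nonce": f"{nonce:08x}", "result": f"{pow_hash(blob, nonce):064x}"}

    via_proxy = pool.handle(proxy_ip, json.dumps({"method": "submit", "params": good_share(bot_b)}))
    direct_resp = pool.handle(direct_ip, json.dumps({"method": "submit", "params": good_share(direct)}))
    return {
        "bad_shares_until_ban": sent,
        "proxy_banned": proxy_ip in pool.banned,
        "innocent_bot_via_proxy_accepted": "result" in via_proxy,
        "direct_bot_accepted": "result" in direct_resp,
    }


if __name__ == "__main__":
    print(proxy_ban_scenario())
```

The point the scenario makes is that the pool keys its ban on the source IP, so a proxy that forwards shares without verifying the proof-of-work itself exposes every worker behind it to a collective ban; the same property that lets a defender take down a botnet in one step is a reason legitimate proxy operators should validate shares before relaying them.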
Overcoming Direct Pool Connections with Wallet Flooding
Not all cryptominers use proxies. Some connect victims directly to public pools, making the previous technique ineffective.
Akamai’s second approach exploits pool policies that ban wallets with excessive worker connections.
By flooding the pool with thousands of login requests using the attacker’s wallet address, the pool automatically bans the wallet for a set period, halting all mining activity.
The researchers tested this method on a MoneroOcean campaign, observing a drop in the hash rate to zero after launching the attack.
However, this technique is less permanent: once the flood stops, the attacker’s wallet is unbanned and mining resumes. Still, it forces attackers to either abandon the campaign or risk detection by making significant changes to their infrastructure.
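The pool policy behind this second technique, and the reason its effect is temporary, can be shown with an added example (constructed here, not Akamai’s tool and not MoneroOcean’s code): a per-wallet limit on concurrent worker logins that, when exceeded, drops the wallet’s workers and bans the wallet for a fixed period, after which logins succeed again. The limit, ban length, wallet name and bot counts are assumed values.

```python
from collections import defaultdict

# Constructed example: the per-wallet connection limit a pool enforces, with a
# timed ban that lapses on its own. The limit and ban length are assumed values,
# not the policy of MoneroOcean or any other real pool.
MAX_WORKERS_PER_WALLET = 100
BAN_SECONDS = 600


class WalletPolicy:
    def __init__(self, max_workers: int = MAX_WORKERS_PER_WALLET,
                 ban_seconds: int = BAN_SECONDS) -> None:
        self.max_workers = max_workers
        self.ban_seconds = ban_seconds
        self.active = defaultdict(set)  # wallet -> connection IDs currently logged in
        self.ban_until = {}             # wallet -> time at which the ban lapses

    def is_banned(self, wallet: str, now: float) -> bool:
        return self.ban_until.get(wallet, 0) > now

    def login(self, wallet: str, conn_id: str, now: float) -> bool:
        """Accept or reject a Stratum login; True means the worker may mine."""
        if self.is_banned(wallet, now):
            return False
        self.active[wallet].add(conn_id)
        if len(self.active[wallet]) > self.max_workers:
            # Policy trip: ban the wallet and drop every worker mining to it
            # (assumed behaviour: the ban disconnects existing workers too).
            self.ban_until[wallet] = now + self.ban_seconds
            self.active[wallet].clear()
            return False
        return True

    def disconnect(self, wallet: str, conn_id: str) -> None:
        self.active[wallet].discard(conn_id)

    def mining_workers(self, wallet: str) -> int:
        return len(self.active[wallet])


def flood_scenario() -> dict:
    """Timeline: bots mining, a burst of logins, the ban, the burst ending, the ban lapsing."""
    policy = WalletPolicy()
    wallet = "WALLET_PLACEHOLDER"  # stands in for the campaign's wallet address
    bots = [f"bot-{i}" for i in range(40)]
    t = 0.0
    for b in bots:
        policy.login(wallet, b, t)
    before = policy.mining_workers(wallet)

    # Burst: many logins for the same wallet in quick succession.
    t = 10.0
    flood_accepted = sum(policy.login(wallet, f"flood-{i}", t) for i in range(500))
    during = policy.mining_workers(wallet)
    reconnect_during_ban = policy.login(wallet, bots[0], t + 60)

    # Burst stops; once the ban lapses the bots reconnect and mining resumes.
    t = 10.0 + BAN_SECONDS + 1
    after = sum(policy.login(wallet, b, t) for b in bots)
    return {"workers_before": before, "flood_logins_accepted": flood_accepted,
            "workers_during_ban": during, "reconnect_during_ban": reconnect_during_ban,
            "workers_after_ban_lapses": after}


if __name__ == "__main__":
    print(flood_scenario())
```

The timeline returned by flood_scenario shows the caveat in the text directly: the wallet’s workers are cut off the moment the limit trips, reconnects are refused while the ban is in force, and the same bots log in again once it lapses, which is why the effect lasts only as long as the ban window. From a pool operator’s side, the login burst that trips the policy also looks very different from a botnet’s organic logins (one wallet, hundreds of logins within seconds), so this event is itself worth alerting on.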
Shifting the Balance of Power
Akamai’s research demonstrates that defenders can now proactively disrupt cryptominer botnets by exploiting weaknesses in the mining protocol and in pool policies.
These techniques are non-disruptive to legitimate miners but create significant hurdles for attackers.
As cryptominer threats evolve, Akamai’s insights provide defenders with powerful new tools to protect enterprise resources and reduce the profitability of attackers.