Your Device And Your Power, My Bitcoin Part II

Forbes Technology Council
POST WRITTEN BY
Song Li

In my previous article, I explained how engineers built miner machines -- dedicated computing devices for mining cryptocurrencies -- and how miners work together to get hashing jobs from mining pools. In this article, I will explain how attackers obtain cryptocurrencies without paying for the power, or the device.

Stealing Cryptocurrencies

Stealing cryptocurrencies is no different from stealing other currencies that can be circulated online. If the attacker has access to the account from which the currency is being transferred, or the attacker can convince the transfer process that his account is the destination, then the attack is successful. In my previous article, I explained that when a miner machine wins a Bitcoin, the award is credited to the account that the machine reports. An attacker can reconfigure the miner machine to report the attacker's account as its own, and all the awards for this miner machine will be deposited to the attacker's account.

If the attacker has control over one device on the network connecting the mining pool and the mining facilities, the attacker can also perform a common trick called a man-in-the-middle (MITM) attack. The attacker can replace the reported miner account with his account when sending the data to the mining pool and become the beneficiary of the miner's hard work.
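The two account-substitution cases above (a reconfigured miner and a man-in-the-middle rewrite) can be told apart by comparing the account a miner announces at two capture points. The following is an added example, not code from the article or from any mining pool. It assumes the miners speak plaintext Stratum v1 (a protocol the article does not name), that usernames follow the common `account.worker` form, and that both captures are keyed by the miner's own IP; the inventory, addresses and log lines are constructed.

```python
import json

# Assumption: the operator's own inventory of miner IP -> expected pool account.
EXPECTED = {"10.0.0.11": "alice_pool", "10.0.0.12": "alice_pool", "10.0.0.13": "alice_pool"}

def authorized_accounts(lines):
    """Map miner IP -> account named in its Stratum v1 mining.authorize request."""
    seen = {}
    for line in lines:
        src, _, payload = line.partition(" ")
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError:
            continue  # not a JSON-RPC line, skip it
        if not isinstance(msg, dict) or msg.get("method") != "mining.authorize":
            continue
        params = msg.get("params") or []
        if params and isinstance(params[0], str):
            seen[src] = params[0].split(".", 1)[0]  # keep the account, drop the worker name
    return seen

def audit(miner_side, egress_side, expected=EXPECTED):
    """Classify each miner by where its reported account stops matching the inventory."""
    near_map = authorized_accounts(miner_side)
    far_map = authorized_accounts(egress_side)
    findings = {}
    for ip, want in expected.items():
        near, far = near_map.get(ip), far_map.get(ip)
        if near is None:
            findings[ip] = "no authorize seen"
        elif near != want:
            findings[ip] = "miner reconfigured"   # wrong account already leaves the device
        elif far is None:
            findings[ip] = "not seen at egress"
        elif far != near:
            findings[ip] = "changed in transit"   # correct at the miner, different upstream
        else:
            findings[ip] = "ok"
    return findings

# Constructed sample captures, one "<miner ip> <json line>" per entry.
MINER_SIDE = [
    '10.0.0.11 {"id": 1, "method": "mining.subscribe", "params": []}',
    '10.0.0.11 {"id": 2, "method": "mining.authorize", "params": ["alice_pool.rig1", "x"]}',
    '10.0.0.12 {"id": 2, "method": "mining.authorize", "params": ["mallory_pool.rig2", "x"]}',
    '10.0.0.13 {"id": 2, "method": "mining.authorize", "params": ["alice_pool.rig3", "x"]}',
]
EGRESS_SIDE = [
    '10.0.0.11 {"id": 2, "method": "mining.authorize", "params": ["mallory_pool.rig1", "x"]}',
    '10.0.0.12 {"id": 2, "method": "mining.authorize", "params": ["mallory_pool.rig2", "x"]}',
    '10.0.0.13 {"id": 2, "method": "mining.authorize", "params": ["alice_pool.rig3", "x"]}',
]
```
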

Attacking a mining pool is just like attacking any website -- when an attacker gains root access to a mining pool, moving the cryptocurrency between accounts becomes as easy as moving money across bank accounts. Mining pool accounts are not necessarily directly connected to the blockchain system. When a miner owner receives a bitcoin deposit in her pool account, she needs to check if the bitcoin is also deposited into her bitcoin wallet.

Stealing CPU Cycles And Power

Not every attacker in the cryptocurrency world has access to miner machines or routers along the way from mining facilities to mining pools, but attackers are never short of creativity. Some attackers focus on stealing central processing unit (CPU) cycles from internet of things (IoT) devices. In October 2016, the Mirai botnet launched its first well-known attack. Using hundreds of thousands of infected IoT devices, Mirai rendered Dyn's domain name system (DNS) servers inaccessible by flooding them with traffic. While this kind of distributed denial of service (DDoS) attack made Mirai famous, most cybersecurity researchers believe the attacker(s) did not profit from this attack.

Attackers soon switched their focus from attacking servers and websites to using infected devices to mine cryptocurrencies. The infected devices (mostly internet protocol (IP) cameras with weak default credentials) are not powerful enough to compete against application-specific integrated circuit (ASIC) mining machines when it comes to mining bitcoins, so attackers use those devices to mine other cryptocurrencies. Monero is a popular choice because it's relatively easy to obtain and has a higher price than other cryptocurrencies.

Most owners of the infected devices are not aware of the fact that their devices are working for two owners. They are working as a camera, Wi-Fi router or printer for the people who bought them and plugged them into the grid and are simultaneously working for attackers who have root access to the devices, consuming the power and bandwidth of their owner and contributing cryptocurrencies to the attackers.

Another way of stealing CPU cycles is to infect popular websites with scripts that run on visitors' browsers when they visit the website. When a visitor loads an infected webpage, the script starts to run inside the browser of the visitor's computer, consuming CPU cycles and power to mine for cryptocurrencies.

Summary

In the first part of this miniseries, using Bitcoin as an example, I discussed how cryptocurrencies are created and how people built powerful computing machines in order to win the computing power arms race. I explained how miner machines are organized to mine bitcoin and share the profit. In this piece, I examined several ways cyber attackers can steal cryptocurrencies, either from different places in the mining ecosystem or by stealing power and device CPU cycles from infected IoT devices and converting them into cryptocurrencies.
