Today, hackers, cybersecurity researchers, and law enforcement are in a constant game of cat and mouse on the internet. Two newly published techniques abuse the Stratum mining protocol and the ban policies of the mining pools that speak it to get either the attacker's mining proxy or the attacker's wallet banned. Neither technique touches the malware on the victim hosts, yet each one effectively cripples the botnet and represents a real step toward shutting down illegal mining operations.

Exploiting the Stratum Mining Protocol

The newly uncovered tactics focus on abusing the Stratum mining protocol, the communication protocol that most cryptocurrency miners, mining proxies, and pools use to hand out work and report results. Because a researcher can speak Stratum just as a miner does, carefully chosen Stratum traffic can trigger a ban on either the mining proxy or the attacker's wallet, thereby disrupting the entire mining operation.

As Akamai security researcher Maor Dahan recently illustrated, these relatively low-tech methods can go a long way toward shutting down mining operations. They work primarily by abusing the Stratum mining protocol and the pools' own ban policies. The result is that the attacker's mining proxy or wallet is banned, which breaks the cryptocurrency mining botnet.

"Bad Shares" and XMRogue

The first method, often referred to simply as "bad shares", works by getting the attacker's mining proxy kicked off the pool. It relies on Akamai's homegrown XMRogue tool, which impersonates a miner and connects to the attacker's mining proxy just as an infected host would.

XMRogue then submits a run of consecutive invalid shares, as many as the pool tolerates, through the proxy. The pool attributes the bad shares to the proxy and bans it. Because every infected machine mines through that proxy, the ban halts the entire farm at once, and the victim's CPU usage drops from 100% to 0%.

We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign. - Maor Dahan

Targeting Public Pools Directly

The second approach covers the case in which a victim miner connects straight to a public pool instead of going through a proxy. Public pools enforce a ban policy of their own: when 1,000 or more workers are associated with a single wallet address, the pool blacklists that address for one hour.

By opening more than 1,000 concurrent login requests that use the attacker's wallet address, researchers can trip that policy and force the pool to ban the attacker's wallet. Every mining operation that pays into that wallet is immediately shut down for the duration of the ban.
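The following simulation, written for this page as an added example and not code from Akamai or XMRogue, shows both ban policies from the pool's side: the "bad shares" ban of a proxy address described in the XMRogue section above, and the 1,000-worker wallet ban from this section. The 1,000-worker limit and one-hour ban are the article's; the consecutive-bad-share limit, the IP ban length, the error strings, the toy hash and the pool logic itself are assumptions invented for illustration. Message shapes follow the xmrig-style JSON-RPC Stratum dialect (login and submit), nothing touches a network, and the attacker's proxy is modelled as one source IP shared by the victim's bot and the rogue miner.

```python
"""Constructed simulation of the two pool-policy bans described above: an added
example, not XMRogue and not any pool's code. Pool logic, error strings, the toy
hash and thresholds marked ASSUMPTION are invented; the 1,000-worker limit and
one-hour ban are the article's. Messages follow the xmrig-style JSON-RPC Stratum
dialect (login/submit); the attacker's proxy is modelled as one source IP."""
import hashlib
import secrets

WORKER_BAN_THRESHOLD = 1000   # workers on one wallet address (article)
WORKER_BAN_SECONDS = 3600     # one hour (article)
BAD_SHARE_BAN_THRESHOLD = 5   # ASSUMPTION: consecutive invalid shares before an IP ban
BAD_SHARE_BAN_SECONDS = 600   # ASSUMPTION: length of that IP ban

def toy_hash(blob_hex, nonce_hex):
    """Stand-in for the real PoW hash; the pool recomputes it to verify a share."""
    return hashlib.sha256(bytes.fromhex(blob_hex) + bytes.fromhex(nonce_hex)).hexdigest()

def login_msg(rid, login):
    return {"id": rid, "jsonrpc": "2.0", "method": "login",
            "params": {"login": login, "pass": "x", "agent": "xmrig/6.21.0"}}

def submit_msg(rid, sid, job_id, nonce, result):
    return {"id": rid, "jsonrpc": "2.0", "method": "submit",
            "params": {"id": sid, "job_id": job_id, "nonce": nonce, "result": result}}

def err(rid, message):
    return {"id": rid, "jsonrpc": "2.0", "result": None, "error": {"code": -1, "message": message}}

class Pool:
    """Minimal pool enforcing the two ban policies; `clock` is simulated seconds."""
    def __init__(self):
        self.clock, self.sessions, self.bad_streak = 0.0, {}, {}
        self.banned_ips, self.banned_wallets = {}, {}    # key -> ban expiry time

    def banned(self, table, key):
        return table.get(key, -1.0) > self.clock

    def handle(self, ip, msg):
        if self.banned(self.banned_ips, ip):
            return err(msg.get("id"), "IP address is banned")
        if msg.get("method") == "login":
            return self._login(ip, msg.get("id"), msg["params"])
        return self._submit(ip, msg.get("id"), msg["params"])

    def _login(self, ip, rid, params):
        wallet = params["login"].split(".", 1)[0]        # login is "<wallet>.<worker name>"
        if self.banned(self.banned_wallets, wallet):
            return err(rid, "wallet address is banned")
        if sum(s["wallet"] == wallet for s in self.sessions.values()) + 1 >= WORKER_BAN_THRESHOLD:
            # Policy 2: too many workers on one address -> ban the wallet and kick its workers
            self.banned_wallets[wallet] = self.clock + WORKER_BAN_SECONDS
            self.sessions = {k: v for k, v in self.sessions.items() if v["wallet"] != wallet}
            return err(rid, "too many workers, wallet address banned")
        sid = secrets.token_hex(8)
        job = {"blob": secrets.token_hex(16), "job_id": secrets.token_hex(4)}
        self.sessions[sid] = {"ip": ip, "wallet": wallet, "job": job}
        return {"id": rid, "jsonrpc": "2.0", "error": None, "result": {"id": sid, "job": job, "status": "OK"}}

    def _submit(self, ip, rid, params):
        sess = self.sessions.get(params.get("id"))
        if sess is None or sess["ip"] != ip:
            return err(rid, "unauthenticated")
        try:
            ok = (params.get("job_id") == sess["job"]["job_id"] and
                  toy_hash(sess["job"]["blob"], str(params.get("nonce"))) == params.get("result"))
        except ValueError:                               # malformed hex from a rogue miner
            ok = False
        if ok:
            self.bad_streak[ip] = 0
            return {"id": rid, "jsonrpc": "2.0", "error": None, "result": {"status": "OK"}}
        self.bad_streak[ip] = self.bad_streak.get(ip, 0) + 1
        if self.bad_streak[ip] >= BAD_SHARE_BAN_THRESHOLD:
            # Policy 1: ban the source address and drop every session behind it; when that
            # address is the attacker's proxy, the whole farm behind it stops earning.
            self.banned_ips[ip] = self.clock + BAD_SHARE_BAN_SECONDS
            self.sessions = {k: v for k, v in self.sessions.items() if v["ip"] != ip}
            return err(rid, "too many invalid shares, IP address banned")
        return err(rid, "invalid share")

def bad_shares_scenario():
    """Technique 1: a rogue miner floods invalid shares through the attacker's proxy address."""
    pool, proxy_ip = Pool(), "203.0.113.10"              # constructed documentation address
    victim = pool.handle(proxy_ip, login_msg(1, "4AttackerWallet.victim-bot"))["result"]
    job, good = victim["job"], toy_hash(victim["job"]["blob"], "0000002a")
    before = pool.handle(proxy_ip, submit_msg(2, victim["id"], job["job_id"], "0000002a", good))
    rogue = pool.handle(proxy_ip, login_msg(3, "4AttackerWallet.rogue"))["result"]
    for i in range(BAD_SHARE_BAN_THRESHOLD):             # garbage result every time
        pool.handle(proxy_ip, submit_msg(10 + i, rogue["id"], rogue["job"]["job_id"], "00000000", "ff" * 32))
    after = pool.handle(proxy_ip, submit_msg(99, victim["id"], job["job_id"], "0000002a", good))
    return {"victim_share_accepted_before": before["error"] is None,
            "proxy_banned": pool.banned(pool.banned_ips, proxy_ip),
            "victim_share_accepted_after": after["error"] is None}

def worker_flood_scenario():
    """Technique 2: 1,000+ concurrent logins on the attacker's wallet get the wallet banned."""
    pool, wallet = Pool(), "4AttackerWallet"
    rejected = 0
    for i in range(WORKER_BAN_THRESHOLD + 5):
        reply = pool.handle("198.51.100.%d" % (i % 200 + 1), login_msg(i, "%s.flood-%04d" % (wallet, i)))
        rejected += reply["error"] is not None
    banned = pool.banned(pool.banned_wallets, wallet)
    during = pool.handle("192.0.2.7", login_msg(9000, wallet + ".victim-bot"))
    pool.clock += WORKER_BAN_SECONDS                     # let the one-hour ban lapse
    later = pool.handle("192.0.2.7", login_msg(9001, wallet + ".victim-bot"))
    return {"flood_logins_rejected": rejected, "wallet_banned": banned,
            "victim_login_during_ban": during["error"] is None,
            "victim_login_after_ban": later["error"] is None}
```

Running `bad_shares_scenario()` shows the victim bot's honest share accepted, then rejected once the rogue miner's run of bad shares has banned the shared proxy address; `worker_flood_scenario()` shows the 1,000th login tripping the wallet ban (that login and the five after it are rejected), the real victim locked out for the simulated hour, and the wallet usable again once the ban lapses. The point a defender should take from the model is that both bans key on something the attacker cannot easily change mid-campaign, the proxy's address or the payout wallet, which is why the technique forces infrastructure changes rather than a simple reconnect.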

In short, Akamai developed these two approaches to combat cryptocurrency mining botnets. Both stop mining operations by targeting the Stratum mining protocol and the ban policies of the pools that speak it, getting the attacker's proxy or wallet banned instead of chasing the malware on each infected host.