Criminal steals $83,000 by redirecting cryptocurrency miners’ traffic

At the beginning of this year, a malicious person stole $83,000 worth of cryptocurrency in about four months. He did this by redirecting connections from existing miners to a hijacked mining pool, Dell Secureworks discovered.

The hijacker was able to intercept the traffic using the border gateway protocol. That protocol, which previously seemed insecure, is based on trust and allows different networks to connect to each other. The hijacker used a false broadcast for its attack.

The attacker was able to redirect traffic from 51 connections between February and May this year to a hijacked mining pool, a partnership of miners. The connections belonged to 19 ISPs, including Amazon.

The hijacker reportedly stole about $ 83,000, converted almost 62,000 euros. Bitcoin and Dogecoin miners, among others, were affected. Although the first signs appeared in March that someone was deliberately diverting traffic for their own benefit, it was only later that those affected took action by adding a separate rule to the firewall. As a result, the traffic destined for the hijacked mining pool was blocked.

The researchers at Dell Secureworks say they were able to redirect the traffic intended for the attacker back to a router of a Canadian ISP. The hijacker has not been identified, but investigators believe an employee, a former employee or a hacker is behind the attack. The investigators have notified all affected ISPs, but no one has yet been arrested.

The chance that a similar lucrative attack will occur more often, according to Dell Secureworks, is minimal. “The border gateway protocol requires both networks to be manually configured and thus familiar with each other. Human interaction makes the protocol fairly secure, as ISPs don’t just connect to anyone without a valid reason. These hijacks and miner references would would not have been possible without peer-to-broadcast routes,” the researchers said.