Cryptocurrency mining is the race to produce the next block in a cryptocurrency’s blockchain and earn the reward. To do this, individual miners group together to distribute the effort of producing the next block and share the reward if one of the group is the first to do so. To track who deserves part of the reward and how big their part should be, miners send credential information to the pool when they register.
Our research aimed to identify mining credentials and use them to differentiate insider threats from wide-spread malware. We extracted user credentials from network traffic using Deep Packet Inspection and our knowledge of crypto-mining communication protocols, such as getblocktemplate or stratum.
We found that credentials usually include a cryptocurrency-wallet or email address. Sometimes, email addresses tell us something about the person or group responsible for the mining device.
We also compared each credential to all others seen across all mining traffic. We found that some credentials appear in a range of unrelated compromises, which suggests they are likely associated with widely-spread malware. By contrast, credentials that appear only once are more likely to result from an insider compromise. As we can now track observed mining credentials, we can also detect when new credentials are used.