Researchers reveal novel techniques for disrupting malicious cryptominer campaigns using bad shares and the XMRogue tool.

Cybersecurity researchers have developed and demonstrated two novel techniques to disrupt and even shut down malicious cryptominer campaigns, significantly reducing attackers’ revenues and freeing infected machines from exploitation. These methods were detailed in recent reports by Akamai and have shown real-world effectiveness against large-scale botnets.

Bad Shares Exploit

This approach targets the Stratum mining protocol, which is widely used by cryptomining operations. Many malicious miners use a proxy server to aggregate mining activity from infected machines before submitting results to a mining pool. By impersonating a miner and connecting to the malicious proxy, defenders can deliberately submit invalid mining results, known as “bad shares.”

Mining pools are designed to detect and penalize repeated invalid submissions by banning the source. If enough bad shares are submitted through the proxy, the pool bans the proxy, instantly halting all mining activity coordinated through it. This causes CPU usage on victim machines to drop from 100% to zero, effectively disabling the entire cryptomining botnet.
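As an added illustration (not code from the Akamai research or from XMRogue), the following Python models the pool side of what is described above: the pool recomputes every Stratum share instead of trusting the claimed hash, counts consecutive invalid shares per source address, and bans the source, so a proxy that fronts many infected hosts takes all of them down with it. The job values, proxy address and ban threshold are constructed, and sha256 stands in for the real proof-of-work hash.

```python
import hashlib
import json
from collections import defaultdict

# Constructed job (hypothetical values). Real Monero pools verify RandomX; sha256 stands
# in here so the example runs anywhere. A share is valid when hash < 2^256 / difficulty.
JOB = {"job_id": "job-1", "blob": "deadbeef" * 8, "difficulty": 16}
BAN_THRESHOLD = 5  # consecutive invalid shares before a source address is banned
def pow_hash(blob_hex: str, nonce: int) -> bytes:
    return hashlib.sha256(bytes.fromhex(blob_hex) + nonce.to_bytes(4, "little")).digest()
def meets_target(digest: bytes, difficulty: int) -> bool:
    return int.from_bytes(digest, "little") < (1 << 256) // difficulty

def submit_msg(nonce: int, result_hex: str) -> str:
    # Stratum 'submit' as one JSON-RPC line, the shape xmrig-style miners send
    return json.dumps({"id": 1, "jsonrpc": "2.0", "method": "submit", "params": {
        "id": "worker", "job_id": JOB["job_id"], "nonce": f"{nonce:08x}", "result": result_hex}})

class Pool:
    """Minimal model of a pool's share validation and per-source ban policy."""
    def __init__(self):
        self.bad = defaultdict(int)  # consecutive invalid shares per source address
        self.banned = set()

    def handle(self, source_ip: str, line: str) -> dict:
        if source_ip in self.banned:
            return {"error": "banned"}
        p = json.loads(line)["params"]
        digest = pow_hash(JOB["blob"], int(p["nonce"], 16))  # recompute; never trust the claim
        if (p["job_id"] == JOB["job_id"] and digest.hex() == p["result"]
                and meets_target(digest, JOB["difficulty"])):
            self.bad[source_ip] = 0
            return {"result": {"status": "OK"}}
        self.bad[source_ip] += 1
        if self.bad[source_ip] >= BAN_THRESHOLD:
            self.banned.add(source_ip)
        return {"error": "Low difficulty share"}

def simulate():
    pool, proxy_ip = Pool(), "198.51.100.7"  # one proxy fronting many infected hosts
    nonce = 0
    while not meets_target(pow_hash(JOB["blob"], nonce), JOB["difficulty"]):
        nonce += 1  # honest miner: search until the hash meets the target
    good = submit_msg(nonce, pow_hash(JOB["blob"], nonce).hex())
    bad = submit_msg(0xFFFFFFFF, "00" * 32)  # forged result; recomputation rejects it
    accepted = pool.handle(proxy_ip, good) == {"result": {"status": "OK"}}
    for _ in range(BAN_THRESHOLD):
        pool.handle(proxy_ip, bad)
    # Every miner behind the proxy now shares its fate: even valid work is refused
    return accepted, proxy_ip in pool.banned, pool.handle(proxy_ip, good)
```

Once the source address is banned, the pool refuses even correctly computed shares from it, which is why CPU-bound mining behind the banned proxy stops earning anything.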

XMRogue Tool

To automate and scale this technique, researchers created XMRogue (available on GitHub), a custom tool that impersonates a miner, connects to the mining proxy, and submits consecutive bad shares. XMRogue is engineered to bypass the proxy’s validation, ensuring the bad shares reach the mining pool and trigger a ban on the proxy. In a real-world test, using XMRogue on a botnet proxy reduced its hashrate from 3.3 million to zero and cut the attackers’ annual revenue by 76%, from nearly $50,000 to $12,000. Targeting additional proxies could potentially reduce revenue to zero.

Direct Pool Connection Attack

Some cryptominer campaigns connect infected machines directly to public mining pools without using a proxy. For these scenarios, XMRogue can disrupt operations by sending a large number of simultaneous login requests with the attacker’s wallet address, triggering the pool’s anti-abuse mechanisms and temporarily banning the wallet. This can momentarily halt the malicious mining, though the effect is reversible when the attack stops.

Impact and Significance

These techniques exploit fundamental aspects of mining pool policies and the architecture of cryptominer botnets, turning the attackers’ own infrastructure into a point of failure. The result is a dramatic reduction in illicit mining activity and revenue, forcing attackers to either overhaul their infrastructure—making them more vulnerable to detection—or abandon their campaigns altogether. Importantly, these methods are designed to target only malicious mining operations, leaving legitimate miners unaffected.