General security

How to profit illegally from Bitcoin … cybercrime and much more

Pierluigi Paganini
May 3, 2013 by
Pierluigi Paganini

The interest in Bitcoin, one of the most popular currency schemas is high, financial world, small savers, merchants and of course, cyber-criminals observing with interest the strong surge of its price and subsequent abnormal oscillations. The most frequent questions about Bitcoin asked by the above actors are:

  • How to make money with Bitcoin?
  • What is the benefit of using Bitcoin currency?
  • Who are the enemies of the virtual currency schema?

Soaring Bitcoin value has attracted above all the interest of cybercrime. Recently, we read of malware authors and botmasters that are trying to exploit new and old channels to steal virtual currency or mine it using the computational resources of the victims.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The number of cyber-crimes related to virtual currency is dangerously increasing. New cyber-threats are menacing both Bitcoin exchanges and Internet users.

Criminals can conduct cyber-attacks to steal Bitcoins from the victim's wallet. They can adopt various techniques, such as use of malware to steal a digital wallet or social engineering attacks, to gather information on Bitcoin user's funds.

Another way to monetize the interest in the virtual coin is the abuse of computational resources of victims. This is by cyber-criminals using a botnet composed of a large number of machines infected with malware equipped with a miner module.

The process of Bitcoin mining requests the resolution of algorithms that became more difficult with the increased of number of Bitcoin present on the global market, according to author Satoshi Nakamoto, to avoid inflationary phenomena. In this scenario, the cyber-criminals need to sustain just the cost of arrangement of the botnet, meanwhile illegally using hardware resources of the victims' CPUs and GPUs. As we will see in this article, there is an economic evaluation of the number of machines that need to be infected to create a prolific business.

The last way to get a profit by Bitcoin is speculating on the value of the Bitcoins. Of course, this is not illegal, but the virtual currencies schema suffers oscillations related to incidents such as a cyber-attack (e.g. DDoS or a Data Breach) that are able to cause a fall in the trust in the digital coin. An ill-intentioned hacker could conduct cyber-attacks against principal exchange services to influence the global level of trust in the currency and consequently its value. In this way, the criminals could acquire or sell huge volumes of the currency, making great profits.

Theft of Bitcoin

The problem of theft of Bitcoin is exactly the same for any other currency, the fact the currency is virtually of course implies that the techniques to steal the coin are quite different.

Theft of Bitcoin can be perpetrated by cyber-criminals to make a direct profit, to attack the virtual currency scheme itself for speculation purposes, or to affect the level of trust on the currency.

The principal methods to steal Bitcons are hacking techniques and malware-based attacks. They could be used in attacks on the Bitcoin exchange or the final user.

The number of Bitcoin thefts during the last years has grown hand-in-hand with the popularity of digital currency. One of the most well-known cases occurred in early 2012 when a group of hackers exploited a vulnerability in the cloud services provider, Linode, that gave them the access to users' digital wallets —stealing a total of 46,703 BTC for a total amount of $228,000. The victims were mainly users of trading platforms such as Bitcoinica (around 43,000 BTC) and private users.

In that case, the attackers compromised a customer service portal to target wallets stored on Linode servers. It is considered the equivalent of a bank robbery. According to the official statement released by Linode after the attacks:

"All activity by the intruder was limited to a total of eight customers, all of which had references to 'Bitcoin,'…The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any Bitcoins. Those customers affected have been notified."

If we go back in time we find another important case of Bitcoin theft. In June 2011, one of the principal Bitcoin exchanges was victim of an attack. The hackers stolen around 400,000 Bitcoins for a total amount of $9 million, but the attack is considered memorable because the quantity of coins illegally obtained corresponded to 6% of all the virtual currency in circulation at that time. 478 accounts have been deprived of 25,000 Bitcoin transferred on the largest currency exchange. Mt. Gox reported the event.

Figure 1 - Bitcoin Value during the attack on June 2011

The following table is a list of principal events ordered by amount of stolen Bitcoin extracted from book "Digital Virtual Currency and Bitcoins – The Dark Webs Financial Market – Exchange & Secrets"

Figure 2 - Principal attacks ordered by amount of stolen Bitcoin

The attacks reported up to this point mainly targeted service providers such as the Bitcoin exchange. As anticipated, another way to steal Bitcoin is to directly attack users exploiting lack of security in their systems and in many cases the total absence of defenses to secure digital wallets.

The simplest way to attack a Bitcoin wallet is to steal/discover its password; the attack against Mt. Gox was possible due hacking that exposed the list of user accounts and password hashes.

The knowledge of the password allows the hackers to compromise the encrypted user's wallet. In these cases, the attack is facilitated by the bad habit of holding coins in an unencrypted wallet.

The wallet encryption doesn't represent a great protection against hacking attacks. Wallets protected with passphrase encryption still remain vulnerable to a replay attack if the host has been compromised by malware, or if malicious code is able to sniff the passphrase using, for example, a keylogger.

There are various methods to protect Bitcoin wallets such as the adoption of "off-line wallets." These are essential defense measures when the total amount of Bitcoin has significant value.

A "hardware wallet" and many others protection mechanisms are listed in the Wiki page "Securing Your Wallet."

The Internet is full of news related to malware designed to steal Bitcoin. Recently, the Webroot blog published an article on malicious code attempting to make money on all sorts of digital transactions. The Webroot Threat Research Department has already detected many malicious campaigns targeting Bitcoin users. The last revelation is on a source code for a Bitcoin Jacker that, once deployed, scans machines searching for Bitcoin wallet files and transmits the data back to the attacker.

The author of the software encourages its users to steal Bitcoin wallet files and then post them on "public" repositories allowing to third actor to decrypt their content by cracking weak passwords to steal the precious coin. As usual, the malware could benefit the bad user habit of choosing weak passwords containing words that are in the dictionary, or passwords that do not contain a mixture of upper case and lower case letters, numbers and symbols.

Figure 3 - Bitcoin Jacker screenshot

To improve the efficiency of the malicious code designed to steal Bitcoin wallets, criminals can compile it with a keylogger, such as Private Keylogger, to grab the passwords related to a stolen wallet file, making them immediately usable.

One of the most malicious malware in history was created with specific intent to steal Bitcoin Infostealer.Coinbit. It is a Trojan horse that attempts to steal Bitcoin wallets stored on Windows machines. During execution, it searches for a Bitcoin wallet on the victim's PC into following path:


If the malware finds a wallet, it tries to send it to the attacker via email using the SMTP server Of course, the malware authors tried to target those wallets that were unencrypted. The malware is dated and fortunately, it hasn't had a wide distribution. The number of instances detected was limited.

Symantec experts discovered its source code on underground forums, which locates the wallet and uploads it to the attacker's servers using FTP protocol. The black market is considered a breeding ground for malware that evolves thanks continuing improvement made by groups of criminals that typically rents or sells their criminal services.

The easiest way to protect a Bitcoin wallet from this type of attack is to encrypt it and avoiding storing it on wide-open indexes on the Web. Let's remember in fact that properly using search engines such as Google, it is possible to locate the wallets with a simple query like the following:

intitle:index.of wallet filetype:dat intitle:index.of "wallet.dat"

Malware-based attacks on Bitcoin wallets aren't a sole prerogative of Windows machines. In November 2011 the Mac malware DevilRobber was spreading in bit-torrent file sharing sites inside copies of a Mac OS X image-editing app called Graphic Converter version 7.4.

According Sophos security firm, the legitimate Apple program was altered by extra code for Bitcoin miners. DevilRobber OSX/Miner-D utilized Mac's GPU (Graphics Processing Unit) for mining activities. In case the malicious code finds the user's Bitcoin wallet it will steal it sending back data to a remote server.

Botnets and Bitcoin

Another way to monetize the use of Bitcoin is to contribute to the generation of new coins, also known as Bitcoin mining. But, to do this, it necessary to solve an algorithm that has increasing complexity related to the number of Bitcoins in circulation. The complexity of the mining process is functionally on the Bitcoin in circulation, according the original idea of Nakamoto, the author of the virtual currency scheme, to avoid inflation phenomenon and more in general to preserve the currency from any kind of speculation.

Cyber-criminals try to exploit the mechanism of Bitcoin mining using computational resources illegally obtained —for example infecting a huge number of machines with malware able to mine Bitcoin as part of a malicious botnet.

In a Bitcoin peer-to-peer architecture, each node could acquire coin blocks sharing its computational resources to solve the cryptographic proof-of-work problem in a Bitcoin mining process that could allow to the user to lead to a reward of up to 50 Bitcoins per block if he were successful in solving a block.

Large botnets could provide necessary computational resources to mine Bitcoins, but also in this case, cyber-criminal organizations have to evaluate the effort carefully to project the possible earnings from their illegal activities. To do this, it is necessary to understand the dimensions of the botnet, evaluating its profitability. To have an idea of assessments made by criminals when they plan to build a botnet, let's analyze the mining power of a single machine with medium computation capabilities that can elaborate roughly one mega-hash/second.

The first problem for the criminals is to recruit a machine to compose the botnet; this is possible spreading a malware equipped with a miner component.

The infection phase could be organized in various ways such as:

  • Compromising a website with a web exploit.
  • Executing a fake and infected version of legitimate software, packaged with malware.
  • Clicking on malicious shortened URLs spammed through Email or social Media platforms (e.g. through Facebook, or Twitter).

Once infected, the malware downloads Bitcoin miners, CPU and GPU drivers exploit computational resources of the victim and uses them in the mining process. Periodically the amount of Bitcoins generated is transferred to one or more wallets managed by cyber-criminals.

To evaluate the productivity of a botnet, let's use one of the various online Bitcoin mining calculators on the Internet: calculator, that allow us to calculate coins produced per day, per week and per month starting from the following input data:

  • Difficulty Factor
  • Hash Rate (mega-hashes / second)
  • Exchange Rate ($/฿)

Using the following parameters today (April 24, 2013) we obtain the following calculation related to a single day of mining activity.

Figure 4 - Bitcoin mining calculator

To evaluate the profitability of a botnet, we have to multiply the obtained data for the number of machines that compose the malicious structure and for the number of days it operates. We assume that the calculations are based on mining constantly for 24 hours using the CPU only at current exchange rate and difficulty factor.

For example, to estimate the earnings for Botnet mining per month for various botnet size

Botnet size (N° of bots) Bitcoin generation monthly rate Botnet profitability

100 $0.21 $ 21

1000 $0.21 $ 210

10000 $0.21 $ 2100

100000 $0.21 $ 21000

The calculation demonstrates that botnet represents an excellent way to monetize Bitcoin mining. We must consider that the malware used to infect machines are usually complex agents that are also able to steal Bitcoin wallets and other information from the host, such as user's banking credentials.

Bitcoin Botnets crowd cyberspace

The soaring price of Bitcoin has caused an increase of the number of botnets designed also to exploit the computational capabilities of the victims. Recently, Security experts from Kaspersky Lab found variant of malware spread via the popular Skype VoIP. The intent of criminals was to spread a malware to build a botnet for Bitcoin mining.

Dmitry Bestuzhev, Kaspersky Lab Expert, published an interesting article on a recent malicious campaign. The researcher, in fact, isolated a new variant of malware that used the popular Skype VoIP client to send messages to the users suggesting that they click on a malicious link to see a picture of themselves online.

Figure 5 - Bitcoin Botnet

Despite the campaign started a few days ago, thousands of victims have been already infected clicking on the malicious link proposed through Skype. Kaspersky estimated around 2000 clicks per hour.

The investigation revealed that the malware hit mainly victims located in Italy then Russia, Poland, Costa Rica, Spain, Germany, and the Ukraine. The initial dropper is downloaded from a server located in India, meanwhile downloads come from the service. Once the victim is infected, the agent drops different pieces of malware to the system. The malicious code connects to its C2 server, with IP address of, located in Germany. Kaspersky team asserts that we are facing with a multi-purpose malware, but the feature that most attracted the experts is the capability to use the computational resources of victims to mine Bitcoin.

This feature is not new, in the past other security firms such as TrendMicro observed malware able to use victims to generate Bitcoins. In this case, the malicious code appears very invasive and noisy because it saturates CPU use for its activities.

Figure 6 - CPU Usage of Malware during Bitcoin Mining

An excerpt from the original post:

"The mentioned process runs with the command "bitcoin-miner.exe -a 60 -l no -o -u -p XXXXXXXX" (sensitive data were replaced by XXXXXX) It abuses the CPU of the infected machine to mine Bitcoins for the criminal. As I said the campaign is quite active. If you see your machine is working hard, using all available CPU resources, you may be infected. The initial dropper is detected by Kaspersky as Trojan.Win32.Jorik.IRCbot.xkt."

The case is not isolated. Other news is circulating online. A Russian porn site, compromised using a Blackhole exploit, is spreading malware with mining capabilities. It is able, in fact, to use the victims' resources to mine Bitcoins, according to the revelation of ThreatTrack Security.

The malware, dubbed "Fareit," is not really new. It has been circulating on the Internet for at least six months infecting Windows machines, but according Dodi Glenn, director of AV Labs at ThreatTrack, it has been modified to "mine" Bitcoin.

The instances of Fareit malware detected have been modified to install a popular Bitcoin mining application called "CG Miner." From the analysis of installed software packages, the researchers have discovered that the authors may have a Russian origin due the presence of a comment written in Cyrillic.

The botnet is increasing in complexity. In a previous article written with colleagues of security firm Group-IB, it was reported a botnet malware was recently found that spreads itself through hacked Twitter accounts and uses C&C. Placed there for communication between the bots, each of the infected machines are added to the Bitcoin mining ring, which helps the cybercriminals to get more Bitcoins with the help of new computational resources.

Figure 7 - Bitcoin Botnet

Some of such malware targets only on the PCs with GPU or efficient CPU to make the process faster. The cases of botnets introduced are just a few samples of possible use of this architecture for mining purposes. In the last month, other botnets such as Skynet and ZeroAccess presented this capability, and you can bet that many more will be discovered in the short term.

Bitcoin and speculative hypothesis

The last possibility to earn with Bitcoin is speculating on its oscillations —fluctuations that could be induced to influence the level of trust of users within the virtual currency schema piloting sales or purchases of huge quantity of coins.

Security experts, economists and of course cyber-criminals noted the relationship cause and effect between the value of digital currency and cyber-attacks against major players in the virtual currency system, such as the Bitcoin exchange service.

According many experts, cybercrime is trying to influence the value of Bitcoin with a series of attacks to principal Bitcoin web platforms, such as Mt.Gox and Instawallet, that suffered different type of offensives —respectively a distributed DDoS attack and a data breach.

Mt. Gox is considered the world's largest and oldest Bitcoin exchange. it handles around about 80% of all U.S. Dollar trades and 70% of all currencies, meanwhile Instawallet is a web storage service for Bitcoin. Mt. Gox requested the support of security company Prolexic, which specializes in DDoS mitigation to stop the cyber-attacks.

Another example of this strategy is confirmed by the recent attack to the Bitcoin Blockchain portal ,which was knocked offline also by a DDoS attack despite the fact the site adopted the proper countermeasures. Security expert Claudio Guarnieri at Rapid7 wrote about botnet Skynet and "the influence he might have on virtual currency scheme", the botmaster recently started launching UDP and SYN flooding DDoS attacks against the Bitcoin exchanges VirWox, BitFloor and Mt. Gox.

  • Following are DDoS commands issued by the operator in the very last days:
  • 21:59 < suda> !udp 53 1000 1100 100 60
  • 22:03 < suda> !udp 53 1000 1100 100 180
  • 22:31 < suda> !syn 443 100 60
  • 03:36 < suda> !syn 443 100 30
  • 03:44 < suda> !syn 443 100 5
  • 03:52 < suda> !syn 443 100 1
  • 04:06 < suda> !syn 443 1000 1
  • 17:05 < suda> !syn 443 100 10
  • 17:06 < suda> !syn 443 10 5
  • 17:22 < suda> !syn 443 1000 1

The concept is that cyber-crime can influence currency value taking advantage of its fluctuations, but despite that, many experts believe that cyber-criminals are trying to exploit the business opportunity given by Bitcoin instability. Many others assert that in reality the attacks are not conducted by cybercrime, but state-sponsored hackers that try to destabilize any virtual currency schema. Bitcoin is not centralized; it is a currency that avoids the control of any authority. That's why it is opposed by various governments. Of all the methods discussed frankly, that this is harder to conceive, but cyber-crime is a cutthroat industry and the dynamics sometimes unpredictable. It is for this reason that it is not possible to rule out any hypothesis.


This article proposed various ways to illegally monetize Bitcoin virtual currency scheme. Of course cyber-crime is considered a principal actor, but it's not a mystery that law enforcement and financial institutions are deeply opposed to a system where it is impossible to apply a centralized control.

In 2012, the editorial staff of Wired has obtained a non-classified document, titled "Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity," prepared by the FBI related to the Bitcon system.

The report highlights the difficulty in obtaining information on suspicious transaction records and the impossibility of tracking users that made them.

Bitcoin, and more in general any other virtual currency schema, has introduced a revolutionary and uncomfortable concept of decentralization of the currency. The concept is at odds with the monopoly power of governments that are the only holders of the issue of currency. Such a system brings into question the legitimacy of monetary policies in a global and digital economy.

The complete control of the monetary system allows governments to define the price of money by controlling the market. The real danger of digital money, above the vulnerabilities in its processes, is the impossibility for the governments to exert control over financial flows. This could lead to a distortion of the main mechanisms of control and taxation, bringing total chaos in a market already in disarray and promoting the development of illegal activities through the coverage of cash flows.

Starting from these premises, do you think that only criminals are interested in attacking virtual currencies such as the Bitcoin?

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.