For the past few months, a “ghost” has been haunting Chinese bitcoin miners. A mysterious hacker has implanted a virus in mining machines, demanding a bitcoin ransom or that victims induce more machines to get infected, according to a report by local crypto media Yibenchain.

hAnt – hacking Antminer

According to a bitcoin miner under the pseudonym cC, on the evening of Jan 5 his miners’ management interface suddenly turned green, with an ant in the middle and mining pickaxes on both sides. Clicking the green screen, a message would pop up reading (in both English and Chinese):

Image credit to Yibenchain

“I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer’s fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the ‘Diwnload firmware patch’ button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking.”

The virus name, hAnt, suggests that it specifically targets Antminers. Mining pool BTC.Top founder Jiang Zhuo’er told us that they had been tracking it for a long time. According to the data he has collected, the virus has been detected on the Antminer bitcoin miners S9 and T9 and even on the litecoin miner L3+. It is a Linux-based virus, so it could be present on a PC or an Antminer alike.

The hacker threatens to burn the mining machine, and even the house, if miners refuse to spread the virus or pay the 10 BTC ransom. In fact, few would comply, since the infection is not difficult to fix. According to cC, the first solution is to format the SD card of the infected miners, that is, to flash new operating firmware, but it takes a long time, almost 4 days, during which the downtime of his machines cost him thousands of yuan; if that doesn’t work, mining operators can go further and replace the byte library and the control panel, or even sell the machines.

Overclocking firmware the culprit

According to Jiang, it is very likely that the virus comes from an overclocking firmware released by an anonymous source.

Many miners would like to overclock their mining equipment to boost its hash power. Taking the Antminer S9 as an example, its hash power could increase by 33.33%, from 13.5T to 18T, simply by flashing overclocking firmware. But power consumption and heat spike as well, which may shorten the lifespan of these overdriven miners. For this reason, most miner makers do not encourage overclocking firmware; instead, it is often developed by individual players.

This makes a miner vulnerable to infection, because firmware is a program written into the hardware, sitting at a much lower level than the operating system. If the firmware carries a virus, hackers can do whatever they want with the miners.

“Infected miners continue to spread the virus furtively instead of having an immediate breakdown this time. The hacker to some extent controls the onset of the virus.” In the view of Jiang Zhuo’er, the villain behind the incident is very cunning.

From his technical analysis, the virus developer is probably not Chinese, yet the virus-carrying overclocking firmware is mainly spread through Baidu Wangpan, a domestic cloud storage service provided by Baidu.

“It suggests two possibilities – the hacker is deliberately targeting China, where bitcoin mines are concentrated; or, second, Chinese miners inadvertently helped spread the virus before they realized the overclocked firmware was infected,” said Jiang.

How to prevent it

“Avoiding third-party firmware of unknown origin and regularly changing the login passwords of routers and miners may be the best way for miners to prevent virus infection,” Jiang suggested.

The virus has so far evolved into many variants. “The latest variant can even monitor miners changing their passwords and record the new ones.” What angers miners most is that the hackers choose timing that makes it nearly impossible to respond effectively, such as surreptitiously switching the mining address to the hacker’s account late at night. Some hackers only target certain machines, stealing a few hours’ hash power a day, which is very hard for miners to notice. Yet those few hours could bring the hacker 2,400 yuan ($355) by hijacking the hash power of a bitcoin mine holding 4,000 mining machines.
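As an added example (not code from the article, Yibenchain or BTC.Top), this is the kind of reconciliation check a farm operator could run to catch the “stolen hours” pattern just described: a miner whose own dashboard still shows full hashrate while the farm’s pool credits its worker with almost nothing for an hour. Pool URLs, miner names and all figures are constructed.

```python
from collections import defaultdict

# Assumed farm pool; any other URL in a miner's configuration is a red flag.
FARM = "stratum+tcp://pool.example.com:3333"
ROGUE = "stratum+tcp://rogue.invalid:3333"   # constructed attacker pool
ALLOWED_POOLS = {FARM}

# Miner-side hourly samples (constructed): (miner_id, hour, configured_pool, reported_ghs).
# 13500 GH/s is a stock S9 (13.5T); the miner keeps reporting it even when shares go elsewhere.
MINER_REPORTS = [
    ("s9-01", 1, FARM, 13500.0), ("s9-01", 2, FARM, 13500.0), ("s9-01", 3, FARM, 13500.0),
    ("s9-02", 1, FARM, 13500.0), ("s9-02", 2, ROGUE, 13500.0), ("s9-02", 3, FARM, 13500.0),
    ("s9-03", 1, FARM, 13500.0), ("s9-03", 2, FARM, 13500.0), ("s9-03", 3, FARM, 13500.0),
]
# Pool-side credited hashrate per (worker, hour), as the farm's own pool reports it (constructed).
POOL_CREDITED = {
    ("s9-01", 1): 13200.0, ("s9-01", 2): 13400.0, ("s9-01", 3): 13100.0,
    ("s9-02", 1): 13300.0, ("s9-02", 2): 0.0,     ("s9-02", 3): 13200.0,
    ("s9-03", 1): 13300.0, ("s9-03", 2): 900.0,   ("s9-03", 3): 13300.0,  # config looked clean
}

def audit(reports, credited, min_ratio=0.5):
    """Return (miner_id, hour, reason) alerts for rogue pool URLs and for hours
    in which the pool credited less than min_ratio of what the miner reported."""
    alerts = []
    for miner, hour, pool, ghs in reports:
        if pool not in ALLOWED_POOLS:
            alerts.append((miner, hour, "unexpected pool " + pool))
        got = credited.get((miner, hour), 0.0)
        if ghs > 0 and got < ghs * min_ratio:
            alerts.append((miner, hour, f"credited {got:.0f} of {ghs:.0f} GH/s"))
    return alerts

def stolen_hours(alerts):
    """Hours per miner in which hashrate went missing, whatever the config said."""
    hours = defaultdict(set)
    for miner, hour, reason in alerts:
        if reason.startswith("credited"):
            hours[miner].add(hour)
    return dict(hours)

if __name__ == "__main__":
    for alert in audit(MINER_REPORTS, POOL_CREDITED):
        print(alert)
```

Note that s9-03 would pass a configuration-only check; only comparing against the pool’s own accounting exposes its missing hour.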

The event again raised bitcoin players’ concerns about hackers lurking in the shadows. There are even worries about whether the bitcoin network could collapse completely in a sudden attack by hackers.

“It’s hard to see that happening. The hash power of the bitcoin network is still highly decentralized across numerous mines; it’s quite difficult for hackers to just figure out the network locations of these mines,” said Mr Jiang.

The decentralization of bitcoin has built an ecosystem with unshakable stability across the network despite those tricky hackers.