Hackers have managed to reroute raw internet traffic from numerous internet service providers (ISPs) in an attempt to steal bitcoins.

Dell SecureWorks says it has identified a total of 19 ISPs affected. Data used by Amazon, DigitalOcean and OVH was compromised in the attack.

Each incident lasted just 30 seconds, but the hacker managed to carry out the attack 22 times over the course of four months. The ultimate goal was to seize control of bitcoin miners, organised in mining pools.

Stealing up to $9,000 a day

The attacks appear to have been successful. Dell SecureWorks reports that up to $9,000 in bitcoin and altcoins such as dogecoin was stolen per day.

During the attack, miners believed they were still mining for their pool, while the flow of cryptocurrency generated by their mining operations redirected elsewhere. Researchers believe the culprits employed BGP hijacking to redirect the traffic, using spoofed commands to redirect traffic from ISPs.

The hackers used a staff user account belonging to a Canadian ISP, but the researchers do not know whether the hack was orchestrated by an ISP employee or someone from outside the company. A detailed description of the attack is available on the SecureWorks blog.

Researcher Pat Litke said this sort of attack can easily grab a “large collection of clients” in next to no time.

“It takes less than a minute, and you end up with a lot of mining traffic under your control,” he told Wired.

Six-figure damages?

The researchers concluded that around $83,000 worth of cryptocurrency was stolen in the attacks, though this is not the final tally.

According to the research team, this particular type of attack is difficult to replicate as the attacker must have access to an ISP. Therefore, Dell SecureWorks does not expect such attacks to be widespread.

This is not the first time Dell SecureWorks has tackled security threats related to bitcoin. Earlier this year the firm published a report identifying 146 strains of bitcoin malware. It also issued a number of warnings involving vulnerable browser extensions and other software.