Dutch security researcher Victor Gevers has discovered 2,893 Bitcoin miners left exposed on the Internet with no passwords on their Telnet port.
Gevers told Bleeping Computer in a private conversation that all miners process Bitcoin transactions in the same mining pool and appear to belong to the same organization.
“The owner of these devices is most likely a state sponsored/controlled organization part of the Chinese government,” Gevers says, basing his claims on information found on the exposed miners and the IP addresses assigned to each device.
Miners taken offline shortly after
Gevers is also the chairman of the GDI Foundation, a non-profit organization that coordinates vulnerability disclosures and works to secure exposed devices. For the past two days, Gevers has been investigating the incident and was planning to reach out to the affected organization.
This is no longer necessary, as it appears that someone from the affected party saw Gevers’ tweets and secured the exposed devices shortly afterwards.
I see about 2,893 Chinese Bitcoin “Thunder mining machines” online which are accessible via telnet w/o any password. Is the GFW down? pic.twitter.com/pGuBJnld5i
— Victor Gevers (@0xDUDE) August 28, 2017
“Most of the miners are now not available anymore via Telnet,” Gevers told Bleeping Computer. “Just a few are left, and I am keeping an eye out for those.”
“At the speed they were taken offline, it means there must be serious money involved,” Gevers added. “A few miners is not a big deal, but 2,893 [miners] working in a pool can generate a pretty sum.”
According to a Twitter user, the entire network of 2,893 miners Gevers discovered could generate an income of just over $1 million per day, if mining Litecoin.
4) Then for all the machines accounted it’s ~$1,096,447 income per day
— Quan (@Quan66726078) August 29, 2017
Based on firmware details Gevers found on the devices, the researcher believes that most are ZeusMiner THUNDER X3 Bitcoin miners.
Some devices infected with malware, backdoors
The expert is still investigating how long these devices were left exposed online without a Telnet password.
“I have proof of other visitors on the boxes where they tried to install a backdoor or malware,” Gevers said.
According to another researcher who also examined the miners, the devices also appeared to be participating in a bandwidth-sharing scheme run via the Chinese service Xunlei.
Last week, Gevers worked to secure thousands of smart devices that were still running default Telnet credentials. Their IP addresses, usernames, and passwords had been leaked online via a list uploaded to Pastebin. One of the IP addresses on that list belonged to one of the Bitcoin miners, and this is how Gevers discovered the whole mining network.