Almost a decade ago, torrent trackers looked into their IP logs and found interesting connections coming from a variety of organizations that openly advocate against their right to exist. Some of the logged downloads even revealed a peculiar taste in music among presidential staff. With the peer-to-peer file-sharing battle lost, the very same organizations turned their sights on other distributed technologies, cryptocurrency mining being one of them. In this piece, Inca’s investigation team looks into the digital fingerprints that cryptocurrency mining software leaves on the web.
Modern cryptocurrency mining equipment is a sophisticated combination of hardware and software with telemetry pages and remote-management functionality. That functionality, however, comes with a privacy trade-off. Weak or missing login configuration and publicly reachable telemetry pages leak enough information to identify a device as a miner from anywhere on the web. Inca’s investigation team collected fingerprints from the telemetry pages of Antminer, Claymore and other mining rigs and turned them into search strings for Shodan, Censys and Zoomeye, search engines that index the machine-readable interfaces of Internet-facing services rather than web pages meant for people. Feeding the search-engine output into our analytics framework, we matched the returned IP addresses against IP range allocation datasets obtained from I-Blocklist, a service mostly used to block connections from government and affiliated organizations.
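The correlation step described above, as an added example in Python (this is not code from the original piece or from Inca’s framework): it fingerprints constructed Shodan-style banner records, parses an ownership list in the P2P plaintext format that I-Blocklist distributes (`Owner name:start-end`), and keeps only the miners whose IP falls inside a listed range. The signature strings, the IP ranges (RFC 5737 documentation addresses) and the owner names are constructed for illustration and are not taken from the investigation; the overlapping-range case shows why a lookup must return every covering owner rather than the first one found.

```python
"""Correlate miner fingerprints in search-engine banner records with IP-range
ownership data.  Added example; fingerprints, ranges and names are constructed."""
import bisect
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed signature table.  The patterns imitate the kind of strings a
# Shodan/Censys/Zoomeye query would key on (an HTTP auth realm, a stats-page
# string); treat them as placeholders, not as verified fingerprints.
MINER_SIGNATURES = {
    "antminer": [re.compile(r'realm="antMiner Configuration"')],
    "claymore": [re.compile(r"ETH - Total Speed"), re.compile(r"miner_getstat1")],
}


def fingerprint_banner(banner: str) -> Optional[str]:
    """Return the miner family a banner matches, or None for non-miner services."""
    for family, patterns in MINER_SIGNATURES.items():
        if any(p.search(banner) for p in patterns):
            return family
    return None


def parse_p2p_blocklist(text: str) -> List[Tuple[int, int, str]]:
    """Parse 'Owner name:1.2.3.0-1.2.3.255' lines (the P2P plaintext format used
    by I-Blocklist lists) into (start, end, owner) tuples sorted by start.
    Malformed lines are skipped rather than aborting the whole import."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        owner, sep, span = line.rpartition(":")  # owner names may contain ':'
        if not sep or "-" not in span:
            continue
        lo, hi = span.split("-", 1)
        try:
            start = int(ipaddress.IPv4Address(lo.strip()))
            end = int(ipaddress.IPv4Address(hi.strip()))
        except ValueError:
            continue
        if start > end:
            start, end = end, start
        ranges.append((start, end, owner))
    ranges.sort()
    return ranges


class OwnerIndex:
    """Sorted range index answering 'which listed owners cover this IP?'."""

    def __init__(self, blocklist_text: str):
        self.ranges = parse_p2p_blocklist(blocklist_text)
        self.starts = [r[0] for r in self.ranges]

    def owners(self, ip: str) -> List[str]:
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n)
        # Lists can overlap (an institute block carved out of a larger network),
        # so walk back over every range starting at or before n instead of
        # stopping at the first hit.  Most specific (latest start) comes first.
        return [owner for start, end, owner in reversed(self.ranges[:i]) if start <= n <= end]


def correlate(records: List[Dict], index: OwnerIndex) -> List[Dict]:
    """Keep only records that look like a miner AND sit in a listed range.
    A hit means the address is allocated to that owner; it does not prove the
    owner operates the rig (a third party may be using the address space)."""
    hits = []
    for rec in records:
        family = fingerprint_banner(rec["data"])
        if family is None:
            continue
        owners = index.owners(rec["ip_str"])
        if not owners:
            continue
        hits.append({"ip": rec["ip_str"], "port": rec["port"],
                     "miner": family, "owners": owners})
    return hits


# Constructed sample list: RFC 5737 documentation ranges, fictional owners.
SAMPLE_BLOCKLIST = """\
# comment lines, blank lines and malformed lines are ignored
Example Ministry of Example Affairs:192.0.2.0-192.0.2.255
Example University Network:198.51.100.0-198.51.100.127
Example Research Institute:198.51.100.64-198.51.100.200
not a valid line
"""

# Constructed records shaped like Shodan API results (ip_str / port / data).
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.17", "port": 80,
     "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration"\r\n'},
    {"ip_str": "198.51.100.70", "port": 3333,
     "data": "HTTP/1.1 200 OK\r\n\r\n<title>Claymore miner</title>ETH - Total Speed: 182.724 Mh/s"},
    {"ip_str": "203.0.113.5", "port": 80,      # a miner, but in no listed range: dropped
     "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="antMiner Configuration"\r\n'},
    {"ip_str": "198.51.100.200", "port": 22,   # listed range, but not a miner: dropped
     "data": "SSH-2.0-OpenSSH_7.4\r\n"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_RECORDS, OwnerIndex(SAMPLE_BLOCKLIST)):
        print(f"{hit['ip']}:{hit['port']}  {hit['miner']:<9} {' / '.join(hit['owners'])}")
```

Two practical caveats apply to the real pipeline as much as to this sketch: search-engine results are a snapshot, so a banner seen months ago may no longer be there, and allocation lists age, so a range-to-owner match should be re-checked against current WHOIS data before anything is attributed to a named organization.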
Below are a few examples of mining equipment that the search engines indexed at IP address ranges belonging to organizations whose purpose is far from running cryptocurrency mining equipment.
1. Armed Forces Main Information Center (AFMIC)
The Armed Forces Main Information Center (AFMIC) is the main Internet service provider and information center for the Egyptian Armed Forces.
2. Higher Education Commission
The Higher Education Commission is a Government of Pakistan statutory regulator whose main functions are funding, overseeing, regulating and accrediting the higher education institutions in the country.
Similarly, we found that the Brazilian Center for Research in Physics, linked to the Ministry of Science and Technology, and the Iranian Research Organization for Science and Technology (IROST), attached to the Ministry of Science, Research and Technology of Iran, are involved in illicit mining. [1]
3. Ministry of Interior of the Kingdom of Thailand
The Ministry of Interior of the Kingdom of Thailand is a cabinet-level department in the Government of Thailand.
Broadly, blockchain forensic investigations that attribute IP addresses to named entities remove a degree of anonymity that the blockchain itself would otherwise preserve. When investigating suspicious activity, it is crucial for investigators to use tools that aggregate different data streams, such as the ones we offer, because that is what makes it possible to match an IP address involved in mining with a specific entity. That attribution establishes a baseline for the whole investigation, where OSINT techniques and digital forensics combine to provide actionable intelligence for any interested party.
[1] We cannot say that these organizations are directly involved in mining. It is possible that government addresses and capacity are being used by third parties.