[cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

Adam Back adam at cypherspace.org
Fri May 11 19:22:44 EDT 2012

Strikes me 12TH/sec is not actually very much computation? 
http://bitcoinwatch.com/ also gives network hashrate at 12.4 TH/sec.

But a single normally clocked (925Mhz) AMD 7970 based graphics card which
has 2048 cores is claimed to provide 555MH/sec.  

https://en.bitcoin.it/wiki/Mining_hardware_comparison#ARM (ignore the
aggresively overclocked 7970s...  the one that counts has 925 in the clock
speed column!)

But that means the entire bitcoin network compute is only equivalent to 23
AMD 7970 GPUs?  That seems wrong by orders of magnitude, there are youtube
videos of private individuals with mining rigs in that range in their

(Somewhat amusing scale of raw compute being thrown via SHA256 hashcash at
the bitcoin core at this thing- still its arguably not wasted CPU because as
human endeavours go other forms of currencies have their costs too.  So a
p2p currency if it played out might save a lot.  Personally I lost a bundle
on major currency devaluation GBP, EUR, USD look at them against the CHF to
see how much you'all lost due to whatever human / political inefficiencies
you attribute currency devaluation on that scale to.  A stable mechanism for
value storage would be a rather useful instrument.)


On Fri, May 11, 2012 at 01:20:48PM -0600, Zooko Wilcox-O'Hearn wrote:
>Here's a copy of a post I just made to my Google+ account about this
>alleged Botnet herder who has been answering questions about his
>operation on reddit:
>=== introduction ===
>Someone is posting to reddit claiming to be a malware author, botnet
>operator, and that they use their Botnet to mine Bitcoin: ¹.
>I asked them a question about the economics of using a Botnet for the
>Bitcoin distributed transaction-verification service ("Bitcoin
>mining"): ².
>They haven't provided any proof of their claims, but on the other hand
>what they write and how they write it sounds plausible to me.
>=== details ===
>Here are my notes where I try to double-check their numbers and see if
>they make sense.
>They in their initial post ¹ that they do 13-20 gigahashes/sec of work
>on the Bitcoin distributed transaction verification service.
>The screenshot they provided ³ shows 10.6 gigahashes/sec (GH/s) in
>progress, and that they're using a mining pool named BTCGuild.
>According to this chart of mining pools ⁴, BTCGuild currently totals
>about 12.5% of all known hashing power, and according to ⁵ the current
>total hashing power on the network is about 12.5 terahashes/sec
>(TH/s), so BTCGuild probably accounts for about 1.5 TH/s.
>They say that their Botnet has about 10,000 bots. The screen shot
>shows a count of "total bots" = 12,000 and "connected in the last 24
>hours" = 3500. This ratio of total bots to bots connected in the last
>24 hours is consistent with other reports I've read of Botnets ⁶, and
>also consistent with my experience in p2p networking. The number of
>"live bots" available at any one time for this Botnet herder should
>probably average out to somewhere between 350 and 550. Let's pick 500
>as an easy number to work with. Does it makes sense that 500 bots
>could generate 10 GH/s? That's 20 MH/s per live bot. According to the
>Bitcoin wiki's page on mining hardware ⁷, a typical widely-available
>GPU should provide about 200 MH/s. Hm, so they are claiming only 1/10
>the total hashpower that our back-of-the-envelope estimates would
>assign to them. Here is an answer they give to another person's
>question that sheds light on this: ⁸.
>Q: "Isn't Bitcoin mining pretty resource intensive on a computer? Like
>to the point someone would notice something is up on their system form
>it slowing eveyrthing down?"
>A: "My Botnet only mines if the computer is unused for 2 minutes and
>if the owner gets back it stops mining immidiatly, so it doesn't suck
>your fps at MW3. Also it mines as low priority so movies don't lag. I
>also set up a very safe threshold, the cards work at around 60% so
>they don't get overheated and the fans don't spin as crazy."
>It sounds plausible to me that those stealth measures could cut the
>throughput by 10 compared to running flat-out 24/7. Also it isn't
>clear if the botnet counts computers that don't have a GPU at all, or
>don't have a usable one. Maybe such computers are rare nowadays?
>Anyway if they are counted in there then that would be another reason
>why the hashing throughput per bot is lower than I calculated.
>In answer to another question ¹⁰, they said they get a steady $40/day
>from running the Bitcoin transaction-confirmation ("mining") service.
>According to this chart ¹¹ from ¹², the current U.S. Dollar value of
>Bitcoin mining is (or was a couple of days ago when they wrote that)
>about $0.33 per day for 100 MH/s. Multiplying that out by their claim
>of 10.6 GH/s results in $35/day. So that adds up, too.
>(Note that it sounds like their primary business is stealing and
>selling credit card numbers, and the Bitcoin transaction-verification
>service is a sideline.)
>I don't see a reason to doubt that they really generate about 10.6
>GH/s of the Bitcoin distributed transaction verification service.
>My primary question is: if this is profitable on a per-bot basis, then
>why don't they scale up their operation? Of course, the answer to this
>presumably sheds light on the related question of why competitors of
>theirs don't launch similar operations. Perhaps one limiting factor is
>that the larger your Botnet, the more likely you'll be arrested by
>police or extorted by competitors. That may be a limiting factor that
>this person doesn't yet know about or doesn't like to think about.
>They mentioned ⁹ that most of their fellow cybercriminals are "too
>inexperienced to accept Bitcoin", so it may be that this person is
>just ahead of the curve and more people will launch operations like
>this in the future.
>That's the question that I asked them on reddit—why don't they scale
>up? They haven't yet replied to my question, but they earlier
>mentioned in response to a different question ⁹:
>Q: "How many botted machines do you typically gain per month or per campaign."
>A: "about 500-1000 a day, weekends more. I'm thinking about just
>buying them in bulks and milking them for bitcoins. Asian installs are
>very cheap, 15$/1000 installs and have good GPUs."
>If they're really gaining 500 to 1000 new bots per day but they have a
>total of only 12,000 then either their operation is rapidly expanding,
>or the attrition rate is similarly high as the acquisition rate.
>=== the bottom line and my take ===
>I don't see any reason to doubt that this is real, and that this
>person with their Botnet is responsible for about 0.08% (i.e. less
>than 1/1000 — not 8%!) of the total Bitcoin distributed
>transaction-verification service, and that they profit for it at the
>rate of about $35 per day.
>There's one open question in my mind about whether this particular
>operator is currently rapidly expanding (adding 1000 bots per day to
>their network of 12,000 bots) or if the attrition rate of bots
>departing from the 12,000-node network is close to 1000 per day.
>If the $35/day revenue is really mostly profit (i.e., they don't have
>to spend so much time maintaining their 12,000-node Botnet that they
>forego more profitable activities, like stealing more credit cards or
>finishing their homework), I would expect them and others like them to
>turn more and more bots to this purpose.
>However, the nature of Bitcoin is that all providers of distributed
>transaction-confirmation service are in competition with one another.
>In the two weeks since this post went up on reddit, people around the
>globe deployed about 2 TH/s more hash power (see this graph of
>aggregate Bitcoin hash power ⁵), which cut the profitability of this
>one person's operation from $35.00/day to $30.00/day. If more and more
>Botnet operators get into the Bitcoin mining game, they will reduce
>the profitability of Bitcoin mining. (As well as competing with each
>other for access to victim computers, which has got to be a limited
>resources, right? Right? Or is there just a practically infinite
>supply of vulnerable computers waiting to be tapped if only someone
>can find a way to profit from them?)
>In parallel, the legitimate Bitcoin miners appear to be continuing to
>roll out new distributed transaction-verification service on their own
>hardware. Here is a recent post by "Bitcoinminer" about commercial
>Bitcoin farms based on GPU: ¹³. The operation spotlighted in that post
>apparently delivers 100 GH/s (about 10X that of our Botnet herder). At
>the same time, sales of FPGA-based Bitcoin devices appear to be
>booming. I wrote a post about that: ¹⁴. You'll have to scroll down
>through extensive discussion to find where I summarized the numbers,
>but in summary it appears that people are in the process of investing
>half a million USD in Bitcoin FPGA which, when all deployed, will
>deliver around 430 GH/s.
>I think there may be a kind of "Game of Chicken" going on: if someone
>makes a convincing show of investing in Bitcoin mining then they may
>deter other people from getting into the game and dividing up the
>profits. That may be the subtext of Bitcoinminer's blog post—he may be
>trying to discourage competitors. An interesting thing about "Game of
>Chicken" is that large upfront costs can actually be an advantage
>because they demonstrate your commitment! If people are spending half
>a million dollars on FPGA Bitcoin miners, then their competitors had
>better believe they're really going to keep running them, even if
>competition drives down profitability.
>See, to deploy 10 GH/s of Bitcoin hash power using FPGA would require
>you to purchase about $10,000 worth of hardware which has no resell
>value except to other Bitcoin miners. To deploy 10 GH/s using GPU
>would require an outlay on about $5000 of hardware, which you could
>later resell for gaming (or whatever other uses GPUs have nowadays --
>CAD/CAM?). To deploy 10 GH/s using a Botnet requires an unknown-to-me
>outlay of time, money, skill, or risk of personal harm, but at least
>the marginal cost of adding another few MH/s seems much lower than in
>the hardware-based approach. Our Botnet herder on reddit said he could
>buy access to Asian PCs with good GPUs for $15 for 1000 PCs. If that's
>true then it should cost a piddling $180 to set up a new network as
>big as his current 10 GH/s network.
>However, if he is considering doing something else with his time and
>money, then the fact that people have convincingly committed to
>large-scale FGPA mining may deter him, because no matter how well he
>does at competing with them, they've already paid a sunk cost, and
>their marginal cost for electricity is low, so they won't quit.
>(Unless competition swells to such a level that it drives revenue
>below their cost of electricity, which seems like a distant prospect
>at this point.) Thus they might win at the Game of Chicken and
>persuade him to spend his time and money on different projects (such
>stealing more credit cards or doing a better job on his homework).
>(There are also several organizations who are loudly proclaiming that
>they're developing custom ASIC chips for Bitcoin mining. I haven't yet
>seen hard evidence of any of them having really spent substantial
>money on it or having demonstrable progress on the engineering and
>=== last word ===
>I'm delighted to see such vigorous and varied competition for
>contributing to the distributed, planet-wide transaction-confirmation
>service. I especially like the "sunk-cost" people such as the FPGA
>miners with their low electricity requirements, because they seem
>likely to be long-term, always-on contributors.
>¹ http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/
>² http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4mu8oj
>³ https://lafsgateway.zooko.com/file/URI:CHK:sdk72a5zmncihhmhdsremrglem:ez25wwqy3lkpefd7e4tujr2tc5mhezmguql7vensxysl2yhkqefa:1:1:516308//named=/yxMDx.jpg
>¹⁰ http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4g235t
>¹¹ http://bitcoinx.com/charts/chart_large_lin_30d.png
>¹² http://bitcoinx.com/charts/
>¹³ http://www.bitcoinminer.com/post/22769728108/commercial-mining-farms
>¹⁴ https://plus.google.com/108313527900507320366/posts/2ztAhLnXQK
>cryptography mailing list
>cryptography at randombit.net

More information about the cryptography mailing list