Akamai Unveils Advanced Tactics for Defenders to Thwart Cryptominer Attacks

Akamai has announced a significant advancement in the fight against illicit cryptomining, unveiling a pair of proactive techniques designed to disrupt and neutralize cryptominer botnets at scale.

These methods, detailed in the final installment of Akamai’s “Cryptominers’ Anatomy” series, leverage inherent weaknesses in both mining topologies and pool enforcement policies, offering defenders new options to decisively shut down malicious campaigns.

[Figure: Mining topology based on a mining proxy]

Innovative Approaches Target Mining Topologies

Traditional approaches to combating cryptomining threats, such as asking pool services to ban attacker accounts or attempting to dismantle attacker infrastructure, are often slow, complex, and reliant on third parties.

According to the report, Akamai’s new strategies sidestep these limitations by directly exploiting the operational mechanics of cryptominer networks, particularly those targeting Monero, though they apply to other cryptocurrencies as well.

The first technique focuses on mining proxies, a common topology used by threat actors to aggregate and anonymize mining traffic.

By infiltrating the botnet as a miner and submitting deliberately malformed results, or “bad shares,” defenders can trigger automated bans at the mining pool level.

This tactic capitalizes on the fact that mining pools enforce strict penalties for repeated invalid submissions to protect against resource exhaustion.

When a proxy is banned, all miners funneled through it are simultaneously cut off, collapsing the botnet’s hashrate and revenue stream.

In a documented case, Akamai’s researchers reduced a six-year-old malicious operation’s hashrate from 3.3 million hashes per second to zero within seconds, erasing an estimated annual revenue of $26,000 for the attackers.

XMRogue Tool Demonstrates Real-World Impact

To operationalize this approach, Akamai developed “XMRogue,” a tool that impersonates legitimate miners, connects to malicious proxies, and systematically submits bad shares tailored to bypass proxy-level validation.

XMRogue’s effectiveness was demonstrated in live campaigns, where it not only forced proxy bans but also precipitated a 76% drop in annualized attacker revenue by targeting multiple proxies across the campaign’s infrastructure.

The second technique addresses scenarios where victims connect directly to public mining pools, bypassing proxies.

Here, Akamai identified that many pools enforce wallet-level bans if the number of simultaneous worker connections exceeds a threshold (typically 1,000).

[Figure: Worker list of the malicious campaign]

By automating mass login attempts using the attacker’s wallet address, defenders can force the pool to temporarily ban the wallet, halting the mining operation.

While this method is not a permanent solution, since the hashrate recovers once the login flood ceases, it provides a powerful tool for immediate disruption and can be integrated into broader incident response workflows.

Akamai’s research underscores the importance of understanding mining protocol mechanics and pool enforcement logic in developing effective countermeasures.

By weaponizing the very policies designed to keep mining pools healthy, defenders can turn the tables on attackers, forcing them to either overhaul their infrastructure or abandon campaigns altogether.

Importantly, these techniques are designed to minimize collateral impact, as legitimate miners can quickly recover by reconfiguring their wallets or IP addresses, whereas botnet operators face a significantly higher operational burden.
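To make the pool-side enforcement logic the article relies on concrete, here is an added Python model, written for this article and not code from Akamai, XMRogue or any real pool, that simulates a pool's two ban policies (repeated invalid shares ban the sending address; too many simultaneous workers ban the wallet) and shows why one proxy ban zeroes the whole aggregated hashrate while a wallet ban stops direct-to-pool miners. The thresholds, wallet names, addresses and per-victim hashrates are constructed; the Stratum protocol itself is not modelled.

```python
from collections import defaultdict

# Constructed thresholds; real pools set their own (the page cites ~1,000 workers per wallet).
MAX_BAD_SHARES = 5
MAX_WORKERS_PER_WALLET = 1000

def new_pool():
    return {"bad": defaultdict(int), "banned_ips": set(),
            "workers": defaultdict(set), "banned_wallets": set()}

def submit_share(pool, src_ip, valid):
    """Pool-side share handling: repeated invalid shares ban the sending address."""
    if src_ip in pool["banned_ips"]:
        return False
    if valid:
        return True
    pool["bad"][src_ip] += 1
    if pool["bad"][src_ip] >= MAX_BAD_SHARES:
        pool["banned_ips"].add(src_ip)
    return False

def login(pool, wallet, worker_id, src_ip):
    """Pool-side login handling: too many simultaneous workers ban the wallet."""
    if wallet in pool["banned_wallets"] or src_ip in pool["banned_ips"]:
        return False
    pool["workers"][wallet].add(worker_id)
    if len(pool["workers"][wallet]) > MAX_WORKERS_PER_WALLET:
        pool["banned_wallets"].add(wallet)
        return False
    return True

def effective_hashrate(pool, miners):
    return sum(h for w, ip, h in miners
               if w not in pool["banned_wallets"] and ip not in pool["banned_ips"])

def proxy_ban_scenario():
    # 100 constructed victims at 33 kH/s each, all funnelled through one proxy address
    pool, miners = new_pool(), [("WALLET_A", "203.0.113.7", 33_000)] * 100
    before = effective_hashrate(pool, miners)
    for _ in range(MAX_BAD_SHARES):
        submit_share(pool, "203.0.113.7", valid=False)
    return before, effective_hashrate(pool, miners)

def wallet_ban_scenario():
    # 50 constructed victims connecting directly to the pool with one shared wallet
    pool, miners = new_pool(), [("WALLET_B", f"198.51.100.{i}", 1_000) for i in range(50)]
    for i, (w, ip, _) in enumerate(miners):
        login(pool, w, f"victim{i}", ip)
    before = effective_hashrate(pool, miners)
    for i in range(MAX_WORKERS_PER_WALLET):  # further logins on the same wallet
        login(pool, "WALLET_B", f"extra{i}", "192.0.2.1")
    return before, effective_hashrate(pool, miners)
```

The asymmetry the article describes falls out of the model: a legitimate miner behind the banned address or wallet recovers by changing one setting, while every victim machine in a botnet would have to be reconfigured.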

The release of XMRogue and the publication of these techniques mark a pivotal moment in the ongoing battle against cryptomining malware.

As threat actors continue to evolve their tactics, the ability to proactively disrupt and dismantle their operations at the protocol level offers defenders a much-needed strategic advantage.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.