Shared publicly  - 
a Botnet herder mining Bitcoin


Someone is posting to reddit claiming to be a malware author, botnet operator, and that they use their Botnet to mine Bitcoin: ¹.

I asked them a question about the economics of using a Botnet for the Bitcoin distributed transaction-verification service ("Bitcoin mining"): ².

They haven't provided any proof of their claims, but on the other hand what they write and how they write it sounds plausible to me.


Here are my notes where I try to double-check their numbers and see if they make sense.

They in their initial post ¹ that they do 13-20 gigahashes/sec of work on the Bitcoin distributed transaction verification service.

The screenshot they provided ³ shows 10.6 gigahashes/sec (GH/s) in progress, and that they're using a mining pool named BTCGuild. According to this chart of mining pools ⁴, BTCGuild currently totals about 12.5% of all known hashing power, and according to ⁵ the current total hashing power on the network is about 12.5 terahashes/sec (TH/s), so BTCGuild probably accounts for about 1.5 TH/s.

They say that their Botnet has about 10,000 bots. The screen shot shows a count of "total bots" = 12,000 and "connected in the last 24 hours" = 3500. This ratio of total bots to bots connected in the last 24 hours is consistent with other reports I've read of Botnets ⁶, and also consistent with my experience in p2p networking. The number of "live bots" available at any one time for this Botnet herder should probably average out to somewhere between 350 and 550. Let's pick 500 as an easy number to work with. Does it makes sense that 500 bots could generate 10 GH/s? That's 20 MH/s per live bot. According to the Bitcoin wiki's page on mining hardware ⁷, a typical widely-available GPU should provide about 200 MH/s. Hm, so they are claiming only 1/10 the total hashpower that our back-of-the-envelope estimates would assign to them. Here is an answer they give to another person's question that sheds light on this: ⁸.

Q: "Isn't Bitcoin mining pretty resource intensive on a computer? Like to the point someone would notice something is up on their system form it slowing eveyrthing down?"

A: "My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immidiatly, so it doesn't suck your fps at MW3. Also it mines as low priority so movies don't lag. I also set up a very safe threshold, the cards work at around 60% so they don't get overheated and the fans don't spin as crazy."

It sounds plausible to me that those stealth measures could cut the throughput by 10 compared to running flat-out 24/7. Also it isn't clear if the botnet counts computers that don't have a GPU at all, or don't have a usable one. Maybe such computers are rare nowadays? Anyway if they are counted in there then that would be another reason why the hashing throughput per bot is lower than I calculated.

In answer to another question ¹⁰, they said they get a steady $40/day from running the Bitcoin transaction-confirmation ("mining") service. According to this chart ¹¹ from ¹², the current U.S. Dollar value of Bitcoin mining is (or was a couple of days ago when they wrote that) about $0.33 per day for 100 MH/s. Multiplying that out by their claim of 10.6 GH/s results in $35/day. So that adds up, too.

(Note that it sounds like their primary business is stealing and selling credit card numbers, and the Bitcoin transaction-verification service is a sideline.)

I don't see a reason to doubt that they really generate about 10.6 GH/s of the Bitcoin distributed transaction verification service.

My primary question is: if this is profitable on a per-bot basis, then why don't they scale up their operation? Of course, the answer to this presumably sheds light on the related question of why competitors of theirs don't launch similar operations. Perhaps one limiting factor is that the larger your Botnet, the more likely you'll be arrested by police or extorted by competitors. That may be a limiting factor that this person doesn't yet know about or doesn't like to think about. They mentioned ⁹ that most of their fellow cybercriminals are "too inexperienced to accept Bitcoin", so it may be that this person is just ahead of the curve and more people will launch operations like this in the future.

That's the question that I asked them on reddit—why don't they scale up? They haven't yet replied to my question, but they earlier mentioned in response to a different question ⁹:

Q: "How many botted machines do you typically gain per month or per campaign."

A: "about 500-1000 a day, weekends more. I'm thinking about just buying them in bulks and milking them for bitcoins. Asian installs are very cheap, 15$/1000 installs and have good GPUs."

If they're really gaining 500 to 1000 new bots per day but they have a total of only 12,000 then either their operation is rapidly expanding, or the attrition rate is similarly high as the acquisition rate.

the bottom line and my take

I don't see any reason to doubt that this is real, and that this person with their Botnet is responsible for about 0.08% (i.e. less than 1/1000 — not 8%!) of the total Bitcoin distributed transaction-verification service, and that they profit for it at the rate of about $35 per day.

There's one open question in my mind about whether this particular operator is currently rapidly expanding (adding 1000 bots per day to their network of 12,000 bots) or if the attrition rate of bots departing from the 12,000-node network is close to 1000 per day.

If the $35/day revenue is really mostly profit (i.e., they don't have to spend so much time maintaining their 12,000-node Botnet that they forego more profitable activities, like stealing more credit cards or finishing their homework), I would expect them and others like them to turn more and more bots to this purpose.

However, the nature of Bitcoin is that all providers of distributed transaction-confirmation service are in competition with one another. In the two weeks since this post went up on reddit, people around the globe deployed about 2 TH/s more hash power (see this graph of aggregate Bitcoin hash power ⁵), which cut the profitability of this one person's operation from $35.00/day to $30.00/day. If more and more Botnet operators get into the Bitcoin mining game, they will reduce the profitability of Bitcoin mining. (As well as competing with each other for access to victim computers, which has got to be a limited resources, right? Right? Or is there just a practically infinite supply of vulnerable computers waiting to be tapped if only someone can find a way to profit from them?)

In parallel, the legitimate Bitcoin miners appear to be continuing to roll out new distributed transaction-verification service on their own hardware. Here is a recent post by "Bitcoinminer" about commercial Bitcoin farms based on GPU: ¹³. The operation spotlighted in that post apparently delivers 100 GH/s (about 10X that of our Botnet herder). At the same time, sales of FPGA-based Bitcoin devices appear to be booming. I wrote a post about that: ¹⁴. You'll have to scroll down through extensive discussion to find where I summarized the numbers, but in summary it appears that people are in the process of investing half a million USD in Bitcoin FPGA which, when all deployed, will deliver around 430 GH/s.

I think there may be a kind of "Game of Chicken" going on: if someone makes a convincing show of investing in Bitcoin mining then they may deter other people from getting into the game and dividing up the profits. That may be the subtext of Bitcoinminer's blog post—he may be trying to discourage competitors. An interesting thing about "Game of Chicken" is that large upfront costs can actually be an advantage because they demonstrate your commitment! If people are spending half a million dollars on FPGA Bitcoin miners, then their competitors had better believe they're really going to keep running them, even if competition drives down profitability.

See, to deploy 10 GH/s of Bitcoin hash power using FPGA would require you to purchase about $10,000 worth of hardware which has no resell value except to other Bitcoin miners. To deploy 10 GH/s using GPU would require an outlay on about $5000 of hardware, which you could later resell for gaming (or whatever other uses GPUs have nowadays -- CAD/CAM?). To deploy 10 GH/s using a Botnet requires an unknown-to-me outlay of time, money, skill, or risk of personal harm, but at least the marginal cost of adding another few MH/s seems much lower than in the hardware-based approach. Our Botnet herder on reddit said he could buy access to Asian PCs with good GPUs for $15 for 1000 PCs. If that's true then it should cost a piddling $180 to set up a new network as big as his current 10 GH/s network.

However, if he is considering doing something else with his time and money, then the fact that people have convincingly committed to large-scale FGPA mining may deter him, because no matter how well he does at competing with them, they've already paid a sunk cost, and their marginal cost for electricity is low, so they won't quit. (Unless competition swells to such a level that it drives revenue below their cost of electricity, which seems like a distant prospect at this point.) Thus they might win at the Game of Chicken and persuade him to spend his time and money on different projects (such stealing more credit cards or doing a better job on his homework).

(There are also several organizations who are loudly proclaiming that they're developing custom ASIC chips for Bitcoin mining. I haven't yet seen hard evidence of any of them having really spent substantial money on it or having demonstrable progress on the engineering and manufacturing.)

last word

I'm delighted to see such vigorous and varied competition for contributing to the distributed, planet-wide transaction-confirmation service. I especially like the "sunk-cost" people such as the FPGA miners with their low electricity requirements, because they seem likely to be long-term, always-on contributors.








David Sterry's profile photoWes Felter's profile photoJeff Garzik's profile photoS DaggeX's profile photo
Hm, we should be able to do some upper-bound estimate based on this data point. This person has a 10,000-node Botnet, right? And with it they operate about 10 GH/s, which is about 0.08% of the current total Bitcoin network's transaction-confirmation service, and they make a profit of roughly $35/day.

Okay, so how big can that scale up? Could there be one hundred million bots operating on the Internet at the same time? That seems like a reasonable guess at an upper bound to me -- one hundred million PCs with GPUs attached that are set to the task of Bitcoin mining. Surely it won't be much more than that anytime soon.

Extrapolating from this herder's report, that would generate about 100 TH/s, compared to the current network's 12.5 TH/s. That would cut the profitability of any individual miner to 1/8 as much as today, causing all miners who use GPUs and pay for their own electricity to shut down.

So, yes, that could have a major impact on Bitcoin! The only remaining miners in that case would be Botnet herders, FPGA miners, and any future innovations such as ASIC miners or advertising-based miners ( ).

At the time, it would also cut the profitability of other Botnet-based miners. So our reddit participant for example, with this 10,000-bot network would earn around $4/day instead of around $30/day.
What's the end game? I remember you saying there's a maximum number of discoverable bitcoins. If all the bots in the world were focused on bitcoin mining for a year, would the bitcoin mines run dry?
AMD/ATI publishes sales data for their GPUs; you can use that to estimate upper bounds. IIRC someone calculated that fewer than 1% of GPUs are currently being used for mining.
I said something stupid right here. I called CoinLab "advertising-based mining", but that's backwards. CoinLab is what you get if you take the modern advertising-based model for consumer apps on the Internet, and swap in Bitcoin mining in place of the advertising. So it is not at all "advertising-based mining", but more like "mining-instead-of-advertising based consumer Internet".
I need to call out an unspoken assumption in what I wrote about possible future developments. Those numbers were all assuming that the value of Bitcoin (i.e., how many U.S. Dollars, or Euros, or Yen, etc. you can get in exchange Bitcoin) stays constant. I think it extremely unlikely that it will stay constant for long! I think it will skyrocket. If the value of Bitcoin multipled by one hundred, then all of the analysis above would need to be revisited. Our small-time Bot herder from reddit would be making $3000/day instead of $30/day. GPU miners would be willing to stay in the game even if 100 million bots joined. And presumably the flow of capital investment into FPGA miners would greatly increase.

On the other hand if the value were to drop to 1/10 of current then the reverse would happen -- GPU miners would shut down right away, but FPGA miners would stay afloat (barely).

Finally, of course, some terrible catastrophe could wipe out all confidence that everyone has in the value of Bitcoin and cause everyone to simultaneously give up on it. It pains me to even imagine such a disaster, but it is unfortunately a possibility, especially with the current ubiquitous reliance on a single C++ codebase that is being frequently updated.
I find it interesting that someone who operates botnets and deals in credit card theft and other forms of fraud has trouble finding ways to spend bitcoin. Wouldn't someone like that be an ideal bitcoin use case?
@Trevor, no, difficulty would scale up in something less than two weeks until Bitcoins were still only being released at a rate of about one block every 10 minutes, no matter how much mining power was thrown at the problem.

@Zooko: Your estimates for the amount of money going into FPGA mining are very low. Your ZTex estimate, for example, barely represents one of their customers who has come online on IRC and said so. The problem isn't if Botnets scale up to large mining: it is if Botnets scale up to larger than 50% mining and they effectively collaborate to deny access to transactions within Bitcoin, or unwind transactions they decide they don't like, or if large-scale Botnet participation becomes widely-known. That would hurt the value of Bitcoins, because electricity costs for Botnets are negligible, and people know this.
Trevor: as Brady and S wrote, the distribution of de novo Bitcoin is rate-limited, and that rate drops in half every four years or so:

There are two ways that Bitcoin miners/transaction-confirmers profit. First is the de-novo Bitcoin "reward". That's the thing that falls off logarithmically over time. Second is transaction fees paid by the sender of a transaction. Those are currently miniscule. On any given day there are about ⓑ7200 doled out in reward (due to drop to ⓑ3600 in December), and about...

somewhere between ⓑ4 and ⓑ14 in transaction fees.

Presumably in the happy future that a larger number of people are relying on Bitcoin for a larger amount of valuable transactions, those transaction fees will go up.

"I find it interesting that someone who operates botnets and deals in credit card theft and other forms of fraud has trouble finding ways to spend bitcoin. Wouldn't someone like that be an ideal bitcoin use case?"

Did he say that he had trouble spending Bitcoin? Why do you think someone who deals in credit card fraud would be a good bitcoin use case?
Wes: that's a good idea for estimating an upper bound! Where can I find those stats about ATI and Nvidia GPU shipments?
The comment "most of their fellow cybercriminals are "too inexperienced to accept Bitcoin"" made me think they had trouble spending it, though maybe it's just that their peers do.

Bitcoin seems ideal for fraudsters because payments don't go through intermediaries that would report money laundering or suspicious transactions to law enforcement. It also allows them to make purchases remotely without divulging identity.
I think by "accept" the botherder meant accept it as worthy of their time rather than the other meaning of accepting it for payment.

Btw, another great article Zooko.

I've come to the conclusion that GPU mining by individuals with previously sunk costs is highly underrated as a way for more people to get Bitcoin, understand it, and to provide greater price support.
Miners are definitely dumping GPUs, as FPGAs come online in number. Structured ASIC, then full ASIC, is next.

That moves bitcoin entirely outside the realm of commodity hardware (and botnets), invalidating ianG's thesis entirely.
Jeff: FPGA mining could displace mining using GPUs and paying for your own electricity costs (because FPGA has dramatically lower electricity costs per hash/second, even though it has higher capital hardware costs per hash/second).

But there's no reason why FPGA mining should displace Botnet mining, which apparently has a marginal cost per hash/second at least as low as FPGA mining does.


So Ian Grigg's thesis (which I think is fatally flawed in other ways, myself), when it predicts increasing deployment of Botnet miners, is not invalidated by FPGA miners.

For those who haven't read it, Ian Grigg posted this thesis on his blog and also started a discussion about it on the cryptography-at-randombit mailing list:
He wrote: 'About 20% of the users have good graphic cards, but are not sophisticated enough to install drivers, so my miner can't run. "Hur dur, farmville works and I can watch porn, no need for OpenCL drivers"'.
The GPU/FPGA tipping point in the near future seems similar to the CPU/GPU tipping point already experienced.

It is fair to ask why botnets are not, everywhere, doing CPU mining? My own developer workstation, a very modern quad core (w/ HT), will earn around $0.03/day doing CPU mining, if power and all other costs are zero.

But the problem with that calculation, and IMO ianG's thesis, is that the micro-focus on power cost ignores all the other costs that go into botnet herding, including time, opportunity cost (what the computer might otherwise be doing), and the cost of detection (doing bitcoin mining 24/7 will noticeably increase heat and noise, in addition to spiking the user's power bill).

There is also a notable cost-of-detection by bitcoiners: deepbit and other pools have been actively -- and successfully -- battling botnetters because they use a lot of pool server resources for very little return. Botnetters could respond by running their own pool -- we're pretty sure some already do -- but this increases the probability of detection again. already attempts to triangulate the origin of a transaction or block to a single IP address, making botnet pool filtering a realistic option (thereby increase botnet herd costs again).

The reddit botnetter recognized this and concluded that CPU mining revenue would fall below those other costs. 12000 bots * $0.03 == $360/day in revenue, using optimistic numbers. Obviously, using GPUs was far more lucrative versus CPUs for him, but he simply does not bother with CPU mining even though ianG's thesis assumes he would.

Thus my counter-theses to ianG would be:
1) Costs for botnetters are not zero as claimed. This invalidates a lot of the logic in ianG's paper.
2) As bitcoin difficulty rises, costs to botnetters increase while revenue decreases. Thus, and as IMO demonstrated by the reddit anecdotal example, there is a point at which costs exceed revenue, and not bitcoin mining is the logical choice.

There will always by "grab and go" irrational actors, who bitcoin mine via botnet until they are shut down. But I think the lifetime of an individual machine in those cases will be very small, requiring huge amounts of new infections to make it remotely worthwhile.

I have a lot more nits to pick with ianG's paper, and have been tempted to write a formal response, but this is what comes to mind at the moment vis a vis reddit.
Jeff: thanks for the detailed comment! I agree with your most fundamental point: the cost of a Botnet is not zero.

On the other hand, I'm not sure what the cost of starting a Botnet is, and I don't know whether it is greater or less than the cost of starting an FPGA farm.

And, it is probably necessary to distinguish the costs of starting an operation from the marginal costs of expanding an existing one. It seems intuitively obvious to me that the marginal cost of expanding a Botnet mining operation is very low, and much lower than the marginal cost of expanding any other kind of mining operation. However, empirically there must be some sort of cost or limit, or else why hasn't Botnet mining already driven out all other kinds of mining?


Our redditing Bot herder claims that his hash/sec has doubled:

"No, get your own botnet. Also the speed is now at 20-25GH/s lol."

He also attempted to answer my question of why he (and by extension other Bot herders) don't scale up their Bitcoin mining operations:

Reading between the lines a bit, my interpretation is that he doesn't really know why not. He hasn't tried scaling up his Bitcoin mining operation before now. He asserts that other cybercriminals are too unskilled and too ignorant of Bitcoin, and that sounds very plausible to me! But inasmuch as he just increased his profit from $35/day to $60/day after an outlay of an estimated $180.00, and this conversation is news on twitter, hackernews, and Russian news sites, then I would expect this ignorance among he and his competitors to fade fast.

My other guess is that there is very limited information-sharing among these people, and they may not know what happens to people who try to scale up their Botnet operations. Maybe that attracts unwanted attention? From law-enforcement, security companies, competitors, or erstwhile business partners. He says that he "knows" (i.e. pseudonymous, on-line-only chit-chat) people who operate networks of a million bots and who have not been reported in the press. ( )
The cost of owning & operating a botnet is not zero.

There is a constant battle between malware and antivirus companies (along with law enforcement agencies). At a size of ~10-20k, suspicious software tends to be looked at in depth by AV firms. It usually doesn't take long from that point until the infected machine has its miner removed.

That means there can be more work involved with maintaining a botnet than appears at first glance. Unlike what we're familiar with, install once and run anytime thereafter, it can be a struggle to keep suspect programs installed on a machine with up-to-date AV software.

It's also necessary to take into consideration the command & control (C&C) structure - is it a central server, or a distributed network? Do the bots communicate with C&C directly, via proxy redirection, through Tor, etc? Some methods are much more vulnerable to disruption than others.

The marginal cost of expanding a botnet depends upon the method as well. While acquiring control of already-compromised systems can be done for as little as $0.02 per install, it may only be necessary to do this the first time on a few hundred machines. If 1,000 installs are purchased for $50 and a worm is then used to spread the miner, there could be 100k miners in operation after a relatively short period of time.

In that situation, controlling all of the miners would be a very difficult endeavor without sophisticated C&C based on I2P/Tor and end-to-end encrypted communications. Making sure they remain functional would also necessitate a reliable method of distributing updates, possibly daily.

Unless developing the software for the above by oneself, it must be acquired. The price ranges are anywhere from $20 to $20,000 depending on quality and sophistication level. You won't currently be able to find a $20 program capable of setting up a distributed network.

On the plus side, there is little to no incentive to game the Bitcoin network itself, as the benefits of participation outweigh any serious effort to attack it and risk destabilizing the exchangeable value. The botnet operator has as much of an incentive to keep the network healthy as traditional businesses relying on any monetary system to remain functional.
Add a comment...