a Botnet herder mining Bitcoin


Someone is posting to reddit claiming to be a malware author, botnet operator, and that they use their Botnet to mine Bitcoin: ¹.

I asked them a question about the economics of using a Botnet for the Bitcoin distributed transaction-verification service ("Bitcoin mining"): ².

They haven't provided any proof of their claims, but on the other hand what they write and how they write it sounds plausible to me.


Here are my notes where I try to double-check their numbers and see if they make sense.

They in their initial post ¹ that they do 13-20 gigahashes/sec of work on the Bitcoin distributed transaction verification service.

The screenshot they provided ³ shows 10.6 gigahashes/sec (GH/s) in progress, and that they're using a mining pool named BTCGuild. According to this chart of mining pools ⁴, BTCGuild currently totals about 12.5% of all known hashing power, and according to ⁵ the current total hashing power on the network is about 12.5 terahashes/sec (TH/s), so BTCGuild probably accounts for about 1.5 TH/s.

They say that their Botnet has about 10,000 bots. The screen shot shows a count of "total bots" = 12,000 and "connected in the last 24 hours" = 3500. This ratio of total bots to bots connected in the last 24 hours is consistent with other reports I've read of Botnets ⁶, and also consistent with my experience in p2p networking. The number of "live bots" available at any one time for this Botnet herder should probably average out to somewhere between 350 and 550. Let's pick 500 as an easy number to work with. Does it makes sense that 500 bots could generate 10 GH/s? That's 20 MH/s per live bot. According to the Bitcoin wiki's page on mining hardware ⁷, a typical widely-available GPU should provide about 200 MH/s. Hm, so they are claiming only 1/10 the total hashpower that our back-of-the-envelope estimates would assign to them. Here is an answer they give to another person's question that sheds light on this: ⁸.

Q: "Isn't Bitcoin mining pretty resource intensive on a computer? Like to the point someone would notice something is up on their system form it slowing eveyrthing down?"

A: "My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immidiatly, so it doesn't suck your fps at MW3. Also it mines as low priority so movies don't lag. I also set up a very safe threshold, the cards work at around 60% so they don't get overheated and the fans don't spin as crazy."

It sounds plausible to me that those stealth measures could cut the throughput by 10 compared to running flat-out 24/7. Also it isn't clear if the botnet counts computers that don't have a GPU at all, or don't have a usable one. Maybe such computers are rare nowadays? Anyway if they are counted in there then that would be another reason why the hashing throughput per bot is lower than I calculated.

In answer to another question ¹⁰, they said they get a steady $40/day from running the Bitcoin transaction-confirmation ("mining") service. According to this chart ¹¹ from ¹², the current U.S. Dollar value of Bitcoin mining is (or was a couple of days ago when they wrote that) about $0.33 per day for 100 MH/s. Multiplying that out by their claim of 10.6 GH/s results in $35/day. So that adds up, too.

(Note that it sounds like their primary business is stealing and selling credit card numbers, and the Bitcoin transaction-verification service is a sideline.)

I don't see a reason to doubt that they really generate about 10.6 GH/s of the Bitcoin distributed transaction verification service.

My primary question is: if this is profitable on a per-bot basis, then why don't they scale up their operation? Of course, the answer to this presumably sheds light on the related question of why competitors of theirs don't launch similar operations. Perhaps one limiting factor is that the larger your Botnet, the more likely you'll be arrested by police or extorted by competitors. That may be a limiting factor that this person doesn't yet know about or doesn't like to think about. They mentioned ⁹ that most of their fellow cybercriminals are "too inexperienced to accept Bitcoin", so it may be that this person is just ahead of the curve and more people will launch operations like this in the future.

That's the question that I asked them on reddit—why don't they scale up? They haven't yet replied to my question, but they earlier mentioned in response to a different question ⁹:

Q: "How many botted machines do you typically gain per month or per campaign."

A: "about 500-1000 a day, weekends more. I'm thinking about just buying them in bulks and milking them for bitcoins. Asian installs are very cheap, 15$/1000 installs and have good GPUs."

If they're really gaining 500 to 1000 new bots per day but they have a total of only 12,000 then either their operation is rapidly expanding, or the attrition rate is similarly high as the acquisition rate.

the bottom line and my take

I don't see any reason to doubt that this is real, and that this person with their Botnet is responsible for about 0.08% (i.e. less than 1/1000 — not 8%!) of the total Bitcoin distributed transaction-verification service, and that they profit for it at the rate of about $35 per day.

There's one open question in my mind about whether this particular operator is currently rapidly expanding (adding 1000 bots per day to their network of 12,000 bots) or if the attrition rate of bots departing from the 12,000-node network is close to 1000 per day.

If the $35/day revenue is really mostly profit (i.e., they don't have to spend so much time maintaining their 12,000-node Botnet that they forego more profitable activities, like stealing more credit cards or finishing their homework), I would expect them and others like them to turn more and more bots to this purpose.

However, the nature of Bitcoin is that all providers of distributed transaction-confirmation service are in competition with one another. In the two weeks since this post went up on reddit, people around the globe deployed about 2 TH/s more hash power (see this graph of aggregate Bitcoin hash power ⁵), which cut the profitability of this one person's operation from $35.00/day to $30.00/day. If more and more Botnet operators get into the Bitcoin mining game, they will reduce the profitability of Bitcoin mining. (As well as competing with each other for access to victim computers, which has got to be a limited resources, right? Right? Or is there just a practically infinite supply of vulnerable computers waiting to be tapped if only someone can find a way to profit from them?)

In parallel, the legitimate Bitcoin miners appear to be continuing to roll out new distributed transaction-verification service on their own hardware. Here is a recent post by "Bitcoinminer" about commercial Bitcoin farms based on GPU: ¹³. The operation spotlighted in that post apparently delivers 100 GH/s (about 10X that of our Botnet herder). At the same time, sales of FPGA-based Bitcoin devices appear to be booming. I wrote a post about that: ¹⁴. You'll have to scroll down through extensive discussion to find where I summarized the numbers, but in summary it appears that people are in the process of investing half a million USD in Bitcoin FPGA which, when all deployed, will deliver around 430 GH/s.

I think there may be a kind of "Game of Chicken" going on: if someone makes a convincing show of investing in Bitcoin mining then they may deter other people from getting into the game and dividing up the profits. That may be the subtext of Bitcoinminer's blog post—he may be trying to discourage competitors. An interesting thing about "Game of Chicken" is that large upfront costs can actually be an advantage because they demonstrate your commitment! If people are spending half a million dollars on FPGA Bitcoin miners, then their competitors had better believe they're really going to keep running them, even if competition drives down profitability.

See, to deploy 10 GH/s of Bitcoin hash power using FPGA would require you to purchase about $10,000 worth of hardware which has no resell value except to other Bitcoin miners. To deploy 10 GH/s using GPU would require an outlay on about $5000 of hardware, which you could later resell for gaming (or whatever other uses GPUs have nowadays -- CAD/CAM?). To deploy 10 GH/s using a Botnet requires an unknown-to-me outlay of time, money, skill, or risk of personal harm, but at least the marginal cost of adding another few MH/s seems much lower than in the hardware-based approach. Our Botnet herder on reddit said he could buy access to Asian PCs with good GPUs for $15 for 1000 PCs. If that's true then it should cost a piddling $180 to set up a new network as big as his current 10 GH/s network.

However, if he is considering doing something else with his time and money, then the fact that people have convincingly committed to large-scale FGPA mining may deter him, because no matter how well he does at competing with them, they've already paid a sunk cost, and their marginal cost for electricity is low, so they won't quit. (Unless competition swells to such a level that it drives revenue below their cost of electricity, which seems like a distant prospect at this point.) Thus they might win at the Game of Chicken and persuade him to spend his time and money on different projects (such stealing more credit cards or doing a better job on his homework).

(There are also several organizations who are loudly proclaiming that they're developing custom ASIC chips for Bitcoin mining. I haven't yet seen hard evidence of any of them having really spent substantial money on it or having demonstrable progress on the engineering and manufacturing.)

last word

I'm delighted to see such vigorous and varied competition for contributing to the distributed, planet-wide transaction-confirmation service. I especially like the "sunk-cost" people such as the FPGA miners with their low electricity requirements, because they seem likely to be long-term, always-on contributors.

¹ http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

² http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4mu8oj

³ https://lafsgateway.zooko.com/file/URI:CHK:sdk72a5zmncihhmhdsremrglem:ez25wwqy3lkpefd7e4tujr2tc5mhezmguql7vensxysl2yhkqefa:1:1:516308//named=/yxMDx.jpg







¹⁰ http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/c4g235t

¹¹ http://bitcoinx.com/charts/chart_large_lin_30d.png

¹² http://bitcoinx.com/charts/

¹³ http://www.bitcoinminer.com/post/22769728108/commercial-mining-farms

¹⁴ https://plus.google.com/108313527900507320366/posts/2ztAhLnXQK
Shared publiclyView activity