Shared publicly  - 
UPDATE: see also the later article "a Botnet herder mining Bitcoin":

CORRECTION: I thought that the Symantec blog and screenshot was showing a single machine renting for $200-$400 per week. Re-reading it, I see that it is advertising a botnet of an unspecified number of machines (probably in the 10,000's). So that number was off by a few orders of magnitude in my original post. --Zooko

Are botnets a significant part of global Bitcoin mining?

+Perry Metzger wrote something about Bitcoin-mining malware. I've heard of such malware. I first heard about them a few months ago. I doubt they are very important to the overall Bitcoin hashing ecosystem to date since they haven't been using GPUs. (Note: below I realize that I was wrong about this -- they have been using GPUs.)

Let's see... Here's Symantec describing how such malware would be possible but not claiming to have seen any in the wild, back in June: .

The author does a bit of testing and arithmetic to estimate how much money the Botnet herder could earn from doing mining on the bot CPU, and comes to the conclusion that it would be more profitable for the Botnet herder to use it for DoS than for mining Bitcoin.

They say that a typical profit for renting a high-end machine for DoS, to be used for a few hours a week, would be about $400 per week -- showing a screenshot of an advertisement offering to rent such machines for such service at that price. They say that a single CPU can mine about 1 Mhash/sec (which is pretty consistent with the CPU results from ). Using the difficulty factor at that time (around 500,000) and the $/ⓑ price (around 20.00), they figure that the bot machine, running at 100% of one CPU 24/7, would earn only $0.24 worth of Bitcoin in a week!

The difficulty factor today is about 1.2 million, so that more than halves the profit right there, and the price of $/ⓑ is currently around 3.00, so the profit of mining 24/7 on a single CPU core today is probably only about $0.02 per week. (Generated by .)

In August Symantec reported a malware that did Bitcoin mining: . (If anybody has a reference to an earlier citing, please post it here.)

Even though the price of $/ⓑ rose from 20.00 and peaked around 30.00 in the first half of June ( ), it still seems like it would not have been worth it to Botnet herders to risk exposure and therefore loss of that Bot machine.

The increasing mining rate during those months was almost certainly due to more and more GPUs being deployed as miners. According to , a GPU card costing about $150 can do about 200 Mhash/sec.


I see that I haven't been paying close enough attention, and the malware announced back in August already used the GPU if available. A high-end GPU (e.g. ATI Radeon 5970, retail around $500) can do about 650 Mhash/sec. Back in August the price of Bitcoin was around 10.00 $/ⓑ ( ) and the difficulty was around 1.75 million ( ), so the profitability of running a Bitcoin miner full-blast on such as high-end GPU was about $26/wk. Now that might have been worth it! And apparently some malware operators thought so. Even the more common $150 card would have been able to generate $8/wk.

Now what about today? The difficulty has fallen from about 1.75 M in August to about 1.2 M today, and the price has fallen from about 10.00 $/ⓑ then to about 3.00 $/ⓑ, so a ATI Radeon 5970 should yield about $11/wk and one of those other cards that cost only $150 should yield about $3.50/wk.

Note that Botnet operators don't pay for the costs of capital or the electricity used. The Radeon 5970 running full blast 24/7 probably costs about $0.70 per week in electricity (estimating price of $0.10/kWh for USA-style price of electricity). The cheaper cards maybe $0.40 per week. That's the just card itself. Running the rest of the computer that the card is housed in also drinks electricity.

Okay, I think I was wrong. I assume that a profit of a few dollars per week per bot is worth the cost of deploying the GPU-based mining malware. Possibly this is wrong if you really can rent good bots for $400/wk to do DoS'es, and if running a miner on it endangers its continued usefulness for DoS'ing, but it might be right. If it is profitable then Botnet miners might indeed be an important part of the Bitcoin mining ecology. There might be tens of millions of Bots ( ). If we make the wild guess that there are 100,000 bots that have useful GPUs (let's say each one can do 200 Mhash/sec) and that 10% of them are tasked with Bitcoin mining, then that would aggregate to 2 Thash/sec. The estimated revenue of such a network of 10,000 GPU-equipped bots would be $35,000 per week.

The current total of all miners working on Bitcoin is about 7.5 Thash/sec ( ), so this could be a significant factor!

On the other hand, about half of all mining power -- more than 7.5 Thash/sec worth of miners -- ceased operation from the peak at August 11 to the present. If that 7.5 Thash/sec of miners had been making a substantial profit then they would presumably not have ceased operation. I conclude that either those 7.5 Thash/sec worth of miners were not bots, or that there are other costs to mining on bots (such as displacing other profitable uses of the bots or causing them to be detected).

Bottom line: you should either not own a GPU, or if you're going to own a GPU you should run a Bitcoin miner on it and be careful not to let it be taken over by malware. :-)

Very interesting! Thanks for stimulating me to investigate.


Trevor Stone's profile photoZooko Wilcox-O'Hearn's profile photoSean Reifschneider's profile photoLarry Reaves's profile photo
Why are running DoS and mining bitcoins mutually exclusive? I'd think the former would mostly be network intensive and the latter is focused on [CG]PU.
From looking at the difficulty graphs, it would seem that bitcoin mining has decreased rather than increased, so it's hard to say that this is widespread...
Or mining bots were temporarily redirected to other more profitable tasks.
+Trevor: they aren't necessarily mutually exclusive, but they may compete with each other to some degree. I think the main issue is increasing the risk of detection. Perhaps running the GPU lighter would reduce the chance that the legitimate user notices that something is wrong, at a cost of reducing the mining output. If botnets rent out entire computers to one renter at a time, then they may be rented to someone who doesn't do Bitcoin mining because that isn't their business, and they are busy working on increasing their profit from their business (which may be spam, DoS, etc.). This is all speculation on my part. I would be interested in learning more facts about those sorts of operations.

+Sean: that was my point about 7.5 Thash/sec having ceased operation recently. That suggests to me that those folks (which constituted about half of the peak mining power) were paying their own capital, power, and system administration costs. :-) Mind you, I'm not asserting that the remaining 7.5 Thash/sec are mostly bots! I would really doubt that. Rather, I'm thinking of it as an upper bound -- it suggests that during the peak mining period, less than half of the miners were bots.
Fair enough. We are still running mining most because we're too lazy to take it down and it's still covering the cost to do it.
Ever since bitcoin became associated with botnets, every few days Comcast decides to bombard me with "you're infected" html injections on all unencrypted http connections. :(
Add a comment...