Under the Dark: A Systematical Study of Stealthy Mining Pools (Ab)use in the Wild

Abstract

Cryptocurrency mining is a crucial operation in blockchains, and miners often join mining pools to increase their chances of earning rewards. However, the energy-intensive nature of PoW cryptocurrency mining has led to its ban in New York State of the United States, China, and India. As a result, mining pools, serving as a central hub for mining activities, have become prime targets for regulatory enforcement. Furthermore, cryptojacking malware refers to self-owned stealthy mining pools to evade detection techniques and conceal profit wallet addresses. However, no systematic research has been conducted to analyze it, largely due to a lack of full understanding of the protocol implementation, usage, and port distribution of the stealth mining pool. To the best of our knowledge, we carry out the first large-scale and longitudinal measurement research of stealthy mining pools to fill this gap. We report 7,629 stealthy mining pools among 59 countries. Further, we study the inner mechanisms of stealthy mining pools. By examining the 19,601 stealthy mining pool domains and IPs, our analysis reveals that stealthy mining pools carefully craft their domain semantics, protocol support, and lifespan to provide underground, user-friendly, and robust mining services. What’s worse, we uncover a strong correlation between stealthy mining pools and malware, with 23.3% of them being labeled as malicious. Besides, we evaluate the tricks used to evade state-of-the-art mining detection, including migrating domain name resolution methods, leveraging the botnet, and enabling TLS encryption. Finally, we conduct a qualitative study to evaluate the profit gains of malicious cryptomining activities through the stealthy pool from an insider perspective. Our results show that criminals have the potential to earn more than 1 million USD per year, boasting an average ROI of 2,750%. We have informed the relevant ISPs about uncovered stealthy mining pools and have received their acknowledgments.

Publication
In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Copenhagen, Denmark, November 26–30, 2023. (Acceptance rate: ??%, Acceptance rate in first round: ??%, Acceptance rate in second round: ??%).
* ⓘ Both authors contributed equally to the paper

Overview

In this paper, we present a stealthy mining pool detection system.

More details coming soon.