What Is Botnet Mining?

Cryptocurrency mining botnets are making millions for their creators by secretly infecting various devices across the globe. The botnets hijack the CPUs of infected machines to mine the coins, which can be worth tens of thousands of dollars apiece.

In late January 2018, for example, the security firm Trend Micro reported that the DoubleClick ad services of Alphabet Inc.'s (GOOGL) Google were used to distribute cryptocurrency mining malware to a number of users in Europe and Asia. The next month, more than half a million computing devices were hijacked by a cryptocurrency miner botnet called Smominru. The botnet forced the machines to mine nearly 9,000 Monero cryptocoins without the device owners' knowledge, according to technology portal ZDNet.

More recently, a cryptojacking botnet named Sysrv-hello has been making the rounds since December 2020. Sysrv-hello targets enterprise web applications and is deployed on both Windows and Linux systems. Like other botnets, it continuously evolves to stay ahead of security researchers and law enforcement. Extremely aggressive, Sysrv contains a component that hunts for and shuts down other crypto-mining botnets.

Key Takeaways

  • A botnet is a piece of malware that infects computers to carry out commands under the remote control of the attacker, known as the bot-herder.
  • Cryptocurrency botnets make money for their creators by discreetly infecting various devices around the world and forcing them to mine cryptocurrencies.
  • Cryptocurrency botnets use multiple wallets linked to numerous mining pools to store illegally earned cryptocurrencies.
  • Crypto mining bots can generate millions of dollars a year, or even per month.

What Is a Botnet?

Welcome to the malicious world of botnets: a collection of various internet-connected computing devices that are maliciously infected and controlled by a common type of malware. The devices include desktops, servers, handheld mobile devices, and Internet of Things (IoT) devices. The working mechanism of such botnets ensures that the device owners remain mostly unaware that a botnet has infected—and now controls—their system.

The word "botnet" is a portmanteau of the words robot and network. Botnets that target cryptocurrencies are called botnet miners. These systems allow their creators to rake in crypto cash at the expense of unsuspecting device owners who have no idea their machines are being used to mine cryptocoins.

How Do Botnets Work?

A botnet system is akin to standard computer malware. Computer malware is like any other computer program, but it is designed to use computers for nefarious activities—such as corrupting systems, destroying and/or stealing data, and using them for illegal activities. These illicit pursuits, of course, can have a detrimental effect on the device, data, and network.

Unless caught by anti-virus/anti-malware programs installed on the device, such malware continues to run without the owner’s knowledge and is capable of replicating itself to the other connected devices on the network.

Similarly, botnets are automated programs developed as lines of code by their creators and made to sneak onto a user’s device. Botnets use the machine’s processing power, electricity, and Internet bandwidth to perform specific functions. Common botnet actions include:

Botnet mining is used to steal cryptocurrencies. This type of botnet is usually released on a private network of interconnected computers so that the cumulative power of the devices results in more computational power for mining cryptocurrency. This can boost mining output and the corresponding rewards for the botnet creators.

Smominru Mining Botnet

The Smominru mining botnet that was created around May 2017 had successfully mined around 9,000 Monero tokens worth around $3.6 million by February 2018. Researchers at cybersecurity company Proofpoint claim that the botnet includes “more than 526,000 infected Windows hosts, most of which we believe are servers.”

After its investigations and analysis, Proofpoint requested that a prominent Monero mining pool, MineXMR, ban the address linked to Smominru. Though this resulted in the operators apparently losing control over one-third of the botnet, they quickly registered new domains and started mining to a new address on the same pool.

Because the botnet is resilient and keeps regenerating itself, containing its spread has been difficult despite all the efforts to take it down. Geographically, the nodes of the Smominru miner botnet are observed to be distributed across the globe; the bulk of them are found in Russia, India, and Taiwan.

Monero seems to be the hot favorite cryptocurrency to be mined through such botnets, owing to its anonymity and privacy-rich features, which make it difficult to track the destination address to which the mined tokens are transferred.

Smominru—aka MyKings, DarkCloud, and Hexmen—is still alive and making "massive amounts" of money for its operators.

Botnets Getting Stronger

The methods of mining various cryptocurrencies are becoming more and more complicated and resource-intensive. The operators of such botnets flourish by abusing every available means of spreading their botnet to more and more devices, and they concentrate their efforts on developing such pre-programmed systems. Additionally, they continue to devise multiple ways to make the botnet more robust.

Given the significant profit promised by such botnets, their number and ill-effects are expected to grow.

“Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching regimens and layered security is the best protection from potentially disruptive impacts on critical infrastructure,” Proofpoint’s VP of Threat Operations, Kevin Epstein, told News.com.au.

What Is a Botnet?

A botnet (derived from "robot network") is a large group of internet-connected devices that are infected with malware and controlled by a single operator. Criminals use botnets to launch large-scale attacks to disrupt services, steal login credentials, and gain unauthorized access to systems.

What Is Botnet Mining?

Botnet mining is when a botnet is used to mine cryptocurrencies. The botnets hijack the CPUs of infected machines to mine the coins, which can be worth tens of thousands of dollars each. Botnet miner creators make money at the expense of unsuspecting device owners who have no idea their machines are being used to mine cryptocoins.

The Bottom Line

While the cryptocurrency infrastructure is still evolving, such threats loom large over nascent networks. Though it may be difficult to contain the menace at the individual user level, regular monitoring of the various processes running on individual devices may help.
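One way to put the process monitoring suggested above into practice, as an added example that is not part of the original article: the sketch flags processes that stay above a CPU threshold across several consecutive samples, which separates a constant load from a short burst. The log format, process names, threshold and allowlist are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed samples, one per minute: "<timestamp> <pid> <process name> <cpu %>"
SAMPLE_LOG = """\
2022-01-26T10:00 812 nginx 12.5
2022-01-26T10:00 4021 unknown-svc 97.3
2022-01-26T10:00 5150 gzip 91.0
2022-01-26T10:01 812 nginx 10.1
2022-01-26T10:01 4021 unknown-svc 98.8
2022-01-26T10:01 5150 gzip 3.0
2022-01-26T10:02 4021 unknown-svc 96.1
2022-01-26T10:02 6001 ffmpeg 95.0
2022-01-26T10:03 4021 unknown-svc 99.0
2022-01-26T10:03 6001 ffmpeg 94.0
2022-01-26T10:04 4021 unknown-svc 97.5
2022-01-26T10:04 6001 ffmpeg 96.0
"""

def parse_samples(text):
    """Group log lines into time-ordered snapshots of {(pid, name): cpu_percent}."""
    by_time = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, pid, name, cpu = parts
        try:
            by_time[ts][(int(pid), name)] = float(cpu)
        except ValueError:
            continue  # skip lines with a non-numeric pid or CPU value
    return [by_time[ts] for ts in sorted(by_time)]

def flag_sustained_cpu(snapshots, threshold=80.0, min_consecutive=3, allowlist=()):
    """Return (pid, name) pairs at or above threshold in min_consecutive samples in a row."""
    streak, flagged = defaultdict(int), set()
    for snap in snapshots:
        # A process that dropped below the threshold or disappeared loses its streak.
        for key in list(streak):
            if snap.get(key, 0.0) < threshold:
                streak[key] = 0
        for key, cpu in snap.items():
            if cpu >= threshold and key[1] not in allowlist:
                streak[key] += 1
                if streak[key] >= min_consecutive:
                    flagged.add(key)
    return sorted(flagged)

if __name__ == "__main__":
    # ffmpeg is allowlisted here as a known, expected heavy workload (assumption).
    for pid, name in flag_sustained_cpu(parse_samples(SAMPLE_LOG), allowlist={"ffmpeg"}):
        print(f"review pid {pid} ({name}): sustained high CPU")
```

A flagged process is a lead for review, not a verdict; legitimate batch jobs look the same until they are allowlisted.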


Article Sources

  1. ZDNet. "A giant botnet is forcing Windows servers to mine cryptocurrency." Accessed Jan. 26, 2022.

  2. RISKIQ. "The Sysrv-hello Cryptojacking Botnet: Here's What's New." Accessed Jan. 26, 2022.

  3. Palo Alto Networks. "What is a Botnet?" Accessed Jan. 26, 2022.

  4. PPC Protect. "How Do Botnets Make Money From Your Ads?" Accessed Jan. 26, 2022.

  5. SC Media. "Nearly $25M stolen by long-running MyKings botnet." Accessed Jan. 26, 2022.