Hacker Earns £365,000 Mining Dogecoin With NAS Boxes

This could be the most profitable illegal crypto-currency mining operation in history

An unidentified hacker has made at least $620,496 (£365,750) in Dogecoin virtual currency, after infecting thousands of Network Attached Storage (NAS) servers made by Taiwanese manufacturer Synology with Dogecoin-mining malware.

According to Dell subsidiary SecureWorks, the attacker was using known vulnerabilities in the DiskStation Manager (DSM) software. The company calls it the single most profitable illegitimate crypto-currency mining operation to date.

Synology launched an investigation into the matter in February, after a customer reported that he found a process entitled ‘PWNED’ using up all of his NAS system resources. He also discovered the relevant application files located in a folder under the same name.

Slave miners

NAS systems are simple file servers – essentially just boxes of networked hard drives equipped with their own CPU and RAM and managed by an embedded operating system, usually based on the Linux kernel.

Mining Shiba Inu - DogecoinSince January, Synology NAS users had started noticing that their systems were performing slowly while displaying very high levels of CPU usage, even during downtime.

As it turns out, the hacker was able to infect unpatched appliances using known vulnerabilities in its DSM Linux distribution. These vulnerabilities were disclosed by security researcher Andrea Fabrizi in September 2013, and subsequently patched by the company. However, not all users had applied the patches, leaving the door open for the attacker.

An investigation by SecureWorks identified the malware as CPUMiner, compiled specifically for the Synology platform. By following the workload as it was uploaded from the enslaved NAS boxes to the attacker’s server, investigators established that the botnet was used to mine Dogecoin.

Dogecoin started as a joke – a crypto-currency based on the (allegedly) popular Internet meme – but it soon grew into an online payment tool with a current market cap of around $30 million.

Now, the joke is on the owners of Synology NAS boxes – since the middle of January, the hacker had mined at least 500 million Doge, worth around £365,750 on the open market.

A major drawback of mining crypto-currencies using CPU as opposed to specialised ASIC chips is it doesn’t make financial sense – miners would spend more money on electricity than what they would get back in Bitcoin or Dogecoin. But obviously, that was not a concern for the attacker.

One of the users on the Synology Facebook page suggested that the operation could have remained undetected much longer if the hacker didn’t name the folder ‘PWNED’.

Removal of the malware has been discussed at length in the Synology forums.

Last month DogeVault, a popular online virtual currency wallet for Dogecoin, was attacked by hackers who stole almost all of its Doge and “destroyed” the internal systems. It currently aims to repay 25 percent of account balances.

An earlier version of the story erroneously claimed the hacker had made £365 million in Dogecoin.

What do you know about Bitcoin? Take our quiz!