Infiltrate Security Conference OPEN CFP


Hacking Bitcoin mining for fun and profit: subverting the Stratum protocol.

Vulnerability Research

Mainstream research has studied a wide range of attacks in order to evaluate the security posture of Bitcoin related protocols. From time-jacking, and double spending to block withholding and eclipsing attacks, the Bitcoin ecosystem has been able to hold its ground. However, no previous efforts have focused on the protocols that enable Bitcoin’s mining activity. Stratum is the de-facto pooled mining protocol for Bitcoin and virtually every other active cryptocurrency. In this research, we exploit Stratum's lack of encryption to develop passive and active attacks with important implications on the mining processes. Specifically, we introduce passive attacks that infer miner earnings even in the presence of correctly implemented encryption. In addition, we develop BiteCoin, a MITM tool that surreptitiously steals computational resources and its associated payouts from its victims. We build BiteCoin by leveraging WireGhost, a general-purpose middleware, that we develop to perform transparent TCP hijacking with active sequence re-synchronization. Our attacks reveal that securing Stratum through pervasive encryption is not only undesirable (due to large overheads), but also ineffective. Instead, we devise Bedrock, a minimalistic Stratum extension that protects the privacy and security of mining participants. Bedrock leverages the concept of a “mining cookie” that introduces a secret shared by a miner and its pool mining server. Careful inclusion of this secret in the mining computation process effectively prevents the aforementioned attacks with minimal impact over the mining infrastructure.

Back to Open CFP



Mick Ayzenberg, while at Deja Vu, did a lot of great work fuzzing stratum. CVE-2014-4502 CVE-2014-4503 He also gave an awesome talk at Toorcamp in 2014 talking about these bugs along with several protocol weaknesses, like tricking clients into following pool redirects.


It seems the 2014 talk was different focus. In this talk, we do not attack the mining software but rather the protocol itself, so the vulnerabilities are applicable no matter what mining software you use. Also, note that pool redirects and the use of proxies are very easily detectable. We present an active attack that is fully undetectable by the use of a general purpose MITM tool that actively re-synchronizes TCP sequence numbers. In addition, we present an attack that leaks the user's mining earnings even in the presence of correctly applied encryption by studying network protocol metadata.

Interested in Speaking?

We are pleased to announce the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused-fresh-content presentation, please submit an abstract, Bio and headshot to This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. Call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are: