Monday, 25 December 2017

Is Bitcoin Mining using Botnets really Profitable?

In this post I want to discuss the profitability of mining Bitcoins using a Botnet. As you might know, Bitcoin is the first Crypto Currency in the world and the one which introduced the concept of the Blockchain. Bitcoin uses a Proof of Work scheme based on the SHA256 algorithm to generate the coins.

With the rise in the price of Bitcoin, it has caught the attention of several Cyber Crime Threat Groups as well. These days we often see modular malware with one component specifically for mining Crypto Currency. However, is it really possible to generate a decent number of Bitcoins by mining through a Botnet which an attacker controls? I'd like to share my views on this. Mainstream media and popular Security Vendors' blogs often mention that a particular malware is using a Botnet to mine Bitcoins, but they do not really discuss the success an attacker can achieve with this method.

In the earlier days of Bitcoin, mining was possible with CPUs and later on with GPUs. This was because the number of miners in the Network was still small, so the Difficulty of the Network was significantly lower than it is today.

What is Bitcoin Mining Difficulty?

Bitcoin Mining Difficulty is a concept programmed in the Bitcoin Protocol to adjust the Network according to dynamic variables involved. The variables in the Bitcoin Network are:

1. Number of Miners
2. Total Network Hash Rate

The difficulty adjustment algorithm is programmed in such a way that upon creation of every 2016 blocks, the difficulty of the Bitcoin Network is re-adjusted.

As per the original whitepaper of Satoshi, a block must be generated in 10 minutes in the Bitcoin Network.

Time taken to generate 2016 Blocks = 2016 * 10 minutes = 20160 minutes = 336 hours = 14 days.

This means that the Bitcoin Network is expected to generate 2016 blocks every 2 weeks. However, due to the variables involved in the Bitcoin Network, the time taken to generate 2016 blocks can vary.

So, the difficulty of the Network is adjusted as shown below:

1. If the time taken to generate 2016 blocks is less than 2 weeks then the difficulty of the Network is increased.

2. If the time taken to generate 2016 blocks is more than 2 weeks then the difficulty of the Network is decreased.

At the time of writing this post, the latest instance of Difficulty Adjustment in the Bitcoin Network took place at: 2017-12-18 13:55:20 with a Block Height: 499968. The Difficulty of the Network at present is: 1,873,105,475,221.61 which is a 17.73% increase in Difficulty.

Since difficulty adjustment takes place every 2016 blocks, the total number of times the difficulty of the Bitcoin Network has been adjusted is 248 (derived from: 499968/2016).

Now, let's discuss the variables involved in Bitcoin Network which determine Difficulty.

Network Hash Rate

This is the Sum of the total mining power in the Bitcoin Network. There are several factors which determine this value:

1. Price of Bitcoin: If the Price of Bitcoin decreases, the mining profitability can decrease and this may not be a sufficient incentive for the miners to continue mining, since most of the miners are mining Bitcoin for financial benefit. Miners often switch their hardware between multiple Crypto Currencies based on which currency is more profitable to mine.

2. The Latest Hardware Technology: In the earlier days, to mine Bitcoins quickly, people had set up GPU farms, which were arrays of the latest GPU hardware. This involved a lot of cost, heat generation, power consumption and maintenance. Soon, miners figured out a way to mine Bitcoins faster. They started using ASICs, which have the SHA256 implementation hardwired into the device.

At the time of writing this post, the fastest ASIC mining hardware is Antminer S9 with a mining speed of approximately 14 THashes/sec = 14,000,000 Million Hashes/second.

Botnet Mining Profitability (Best Possible Scenario)

Now, let's consider a scenario where a malware author has compromised a large number of computers and successfully got the Bitcoin Mining code running in background on the machines. Let us assume the following:

1. Each of these machines in the Network is running the latest and fastest instance of Intel i7 Quad Core Processors.
2. The machines are running 24 * 7, which means that the machines are running constantly at their optimal speed.
3. Bitcoin Mining code is using all the 4 cores and 100% CPU usage.
4. Botnet consists of 30 Million machines satisfying the above 3 conditions. I have considered the size to be 30 million since that was the size of Bredolab (the largest Botnet Known till date).

So, what would be the total mining Power generated using this Botnet?

1 Intel Core i7 3930k Processor generates a Mining speed of 66.6MHashes/second
Size of Botnet = 30 million

Total hashing power = 66.6 MHashes/second * 30 million = 1998 THashes/second.

Now, the above conditions were considered to depict the Best Possible Scenario. However, that will not be possible in the real world for the following reasons:

1. Malware would ensure that its Bitcoin Mining Code does not use the complete CPU power, to avoid suspicion and not impact the user experience. The goal of the attacker is to mine for as long as possible in a stealthy way.

2. It is not a realistic scenario that all the machines in the Network would be running the latest Intel i7 Quad Core Processor.

3. The machines in the botnet will not be running 24 * 7, because these machines belong to users who will switch them off at regular intervals. While the machines are powered down, the mining process will not run.

4. The size of the Botnet considered above was to depict the best case scenario.

Botnet Mining Profitability (Realistic Scenario)

Now, let's perform a realistic calculation:

1. Average Mining Speed - To calculate this value we can refer to the Bitcoin Mining Benchmarks for CPUs here: https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison#Intel

Let us consider all the 17 Intel i7 Processors listed there and calculate the average Mining Speed.

This gives us an Average mining speed of 15.61 MHashes/Second

2. For stealthy mining, the attackers might use 60% of the Total processing power.

Effective Mining Speed = 9.36 MHashes/Second

3. Size of Botnet. Even in a realistic scenario, we have considered the latest Intel Processors. So, let us assume the size of the Botnet to be: 1 Million Machines with an average Mining Speed of 9.36 MHashes/Second.

Total Mining Speed of the Botnet: 9.36 MHashes/Second * 1 Million machines = 9.36 THashes/second

The Botnet Mining speed above is still less than the Mining Speed of a Single Antminer S9 ASIC device. This ASIC device costs 3000 USD.


Number of Bitcoins Generated with Botnet

Let us now calculate the Number of Bitcoins which will be generated by the Botnet. To do this calculation, we can use the Mining Profitability calculator here: https://www.coinwarz.com/calculators/bitcoin-mining-calculator

With a mining speed of 9.36 THashes/Second, the Botnet would only generate 0.45 Bitcoins in 1 Year.

And this is also assuming the following conditions:

1. Bitcoin Difficulty remains constant throughout the Year (which is not realistic; it will most likely increase a lot).
2. The machines in the Botnet are running throughout the Year (which is again not so realistic).
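
The calculator figure can be cross-checked by hand. The following is an added example, not code from the original post: it uses the standard relation that a block takes difficulty * 2^32 hashes on average, assumes the December 2017 block subsidy of 12.5 BTC with fees ignored, and then relaxes the two assumptions above with a hypothetical model in which difficulty rises by 17.73% at every retarget and machines are up half the time.

```python
# Added example (not from the original post): expected Bitcoin yield of a CPU botnet.
SECONDS_PER_DAY = 24 * 3600
HASHES_AT_DIFFICULTY_1 = 2 ** 32       # expected hashes per block at difficulty 1
DIFFICULTY = 1_873_105_475_221.61      # network difficulty quoted in the post
BLOCK_REWARD_BTC = 12.5                # assumption: December 2017 subsidy, fees ignored


def botnet_hashrate(machines, mhash_per_machine, cpu_fraction=1.0, uptime=1.0):
    """Total hashes/second; uptime is the assumed fraction of time hosts are on."""
    return machines * mhash_per_machine * 1e6 * cpu_fraction * uptime


def expected_btc(hashrate, days, difficulty=DIFFICULTY, reward=BLOCK_REWARD_BTC):
    """Expected coins mined in `days` at a constant difficulty."""
    hashes = hashrate * days * SECONDS_PER_DAY
    return hashes / (difficulty * HASHES_AT_DIFFICULTY_1) * reward


def expected_btc_rising(hashrate, periods, growth, difficulty=DIFFICULTY):
    """Expected coins over `periods` 14-day retarget periods when difficulty
    is multiplied by (1 + growth) at every retarget (hypothetical model)."""
    total = 0.0
    for _ in range(periods):
        total += expected_btc(hashrate, 14, difficulty)
        difficulty *= 1 + growth
    return total


def scenarios():
    best = botnet_hashrate(30_000_000, 66.6)                    # post's best case
    real = botnet_hashrate(1_000_000, 15.61, cpu_fraction=0.6)  # post's realistic case
    return {
        "best_ths": best / 1e12,
        "real_ths": real / 1e12,
        "real_btc_year": expected_btc(real, 365),
        # 26 retarget periods = 364 days; growth rate is an assumed constant
        "real_btc_year_rising": expected_btc_rising(real, 26, 0.1773),
        "real_btc_year_half_uptime": expected_btc(real * 0.5, 365),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:28s} {value:12.3f}")
```

At constant difficulty the realistic botnet comes out at roughly 0.46 BTC per year, in line with the calculator's 0.45; with difficulty rising at every retarget the yield drops to about a quarter of that.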

So, I hope with this post you can understand that even if an Attacker compromises a Large Botnet of machines running the latest CPUs with a consistent uptime, they would not even generate Half of a Bitcoin in 1 Year.

c0d3inj3cT