Bitcoin miner

Dutch security researcher Victor Gevers has discovered 2,893 Bitcoin miners left exposed on the Internet with no passwords on their Telnet port.

Gevers told Bleeping Computer in a private conversation that all miners process Bitcoin transactions in the same mining pool and appear to belong to the same organization.

"The owner of these devices is most likely a state sponsored/controlled organization part of the Chinese government, " Gevers says, basing his claims on information found on the exposed miners and IP addresses assigned to each device.

Miners taken offline shortly after

Gevers is also the chairman of the GDI Foundation, a non-profit organization that coordinates vulnerability disclosures and works to secure exposed devices. For the past two days, Gevers has been investigating the incident and was planning to reach out to the affected organization.

This will not be necessary anymore as it appears that someone from the affected party saw Gevers' tweets and secured the exposed devices shortly after.

"Most of the miners are now not available anymore via Telnet," Gevers told Bleeping Computer. "Just a few are left, and I am keeping an eye out for those."

"At the speed they were taken offline, it means there must be serious money involved," Gevers added. "A few miners is not a big deal, but 2,893 [miners] working in a pool can generate a pretty sum."

According to a Twitter user, the entire network of 2,893 miners Gevers discovered could generate an income of just over $1 million per day, if mining Litecoin.

Based on firmware details Gevers found on the devices, the researcher believes that most are ZeusMiner THUNDER X3 Bitcoin miners.

Some devices infected with malware, backdoors

The expert is still investigating to see how long were these devices left exposed online without a Telnet password.

"I have proof of other visitors on the boxes where they tried to install a backdoor or malware," Gevers said.

According to another researcher who also took a look over the miners, they also appeared to be participating in a bandwidth sharing scheme run via Chinese service Xunlei.

Last week, Gevers worked to secure thousands of smart devices that were still running default Telnet credentials. IP addresses, usernames, and passwords were leaked online via a list uploaded on Pastebin. One of the IP addresses included on that list belonged to one of the Bitcoin miners and this is how Gevers discovered the whole mining network.

UPDATE [September 4, 2017, 03:55 ET]: Gevers said in a tweet that someone is adding the miners he discovered to a Mirai botnet.

Related Articles:

Cybercriminals Go Phishing For Jaxx Wallet Users

Atlas Quantum Cryptocurrency Investment Platform Suffers Data Breach

Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers

Tumblr Fixes Security Bug that Leaked Private Account Info

Researcher Livestreams 51% Attack on Altcoin Blockchain