CoinBot: A Covert Botnet in the Cryptocurrency Network

Cryptocurrencies are a new form of digital asset and are being widely used throughout the world. A variety of cryptocurrency-based botnets have been proposed and developed to utilize cryptocurrencies as new command and control (C&C) platforms. Most existing cryptocurrency-based botnets are bonded with the cryptocurrency client, which generates abnormal P2P traffic that can be easily detected and blocked. In addition, the commands embedded in transaction records can be easily traced, since the transaction records in a cryptocurrency network are usually publicly available. In this paper, we propose CoinBot, a novel botnet that based on the cryptocurrency networks. CoinBot is characterized by low cost, high resilience, stealthiness, and anti-traceability. Different from other cryptocurrency-based botnet, CoinBot utilizes Web2.0 services to achieve a dynamic addressing service for obtaining commands. As such, there is no need to run a cryptocurrency wallet application and hardcode a botmaster’s sensitive information in CoinBot, and the communications between the botmaster and the bots are hidden under legitimate HTTP/S traffic. Furthermore, we propose a cleaning scheme to prevent commands from being permanently recorded in the blockchain, thereby decreasing the risk of channel exposure. CoinBot is a generic model that can be applied to different kinds of cryptocurrency networks. We believe this model will be highly attractive to botmasters and could pose a considerable threat to cybersecurity. Therefore, we provide defensive suggestions to mitigate similar threats in the future.