Source: Zhihu, author: Li Chaoyang, IBM software engineer

Recently, I received a consultation from a friend that led me to discover a new type of scam.

Strange glitch

On this day, Mr. A consulted me because the 20 graphics card mining machines he had bought suddenly could not mine. The specific symptom was that the mining pool showed the mining machines as offline.

▼ Because there had been no computing power for a long time, the mining machine was already shown as invalid by the time Mr. A consulted me.

As someone who has helped many newbies, I have some experience. I asked him to feel the temperature of the air outlet of the mining machine with his hand.

▼ This is the power consumption of normal mining

▼ This is the power consumption under no load

If the mining machine is not mining, the power consumption of the graphics card drops significantly, and there should be basically no heat to feel at the air outlet.

A quickly replied that the air outlet was hot, no different from before. Obviously, the miners were working.

Since the machine was working, we could directly rule out the network and the mining pool as causes: if there were a problem with the connection to the mining pool, the mining software would stop mining and the graphics card power consumption would drop as well.

There seemed to be only one possible explanation: the machine had been hacked and the computing power redirected to someone else's address.

Since the system had been hacked, the safest thing to do was to reinstall it. Experience tells me that for a hacked system, reinstalling is the most time-saving and labor-saving method. Who knows what tricks the hackers will play, and a mining machine has no data worth keeping.

Under my guidance, Mr. A successfully installed minerOS, a system customized for mining. Then something really confused me: the graphics cards could not be detected!!
▼ The minerOS backend does not recognize any graphics card

For a mining machine that takes 8 cards, the motherboard has to use various tricks to increase the number of PCIe slots. Common methods include a PCIe switch, reducing bandwidth to x1, using the PCIe 2.0 protocol, and so on. Compatibility and stability are indeed mediocre, and it is common to lose one or two cards occasionally. However, this was the first time I had seen all 8 cards lost.

Transition

A and I struggled with this for hours, to no avail. Just when I was about to give up on remote debugging and ask A to send the machine to me, A complained: "It's too hot."

That sentence woke me up. I asked A to check the temperature of the air outlet again, and it was still hot. It seemed that the machine was still mining, yet it could not even recognize the graphics cards.

So A simply shut down the mining machine but left the power connected. After a while, A checked the air outlet and found it was still hot. That's a bit strange, isn't it?

I decided to go all out and asked Mr. A to get a screwdriver and take the machine apart, regardless of the anti-tampering sticker on it. Taking it apart gave us a real shock.

Inside the machine there was only a small industrial control board, a few heating wires, a small power supply, and some bricks, with powerful fans on both sides of the chassis.

▼ Here, A did not agree to the use of the picture of his mining machine. Please imagine the scene yourself based on this diagram.

Needless to say, Mr. A was cheated. I have to say that the scammer has a very rich imagination. The bricks in the case are counterweights, and the heating wires are evidently there to generate heat so that you think the machine is working. Just flash the system onto the industrial control board, add a power supply, and you're done.

Puzzled

Mr. A thought he had been careful enough, because he went through a second-hand trading platform and waited a week before confirming receipt of the goods.

A long time ago, there was a scam that tricked you into buying cloud computing power or so-called "mining machines." In fact, they could not mine at all. You could only connect to the so-called "mining pool" provided by the scammers, which would show you some computing power and give you some coins every day, saying that it was mining income.

The computing power is just a number on a website set up by the scammers. The "income" is actually a small part of the coins you paid for the cloud computing power or mining machines, which the scammers transfer back to you. Once enough people have been deceived, the scammers run away with the money. The most famous scam of this type is "Snail Star".

This scam is actually easy to detect, as long as you insist on being able to mine in a third-party mining pool. Third-party mining pools display the computing power fairly. Obviously, there is no real computing power in this scam, so it can be seen through.

A is aware of this scam, so he insisted that the computing power be displayed on F2Pool and the income be paid by F2Pool, which at least ensures that the computing power is real.

After my inspection, the income received by A was indeed paid from the F2Pool address, which can be checked on the chain, and the relevant mining records can also be found on F2Pool. Therefore, the computing power is real and genuine.

However, these things in the chassis cannot generate computing power. Where does the computing power come from? Mr. A confirmed again and again that no one else had touched these machines after they were received, so there was no possibility of them being swapped.

I decided to take a closer look. Since the system of this machine had been reinstalled, I asked A to find another machine.
Uncover the secrets

After some investigation, I actually found the trick, and I couldn't help but admire how smart this scammer was.

▼ This is the commonly used Ethereum mining tool lolMiner, right? I thought so at first.

▼ Check its size: it is only 48 bytes. You should know that the normal lolMiner executable file should be around 8MB.

▼ Checking the content, this lolMiner is actually a script.

How do you start mining? Use this command, right?

    ./lolMiner.exe --algo ETHASH --pool <mining pool address> --user <wallet address>.<mining machine name>

Because the lolMiner on this machine is not a real mining program but a script, the command-line parameters above are filled into the command inside the script. The command that is finally executed is actually this one:

    ssh <user>@xxx.xxx.xxx.xxx "~/lolminer/lolMiner" --algo ETHASH --pool <mining pool address> --user <wallet address>.<mining machine name>

What does this command do? It remotely logs in to the machine xxx.xxx.xxx.xxx, executes the mining program lolMiner on that remote machine, and transmits the output of the program back for local display. The mining is actually carried out on the real mining machine in the hands of the scammers.

The scammers also thoughtfully configured passwordless ssh login with a private key, making it truly indistinguishable from running the real lolMiner.

I guess friends without a certain technical foundation must be dizzy after reading this. It doesn't matter. Let's draw a picture to sort it out.

▼ Normal mining

▼ A's "mining machine"

Do you see the difference? The real mining machine in the hands of the scammer is the one that is actually mining, and the fake mining machine in the hands of A just sends an instruction to the real mining machine. This is why the real mining machine in the hands of the scammer can know A's mining account.
The real mining machines in the hands of the scammers transmit the mining logs back, and these are displayed on the fake mining machines in the hands of A, making it appear that the fake mining machines are mining.

Because the real mining machine in the hands of the scammer is mining to A's address, the mining pool displays it and pays out the income. Therefore, Mr. A thinks that the fake mining machine in his hands is mining.

Heavy bricks as counterweights, fans blowing out hot air, constantly scrolling mining logs, a genuine mining pool computing power display, and real money coming in: it is really a perfect scam!

No choice

In a word, the rookie miner has a really hard life. He has barely escaped the tiger's den when he falls into the wolf's lair. Even if the "fake mining pool" trap can be avoided, it is hard for newbies to avoid being deceived by the "fake mining machine with real computing power" scam.

Judging from the chat screenshots A sent me, the scammer was so sincere, patient in giving instructions, and replied to messages within seconds. The scammer had a very high credit score on the second-hand platform, and the price of the mining machines he sold was so favorable, more than two thousand lower than the market price.

When you get the machine, it is covered with anti-tampering stickers. If you remove them, the seller will claim with apparent justification that you have swapped the parts and will refuse a refund or exchange.

Today it's a brick, and maybe you can tell after you take it apart, but what if it's replaced with a scrapped graphics card tomorrow? You really can't tell from the outside.

Today this script is only a few dozen KB. What if someone compiles a binary file of similar size next time? Apart from reverse engineering, you really have no way of knowing whether this program is actually using your mining machine to mine, which is obviously beyond the ability of a novice.
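A static check for the case described above, where the file named lolMiner turned out to be a tiny script that hands its command line to ssh. This is an added example, not part of the original article; the 1 MB size threshold, the verdict names and the sample files are assumptions constructed for illustration, and a compiled wrapper padded to a realistic size would still pass it.

```shell
#!/bin/sh
# Added example: static triage of a file that claims to be a miner binary.
# MIN_BYTES is an assumed threshold; the article only says the real file is ~8MB.
MIN_BYTES=${MIN_BYTES:-1000000}

# classify_miner FILE: print one verdict word for FILE.
classify_miner() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    size=$(($(wc -c < "$f")))
    # First four bytes as hex: 7f454c46 is ELF, 4d5a... is a Windows PE ("MZ").
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        7f454c46|4d5a*)
            # Native code, but far smaller than a real miner: look closer.
            if [ "$size" -lt "$MIN_BYTES" ]; then echo small-binary
            else echo binary; fi ;;
        *)
            # Not native code: a text wrapper. Does it hand the work to ssh?
            if grep -Eq '(^|[^[:alnum:]_])ssh([^[:alnum:]_]|$)' "$f"; then
                echo ssh-wrapper
            else echo script; fi ;;
    esac
}

# make_samples DIR: write constructed sample files (not taken from A's machine).
make_samples() {
    # Wrapper in the style the article describes; user and 192.0.2.10 are placeholders.
    printf 'ssh user@192.0.2.10 "~/lolminer/lolMiner" "$@"\n' > "$1/fake_lolMiner"
    printf '#!/bin/sh\nexec ./real_miner "$@"\n' > "$1/local_wrapper"
    # ELF magic followed by padding: one tiny file, one plausibly sized.
    printf '\177ELF' > "$1/tiny_elf"
    { printf '\177ELF'; dd if=/dev/zero bs=1024 count=2048 2>/dev/null; } > "$1/big_elf"
}

d=$(mktemp -d)
make_samples "$d"
for name in fake_lolMiner local_wrapper tiny_elf big_elf; do
    printf '%-14s %s\n' "$name" "$(classify_miner "$d/$name")"
done
rm -rf "$d"
```

A verdict of `binary` only says the file looks like native code of plausible size; it does not show that the program mines on the local graphics cards.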
Even if you flash your own system, you have no comeback if they say the machine is only compatible with the system provided. After all, mining machine configurations vary greatly, and it is normal for system incompatibility to require additional debugging.

You only have 10 days. If they fool you for 10 days, the money will be in the hands of the scammers, and they can simply shut down the real mining machine and run away.

The scammer who sold the mining machines to Mr. A has now disappeared. He doesn't reply to messages or answer calls, and even his address is fake.

Implications

In this impetuous environment, everyone dreams of getting rich overnight, and scammers take advantage of this. When you think you are profitable, be sure to ask yourself three questions:
If A had not been overconfident, but had learned more about the mining circle, or tried one or two machines before purchasing a large number of them, or found a third party to check the mining machines, would he have been cheated?

The first thing many friends say when they add me on WeChat is: Teacher Li, is there any group I can learn from?

This reminds me of when I was a kid: I bought a lot of exercise papers, thinking that if I bought them, I would be able to do them and get high scores.

Is it really useful to join a lot of messy groups? We live in an age of information overload. What you need to do is find real and useful information in the massive amount of junk information, instead of immersing yourself in more junk information and imagining that you are also a great person.

Would information of great value appear in a group of hundreds of strangers? Even if a piece of information was originally valuable, does it still have value after appearing in such a group?

The essence of business is information asymmetry. For information that is well known to all, where is the information asymmetry? Where is the value?

Not to mention that there are all kinds of scams in the groups. A met a scammer in a group and was then deceived.

Prompted by A being cheated, I wrote several thousand words without realizing it. The scam is still going on. If you are also a victim of the scam, please share your experience to prevent more people from being victimized.