Resources Blog I Am A Serial Cryptominer: An Open Letter to Software ...

I Am A Serial Cryptominer: An Open Letter to Software Developers

Gluttony: (Latin: gula, derived from the Latin gluttire meaning "to gulp down or swallow") means over-indulgence and over-consumption of food, drink, or wealth items. In Christianity, it is considered one of the seven deadly sins if the excessive desire for food causes it to be withheld from the needy.


Dear Developer,

As speed to market beckoned, I was there for you.  You needed to develop faster, so I released my code as open source for you to drink.  You needed to deploy without hesitation, so I released my applications in easy to consume containers on which you could binge.  I have continuously quenched your quest for velocity.  Like 1989's  Young MC , in his breakout hit,  Bust a Move,  I've been chanting, "y ou want it, I got it ."

The path to today has been so good and so easy, you are now addicted to me.  You consume at will.  The taste is so sweet, you only crave more.  When something as good as open source based development and containerization comes along it’s hard not to over indulge.  I mean, just think about — why would anyone ever want to write anything from scratch when you’re free to borrow pre-assembled component parts  and containers from a community of respected developers?  

My open source components are now being consumed in the billions.  Your gluttony measures in at 87 billion download requests for java components last year.  Your gluttony weighs in at more 250 billion javascript downloads.  Your gluttony is exposed in more than 12 billion Docker container pulls.  Your thirst is unbridled.  Efficiency is off the charts.  You love it.  I love it.

Some would argue that you are over-indulging, but I say they just don't know you like I do.  They don't recognize your need to build, to deploy, to grow.  Believe me, I understand.  At this scale and efficiency, we're never going back.  But just as I serve you so freely, I too need something. And it (kind of) won't cost you a dime.  I just need a little portion of your CPU.  So little in fact, you won't even notice that I am here.

For example, in May 2017, I started with a new Docker Hub account.  I simply added a couple of popular application images up there to make it easier for you to deploy them.  As of today, I've served 5 million requests.  I have helped some people, and they have helped me.  With a little help from my friends, this one adventure has netted my cryptocurrency mining business USD $90,000 as I exploited known deserialization vulnerabilities in applications like Jenkins.  Even though "the man" has since removed my images from Docker Hub preventing others from joining us, I appreciate the working relationship that you and I have built.  We'll continue to prosper together (even if you've removed those images from your prod environment).

Screen Shot 2018-06-14 at 9.52.32 AM

As cravings continued, I helped a little more.  A few more folks noticed me back in December 2017 when I was borrowing your CPU for mining cryptocurrency using your vulnerable instances of the Struts web application framework -- yes, the same one implicated in the Equifax heist (but that wasn't me -- I promise).  They called me a "Zealot" then, and our open source vulnerability entwined journey netted me about USD $10,000.

I am so thankful to those organizations out there who continue to deploy vulnerable Struts instances in their public domains.  Last month Fortune magazine featured thousands of you who still rely on those versions. Sonatype highlighted the scale of my market opportunity earlier this Spring as it counted over 80,000 vulnerable Struts downloads every month over the past year. Thanks to your efforts, I can quickly deploy my mining operations across thousands of web applications.

Screen Shot 2018-06-14 at 11.43.28 AM

Another time you may have noticed me was in February 2018.  Around that time, I borrowed the credentials of an npm core contributor to help me get in touch with more of you.  I offered 11,000 of you free JavaScript packages with my Monero cryptominer tagging along, until "the man" shut me down after 36 hours.  I won't say how much I have profited since then, but I'll say that we make a good team.

That partnership worked so well that later that month, I exploited a vulnerability in Jenkins, a popular open source CI tool, to make $3 million by mining Monero.  You made your vulnerable Jenkins X instances so easy to find using Shodan, I could hardly resist. As they say, "teamwork makes the dream work".

Simon Mainwaring once quipped, "Gluttony might be innocuous were it not for the fact that gluttons tend to disregard whether their self-serving behaviors harm anyone else. We don't need to look far and wide to find examples of gluttonous behavior, as they are numerous throughout the history of capitalism."

To that end, eat, drink, and be merry.  We all need to make a living.  Right?

Yours truly,

Hack Overflow


Written by Hack Overflow