Cryptocurrencies, 51% and a Look at the Future of Botnets

This week saw two relatively large cryptocurrencies get hit by so-called 51% attacks, leading to millions of dollars' worth of stolen coins and heavy crashes in cryptocurrency valuations overall. In this briefing we will take a look at the attacks experienced by Verge and Bitcoin Gold, what 51% attacks are, and how they are likely to affect how botnets (centrally managed collections of compromised computers) are monetized in the near future.


What is a 51% attack?

The core challenge of all cryptocurrencies is how to verify a transaction without a central arbitrator. In traditional financial networks, this role is taken on by the bank or the payment processor (e.g. PayPal). The central arbitrator tracks and manages all transactions and can thus make the ultimate decision on who owns what assets. If necessary, this decision may be challenged in courts.

Cryptocurrencies aim to eliminate the need for a central authority. To do so, various mechanisms have been designed and adapted. However, virtually all major current cryptocurrencies rely on some form of consensus between all participants in the network. In most of those implementations, consensus is defined as “what 51% of miners believe”.

Since miners perform the actual cryptographic calculations that authenticate the blocks the currency is based on, and since mining power represents a substantial investment, this approach is very reasonable as long as the mining power is split among many individuals.


Centralization vs. Decentralization

The original idea behind consensus-based blockchains was that if millions of people across the world were to mine for coins, it would be virtually impossible to convince all of them to agree to make bad transactions such as spending the same coin twice. After all, such transactions would be against their self-interest.

However, the large financial incentives associated with cryptocurrency mining have led to more and more mining power being controlled by fewer and fewer individuals. For example, 75% of Bitcoin mining power is split between merely 6 mining pools, and in 2014 a pool named briefly controlled 51% of all mining power by itself.

The situation is even more dire for smaller coins with significantly less total mining power. The smaller the currency is, the less investment is required by an attacker to gain control of 51% of mining power and take over the currency. Once 51% control is achieved, transactions can be blocked, doubled or potentially redirected. The payoff is thus very large from an attacker’s perspective.


51% and Organized Crime

Monetizing compromised computers has always been a tricky challenge for criminals. While personal and financial information may be stolen, doing so is somewhat tedious and yields limited financial gain while requiring sophisticated money-laundering structures in the process.

The rise of cryptocurrencies at first led to the widespread adoption of ransomware and mining malware. Extorting victims for money in exchange for access to their data greatly simplified monetization strategies for attackers. Malware that directly mines cryptocurrencies for the criminals is an even more streamlined process. However, abusing victim machines in 51% attacks may result in significantly greater payoffs.

Tens of thousands of PCs infected by malware contain tens of thousands of CPUs (central processing units) and thousands of GPUs (graphics processing units). This amount of mining power is enough to overwhelm many smaller cryptocurrencies with only a few thousand miners. Once the attacker gains 51% control of the network, he or she can duplicate transactions and exchange the “forged” coins into more stable currencies before the attack is detected and the minor currency crashes.

The profits can then be invested to buy access to even more compromised machines or to directly purchase mining power on legitimate exchanges like NiceHash. Such increased mining power could then be used to attack a slightly larger cryptocurrency in the same way.

A determined, technically versed attacker might thereby leverage a moderately sized botnet into profits much larger than what he or she could currently expect.



Cryptocurrencies continue to affect how criminals monetize compromised computers. While so far the most common adaptations are ransomware and mining malware, abusing botnets to stage 51% attacks may prove more profitable to attackers in the near future.

The more profit can be extracted from a hack, the more resources can be invested into the hack by criminals. As novel ways to monetize compromised computers - through cryptocurrencies or otherwise - are developed, we will therefore see upticks in outbreaks of malware and targeted attacks.

We advise all organizations and private individuals to remain vigilant and employ antivirus software in combination with common sense to protect themselves and their machines from attackers as the criminal marketplace continues to develop.