ASIC Miner Malware: The Threat Nobody Talks About
Your ASIC miner is a computer. It runs Linux, connects to the internet, has an SSH server, and often ships with default credentials. It is also, by design, connected to something extremely valuable: your Bitcoin mining rewards. This makes it a target. And unlike your laptop or phone, your miner has no antivirus software, no automatic security updates, no app store with vetted software, and often no firewall between it and every other device on your network.
ASIC miner malware is not theoretical. It is not rare. It is a documented, persistent, and growing threat that has been circulating in the mining ecosystem since at least 2018. The most common attack is brutally simple: compromised firmware silently modifies your pool configuration to redirect a percentage of your hashrate — typically 1-5%, sometimes up to 50% — to an attacker’s wallet. You keep mining. Your dashboard looks normal. But a portion of every hash you compute lines someone else’s pockets. And the worst variants do not stop there — they scan your local network for other miners, exploit SSH with default passwords, and spread laterally until every miner on your LAN is compromised.
The problem is compounded by how miners are typically deployed. Home miners plug in a machine, configure their pool, and forget about it. They run default passwords on SSH because the web interface works fine and who would bother hacking a miner? They buy used hardware from marketplace sellers and connect it straight to their home network without verifying firmware integrity. They download firmware updates from the first Google result without checking the domain. Every one of these behaviors is an open invitation.
This guide is the definitive resource for understanding, detecting, preventing, and removing ASIC miner malware. We cover every major attack vector, provide step-by-step detection procedures, walk through complete malware removal for both Antminer and Whatsminer platforms, and lay out the network security architecture that makes reinfection virtually impossible. Whether you are running a single S9 space heater or a fleet of S21s, your miners need the same security discipline you apply to your Bitcoin wallet — because ultimately, they are guarding the same thing.
D-Central Technologies has been repairing, reflashing, and securing ASIC miners since 2016. Our repair facility in Laval, Quebec has processed 2,500+ miners, and a significant percentage of those arrive with compromised firmware — often without the owner’s knowledge. We have reverse-engineered malware payloads, traced hijacked hashrate to attacker pools, and developed internal procedures for guaranteed clean firmware restoration through our ASIC repair service. Every miner that leaves our facility ships with verified stock firmware, changed credentials, and security hardening applied. If any section of this guide exceeds your comfort level, our team handles malware removal daily: 1-855-753-9997.
Difficulty: Intermediate to Advanced — Requires familiarity with your miner’s web interface, basic networking concepts, and command-line comfort for some detection and removal procedures.
Time Required: 1–3 hours for a complete audit and cleanup of a single miner. Network-wide security hardening may take a full afternoon depending on your setup.
How ASIC Miner Malware Works
Understanding the attack is the first step to defending against it. ASIC miner malware exploits the fundamental architecture of these machines: they are single-purpose Linux computers with network connectivity, SSH access, and direct control over where mining rewards are sent. An attacker who gains control of the firmware gains control of the revenue stream.
Attack Vectors
There are four primary ways malware gets onto your miner. Each requires a different defense strategy:
1. Network-Based Exploitation (The SSH Worm). This is the most common and most dangerous vector. The attacker — or more precisely, an already-infected miner — scans IP ranges for devices with open SSH on port 22. When it finds a miner, it attempts login using default credentials (root / root for Antminer, or other known defaults). If login succeeds, the malware copies itself to the target, modifies the firmware to redirect hashrate, and begins scanning for the next victim. The entire process takes seconds and requires zero human interaction. One infected miner on your LAN can compromise every other miner within minutes.
2. Firmware Supply Chain Compromise. Trojaned firmware files are distributed through fake download sites that impersonate Bitmain, MicroBT, or third-party firmware projects. The firmware looks legitimate, installs normally, and operates your miner as expected — except it includes a hidden payload that redirects a percentage of hashrate to the attacker’s pool. Some sophisticated variants even modify the web interface to display your legitimate pool address while the miner actually alternates between your pool and the attacker’s pool.
3. Pre-Infected Hardware. Miners purchased from untrusted sellers — especially used hardware from marketplaces, liquidation sales, or anonymous sellers — may arrive with malware already installed. The previous owner may have been infected without knowing, or worse, the seller may have intentionally installed compromised firmware. The miner appears to work perfectly, and if you never audit the firmware, you will never know a cut is being taken.
4. Physical/Local Access. Less common for home miners, but relevant in shared hosting environments: someone with physical access to your miner can insert a malicious SD card (see our SD card firmware recovery guide for clean flashing procedures), use the reset button to restore a compromised firmware image, or connect via USB to flash modified software. This is primarily a concern for colocation/hosted miners.
Attack Vector Comparison
| Attack Vector | Risk Level | Requires | Speed of Spread | Primary Defense |
|---|---|---|---|---|
| SSH Network Worm | Critical | Default SSH credentials on any miner | Minutes (automatic) | Change passwords, VLAN isolation |
| Fake Firmware Download | High | User downloads from wrong source | Single miner (manual) | Verify download source & checksums |
| Pre-Infected Hardware | Medium | Buying from untrusted seller | Single miner (pre-existing) | Clean flash before connecting to network |
| Physical/Local Access | Low | Physical access to device | Single miner (manual) | Physical security, monitoring |
What Compromised Firmware Does
Once malware is installed, it typically performs some or all of these actions:
- Hashrate redirection: The primary payload. The firmware adds a hidden pool configuration that points to the attacker’s wallet address. This can be implemented as a permanent redirect (all hashrate to attacker), a time-split (mine for attacker X% of the time), or a stratum proxy that selectively forwards high-difficulty shares to the attacker’s pool while passing low-difficulty shares to your pool — making the theft nearly invisible in your pool dashboard
- Web interface spoofing: Advanced variants modify the web UI to display your configured pool settings while the actual mining process uses different settings. You log in, see your pool URL and worker name, and everything looks correct — but the underlying cgminer or bmminer process connects elsewhere
- Network scanning & propagation: The malware scans local network ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12) for other miners with open SSH ports. It attempts default credentials and copies itself to any accessible machine. This is how one compromised miner becomes twenty compromised miners overnight
- Persistence mechanisms: The malware modifies startup scripts, cron jobs, or firmware partitions to survive reboots. Simply changing your pool configuration through the web interface does not help — the malware rewrites it on the next boot cycle
- SSH credential locking: Some variants change the SSH password and install the attacker’s SSH public key, locking the legitimate owner out of command-line access while maintaining the malware’s ability to update itself remotely
- Watchdog processes: Dedicated processes that monitor for cleanup attempts. If you kill the malware process or edit the configuration file, the watchdog restarts it within seconds
A single infected miner on your network can compromise your entire fleet in under 10 minutes. The SSH worm variants are fully automated — they do not require human action after the initial infection. Never connect a used or untrusted miner to your mining network without first performing a clean firmware flash on an isolated network. Think of every unverified miner as a loaded weapon pointed at your infrastructure.
Types of ASIC Miner Malware
ASIC miner malware has evolved significantly since the first known variants appeared around 2018-2019. What started as simple configuration file modifications has grown into sophisticated, persistent, and self-propagating threats. Here are the major categories.
Hashrate Hijacking Malware
The most common type. The malware’s entire purpose is to redirect mining revenue to the attacker. Implementation varies in sophistication:
- Simple pool swap: Replaces your pool configuration entirely. Easy to detect — just check your miner’s pool settings
- Percentage split: Mines to the attacker’s pool for a percentage of time (often 2-5%). Hard to detect because your pool stats show almost the expected hashrate. You lose 5% and attribute it to normal variance
- Share-level theft: The most sophisticated variant. A stratum proxy intercepts the communication between your miner and your pool. High-value shares (those that contribute more to finding a block) are selectively forwarded to the attacker’s pool, while routine shares go to yours. Your reported hashrate looks correct, but your effective contribution — and earnings — are diminished
- Dev fee hijacking: Targets miners running third-party firmware that includes a developer fee (like Braiins OS+ or VNish). The malware modifies the dev fee destination to the attacker’s address instead of the legitimate developer. The firmware operator loses revenue they are owed, and the user may never notice since they expected some hashrate to go elsewhere anyway
Network-Propagating Worms (hAnt / Antminer Virus)
Named after the notorious hAnt malware family first widely reported in 2019, these are the most destructive category. The malware does not just infect one miner — it actively hunts for others. The typical infection chain:
1. Initial infection via compromised firmware download, SSH brute force, or pre-infected hardware
2. Malware scans the local network for devices with open port 22 (SSH), port 80/443 (web interface), and Antminer-specific API ports
3. Attempts login with a database of default credentials: root:root, root:admin, admin:admin, and manufacturer-specific defaults
4. On successful login, uploads the malware payload via SCP or wget from a command-and-control server
5. Modifies startup scripts on the new victim to ensure persistence
6. The newly infected miner begins scanning for additional targets
Early hAnt variants were crude — some even displayed a ransom message demanding Bitcoin payment and threatening to “burn” the miner’s hardware (an empty threat, since firmware cannot damage ASIC chips). Modern variants are silent and stealthy, designed for long-term passive revenue extraction rather than extortion.
Fake Firmware Trojans
These are not worms — they do not spread on their own. Instead, they rely on miners downloading and manually installing compromised firmware files. The distribution channels:
- Fake manufacturer websites: Domain names like bitmain-firmware.com, antminer-download.net, or subtly misspelled variations of legitimate sites
- Forum/chat links: Posted in Telegram groups, Discord servers, Reddit threads, or mining forums — often by accounts that appear helpful and knowledgeable
- SEO poisoning: Fake firmware sites optimized to appear in search results for queries like “Antminer S19 firmware download” or “Whatsminer M30 latest firmware”
- Fake “custom firmware” projects: Promising overclocking capabilities, efficiency improvements, or removed dev fees. The firmware works — but it includes a hidden payload
The trojaned firmware installs and operates normally. Your miner hashes, reports to your pool, and shows correct temperatures. The only difference is the hidden configuration that siphons a percentage of your work to the attacker. Some even pass basic integrity checks by only activating the payload after a delay period (days or weeks after installation), making it harder to associate the infection with the firmware change.
Supply Chain Compromise
This category covers miners that arrive already infected. Sources include:
- Used hardware marketplaces — miners that were infected during their previous deployment and never cleaned
- Liquidation/wholesale lots — bulk hardware from failed operations, potentially compromised
- Shady resellers — intentionally installing compromised firmware before shipping
- Refurbished units — hardware that was “refurbished” with modified firmware
- Manufacturing interception — in rare cases, compromise during transit from factory to buyer
ASIC Malware Family Overview
| Malware Type | Self-Propagating | Persistence | Detection Difficulty | Revenue Impact |
|---|---|---|---|---|
| Simple Pool Swap | No | Low — config file only | Easy | 100% hashrate stolen |
| Percentage-Split Hijack | No | Medium — startup scripts | Moderate | 2-20% hashrate stolen |
| Share-Level Proxy | No | High — firmware-level | Hard | 5-30% effective loss |
| SSH Network Worm | Yes — automatic | High — firmware + cron | Moderate | 2-100% per miner |
| Fake Firmware Trojan | No | Very High — full firmware | Hard | 2-50% hashrate stolen |
| Supply Chain Pre-Install | Varies | Very High — full firmware | Hard without audit | Varies |
Signs Your Miner Is Infected
Malware authors are increasingly sophisticated about hiding their tracks. A well-designed payload operates below the noise floor of normal mining variance. That said, no infection is perfectly invisible — especially if you know what to look for. These are the indicators of compromise, ranked from most obvious to most subtle.
Obvious Indicators
- Unknown pool addresses in configuration: Log into your miner’s web interface and check all three pool slots. If you see a pool URL or worker name you did not configure, your miner is compromised. Pay special attention to Pool 2 and Pool 3 — malware often leaves your Pool 1 intact and inserts attacker pools in the backup slots
- Cannot access SSH / password changed: If your known SSH credentials no longer work but the miner is otherwise operational, malware may have changed the password to lock you out
- Miner configuration resets after changes: You change the pool settings through the web interface, save, reboot — and the old (malicious) settings come back. This is a classic sign of persistent malware overwriting your configuration on boot
- Ransom screen or unusual messages: Early hAnt variants displayed a ransom message. While modern malware is typically silent, any unexpected message on the web interface is a red flag
Subtle Indicators
- Hashrate slightly below expected: Your S19j Pro should average 100 TH/s but consistently reports 95-97 TH/s at the pool. You chalk it up to chip degradation, ambient temperature, or bad luck — but a 3-5% deficit sustained over weeks is exactly what a percentage-split hijack looks like
- Pool-reported hashrate lower than miner-reported: The miner’s web interface shows 100 TH/s, but your pool dashboard reports 92 TH/s average. Some variance is normal, but a persistent gap beyond 5% over 24+ hours warrants investigation
- Unusual network activity: Your miner should only communicate with your configured pool’s IP addresses. If network monitoring shows connections to unknown IPs — especially on port 3333, 8332, 8333, or 25 — that is suspicious
- High outbound connection count: A healthy miner maintains 1-3 pool connections. If your miner has dozens of active connections, especially to addresses on your local subnet on port 22, it is scanning for other miners to infect
- Unexplained reboots: If the miner reboots at odd hours (often during low-monitoring periods), malware may be updating itself, cycling between your pool and the attacker’s pool, or attempting to hide its network scanning activity
- Unexpected DNS queries: Malware may resolve command-and-control domains, pool domains, or use DNS as a covert communication channel. If your DNS logs show your miner resolving domains unrelated to your configured pool, investigate
Detection Methods: Auditing Your Miners
Suspicion is not enough — you need systematic detection procedures. Here is how to audit your miners for compromise, from the simplest checks to deep firmware analysis.
1. Pool Configuration Audit
Start with the most basic check: verify that your miner is mining where you told it to mine.
Web interface method: Log into your miner’s web interface (typically http://MINER_IP). Navigate to the pool configuration page (Miner Configuration on Antminers, Pool Settings on Whatsminers). Verify all three pool slots contain only URLs and worker names you configured. Check for:
- Unknown pool URLs in any slot
- Your worker name with subtle modifications (extra characters, different suffix)
- Pool URLs using IP addresses instead of domain names (legitimate pools use domains; attackers often hardcode IPs to avoid DNS monitoring)
- Unusual port numbers that differ from your pool’s documented ports
SSH method (Antminer): The web interface can be spoofed by malware. SSH access gives you the actual running configuration:
Check running pool configuration (Antminer)
```bash
# SSH into the miner (default: root / root)
ssh root@MINER_IP

# Check bmminer configuration file directly
cat /config/bmminer.conf

# Check running process arguments
ps | grep bmminer

# Look for any pool configuration in all config files
grep -r "stratum" /config/ /tmp/ /etc/

# Check for cron jobs that may reset configuration
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
```
Compare the pools listed in /config/bmminer.conf against what the web interface displays. If they differ, your web interface is being spoofed by malware.
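The checklist above can be applied mechanically to the file itself. The following is an added example, not part of the original guide or any vendor tooling: it assumes bmminer.conf uses the cgminer-style JSON layout with one "url" and one "user" key per pool slot, and the pool hosts, ports and worker name are placeholders to replace with your own.

```bash
# Added example: audit the pool slots of a bmminer.conf against what you configured.
# The three EXPECTED_* values are placeholders, not real pool details.
EXPECTED_HOSTS="stratum.mypool.example backup.mypool.example"
EXPECTED_PORTS="3333 443"
EXPECTED_WORKER="myaccount.s19-01"

# Constructed sample config (cgminer-style JSON layout is an assumption).
sample_conf() {
cat <<'EOF'
{
"pools" : [
{
"url" : "stratum+tcp://stratum.mypool.example:3333",
"user" : "myaccount.s19-01",
"pass" : "x"
},
{
"url" : "stratum+tcp://203.0.113.45:3333",
"user" : "myaccount.s19-01",
"pass" : "x"
},
{
"url" : "stratum+tcp://backup.mypool.example:8888",
"user" : "myaccount.s19-01x",
"pass" : "x"
}
],
"api-listen" : true
}
EOF
}

# audit_pools: reads a config on stdin and prints one finding per line:
#   SLOT <n> <CODE> <detail>
# No output means every slot matched the expected values.
audit_pools() {
  awk -v hosts="$EXPECTED_HOSTS" -v ports="$EXPECTED_PORTS" -v worker="$EXPECTED_WORKER" '
  function value(line,   v) {
    v = line
    sub(/^[^:]*:[ \t]*"/, "", v)      # strip the key and the opening quote
    sub(/"[ \t]*,?[ \t]*$/, "", v)    # strip the closing quote and comma
    return v
  }
  BEGIN {
    n = split(hosts, h, " "); for (i = 1; i <= n; i++) okhost[h[i]] = 1
    n = split(ports, p, " "); for (i = 1; i <= n; i++) okport[p[i]] = 1
  }
  /"url"[ \t]*:/ {
    slot++
    url = value($0)
    if (url == "") next               # unused slot
    hp = url
    sub(/^[a-z0-9+]*:\/\//, "", hp)   # drop the stratum+tcp:// scheme
    sub(/\/.*$/, "", hp)              # drop any path
    host = hp; port = ""
    if (hp ~ /:[0-9]+$/) {
      port = hp; sub(/^.*:/, "", port)
      sub(/:[0-9]+$/, "", host)
    }
    host = tolower(host)
    if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print "SLOT", slot, "IP_LITERAL", host
    else if (!(host in okhost)) print "SLOT", slot, "UNKNOWN_HOST", host
    if (!(port in okport)) print "SLOT", slot, "UNEXPECTED_PORT", port
  }
  /"user"[ \t]*:/ {
    user = value($0)
    if (user == "") next
    if (user != worker) print "SLOT", slot, "WORKER_MISMATCH", user
  }'
}

# Demo on the constructed sample. Against a real miner:
#   ssh root@MINER_IP cat /config/bmminer.conf | audit_pools
sample_conf | audit_pools
```

Run it against the file read over SSH rather than values copied from the web interface, since the web interface is the part that can be spoofed.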
2. Network Traffic Analysis
The most reliable detection method. Malware can spoof the web interface, it can lie about configuration files, but it cannot hide the actual network connections it makes. If your miner is sending hashrate to an attacker’s pool, those packets must traverse your network.
Monitor miner network connections from the miner via SSH
```bash
# List all active network connections on the miner
netstat -tunap

# Alternative: list established connections with process info
netstat -tunap | grep ESTABLISHED

# Look specifically for mining-related ports (stratum)
netstat -tunap | grep -E ':3333|:8332|:8333|:25|:443'

# Count outbound connections to different IPs
netstat -tunap | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
```
A healthy miner should show established connections only to your configured pool’s IP addresses. Resolve your pool’s domain name separately (using nslookup stratum.mypool.com) and verify the IPs match. Any connections to unknown IPs on stratum ports are indicators of compromise.
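The comparison described above can be scripted so it gives the same answer every time. This is an added example, not code from the original guide: the pool IP allowlist is a placeholder and the netstat output is constructed. It also reports connections to port 22 that are still in SYN_SENT, which a filter on ESTABLISHED alone would miss.

```bash
# Added example: classify a miner's netstat output against a pool IP allowlist.
# POOL_IPS is a placeholder; fill it with the addresses your pool domain resolves to.
POOL_IPS="198.51.100.10 198.51.100.11"

# Constructed sample of `netstat -tunap` output from a miner at 192.168.1.100.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      498/lighttpd
tcp        0      0 192.168.1.100:51234     198.51.100.10:3333      ESTABLISHED 733/bmminer
tcp        0      0 192.168.1.100:51240     203.0.113.45:3333       ESTABLISHED 733/bmminer
tcp        0      1 192.168.1.100:40112     192.168.1.101:22        SYN_SENT    901/sh
tcp        0      1 192.168.1.100:40113     192.168.1.102:22        SYN_SENT    901/sh
tcp        0      0 192.168.1.100:22        192.168.1.10:55012      ESTABLISHED 940/dropbear
EOF
}

# analyze_netstat: reads netstat output on stdin and prints
#   UNKNOWN_REMOTE <ip:port> <process>   established outbound, not a pool IP
#   SSH_OUT <ip> <state> <process>       outbound attempt to port 22, any state
#   SUMMARY ssh_targets=<n> unknown_remotes=<n>
analyze_netstat() {
  awk -v pools="$POOL_IPS" '
  BEGIN { n = split(pools, p, " "); for (i = 1; i <= n; i++) pool[p[i]] = 1 }
  $1 !~ /^tcp/ { next }                  # skip headers and UDP sockets
  {
    lport = $4; sub(/^.*:/, "", lport)
    rip = $5;   sub(/:[^:]*$/, "", rip)
    rport = $5; sub(/^.*:/, "", rport)
    if ($6 == "LISTEN") { listen[lport] = 1; next }
    c++; L[c] = lport; RI[c] = rip; RP[c] = rport; ST[c] = $6; PR[c] = $7
  }
  END {
    for (i = 1; i <= c; i++) {
      if (L[i] in listen) continue       # inbound to a local service (admin SSH, web UI)
      if (RP[i] == "22") {
        print "SSH_OUT", RI[i], ST[i], PR[i]
        if (!(RI[i] in seen)) { seen[RI[i]] = 1; targets++ }
      } else if (ST[i] == "ESTABLISHED" && !(RI[i] in pool)) {
        print "UNKNOWN_REMOTE", RI[i] ":" RP[i], PR[i]
        unknown++
      }
    }
    print "SUMMARY", "ssh_targets=" (targets + 0), "unknown_remotes=" (unknown + 0)
  }'
}

# Demo on the constructed sample. Against a real miner:
#   ssh root@MINER_IP netstat -tunap | analyze_netstat
sample_netstat | analyze_netstat
```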
From your router/firewall: If your router supports connection logging or you have a dedicated firewall, monitor all traffic from your miners’ IP addresses. Capture destination IPs and ports. Cross-reference every destination against your known pool addresses.
Monitor miner traffic from another machine on the network (Linux/macOS)
```bash
# Monitor all traffic from a specific miner IP using tcpdump
# (run this on a machine that can see network traffic, e.g., your router or a mirrored port)
sudo tcpdump -i eth0 host 192.168.1.100 -nn

# Filter for stratum/mining traffic only
sudo tcpdump -i eth0 host 192.168.1.100 and '(port 3333 or port 8332 or port 8333 or port 25 or port 443)' -nn

# Capture to file for analysis
sudo tcpdump -i eth0 host 192.168.1.100 -w miner_traffic.pcap

# Check for SSH scanning (miner connecting to port 22 on other hosts)
sudo tcpdump -i eth0 src host 192.168.1.100 and dst port 22 -nn
```
If you see your miner making outbound connections to port 22 on other IP addresses — especially sequential IPs on your local subnet — that miner is infected with a network-propagating worm and is actively attempting to spread. Disconnect it from the network immediately. Do not pass go. Do not wait until tomorrow. Unplug the Ethernet cable now, then proceed to the malware removal section of this guide.
3. Firmware Hash Verification
If you have access to a known-good firmware image, you can compare it against what is currently running on your miner. This is the gold standard for firmware integrity verification, but it requires technical comfort with SSH and file checksums.
Firmware integrity check (Antminer via SSH)
```bash
# Show the Bitmain public key file (if present) and the firmware build time
cat /etc/bitmain-pub.pem 2>/dev/null
cat /usr/bin/compile_time

# Generate MD5 hash of key system files
md5sum /usr/bin/bmminer
md5sum /usr/bin/cgminer
md5sum /etc/init.d/boot.sh
md5sum /etc/shadow

# List recently modified files (malware often touches these)
find / -mtime -7 -type f 2>/dev/null | head -50

# Check for suspicious scripts in startup
ls -la /etc/init.d/
cat /etc/init.d/rcS

# Look for unauthorized SSH keys
cat /root/.ssh/authorized_keys
```
If /root/.ssh/authorized_keys contains keys you did not add, an attacker has persistent SSH access to your miner regardless of password changes. If files in /etc/init.d/ have been modified recently (check timestamps against your last known firmware flash), malware may have inserted itself into the boot process.
4. Diagnostic Tool Scanning
Several tools exist specifically for detecting ASIC miner malware:
- Braiins OS+ Scanner: The BOS Toolbox includes a fleet scanning feature that can identify miners running non-standard firmware. While designed for Braiins deployment, it serves double duty as a firmware auditing tool
- Antminer Virus Checker scripts: Community-developed scripts that SSH into miners and check for known malware indicators — modified startup scripts, unauthorized SSH keys, suspicious cron entries, and known malicious file hashes
- Network scanning with Nmap: A quick network scan can reveal miners with unexpected open ports or services that indicate compromise
Network scan for suspicious miner activity (from another machine)
```bash
# Scan your mining subnet for open SSH ports
nmap -p 22 192.168.1.0/24

# More detailed scan — service versions and OS detection (OS detection needs root)
sudo nmap -sV -O 192.168.1.100

# Check for unusual open ports on a specific miner
nmap -p 1-65535 192.168.1.100

# List which SSH authentication methods each miner accepts (password vs. public key)
nmap -p 22 --script ssh-auth-methods 192.168.1.0/24
```
Network Security for Miners
Proper network architecture is your most effective defense. Even if a miner gets infected, good network segmentation prevents the malware from spreading and makes detection trivial. Most home miners skip this because it sounds complicated — but the basic setup takes 30 minutes and can be the difference between one compromised miner and a compromised fleet.
VLAN Isolation
The single most important thing you can do: put your miners on a separate network from your computers, phones, and other devices. A VLAN (Virtual LAN) creates a logical network boundary that miners cannot cross. Even if a miner is infected with a scanning worm, it can only see other devices on its VLAN — not your personal devices, NAS, cameras, or anything else.
If your router supports VLANs (most prosumer routers like UniFi, pfSense, OPNsense, MikroTik, or OpenWrt do):
1. Create a dedicated “Mining” VLAN (e.g., VLAN 10, subnet 10.10.10.0/24)
2. Assign a dedicated Ethernet port or WiFi SSID to this VLAN
3. Connect all miners to this VLAN only
4. Configure firewall rules to control what traffic can flow between the Mining VLAN and your main LAN
If your router does not support VLANs: Use a separate physical router/switch for your miners. Connect the mining router’s WAN port to your main router. This gives your miners internet access through NAT while keeping them on a completely separate subnet. Simple, effective, and requires no advanced configuration.
Firewall Rules for Mining VLANs
A properly configured firewall should enforce the principle of least privilege: miners should be able to reach only what they need, and nothing else.
Recommended Firewall Rules for Mining VLAN
| Rule | Source | Destination | Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | Mining VLAN | Pool IPs (whitelist) | 3333, 443, 8332 | ALLOW | Pool connections only |
| 2 | Mining VLAN | DNS server | 53 | ALLOW | Domain resolution for pool URLs |
| 3 | Mining VLAN | NTP server | 123 | ALLOW | Time synchronization |
| 4 | Admin PC (your IP) | Mining VLAN | 22, 80, 443, 4028 | ALLOW | SSH & web management access |
| 5 | Mining VLAN | Mining VLAN | 22 | DENY | Block miner-to-miner SSH (prevents worm spread) |
| 6 | Mining VLAN | Main LAN | ANY | DENY | Block miners from reaching personal devices |
| 7 | Mining VLAN | ANY | 22 | DENY | Block all outbound SSH from miners |
| 8 | Mining VLAN | ANY | ANY | DENY | Default deny — block everything else |
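Rule 5 is critical: it prevents an infected miner from SSH-ing into other miners on the same VLAN. Rule 7 blocks outbound SSH entirely, which stops scanning worms dead. The only SSH connections to miners should come from your admin PC (Rule 4), never from one miner to another. Keep in mind that traffic between two miners on the same VLAN is normally switched at layer 2 and never passes through the router, so enforcing Rule 5 usually requires port isolation (sometimes called private VLAN or client isolation) on the switch in addition to the router rule.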
SSH Key Management & Credential Hardening
Default SSH credentials are the single biggest enabler of ASIC miner malware. Every Antminer ships with root:root. Every person who has ever worked with a miner knows this. Every piece of mining malware tries it first.
Minimum requirements:
- Change the root password on every miner immediately after setup. Use a unique, strong password. Yes, it is tedious for a fleet — but it is the single most effective thing you can do
- Use SSH key authentication where possible: generate a keypair on your admin machine, install the public key on each miner, and disable password authentication. This makes brute-force SSH attacks impossible
- Check for unauthorized SSH keys regularly: inspect /root/.ssh/authorized_keys on your miners. If you see keys you did not add, the miner is compromised
- Do not reuse passwords across miners — if one miner is compromised and you use the same password everywhere, the attacker has access to every machine
Change SSH password on an Antminer
```bash
# SSH into the miner
ssh root@MINER_IP

# Change the root password
passwd

# Verify the change took effect — disconnect and reconnect with new password
exit
ssh root@MINER_IP
```
On many Antminer models, a firmware update resets the SSH password back to the default root:root. After every firmware update, always re-change the SSH password. On some stock firmware versions, password changes also do not survive a full reboot (the password is stored in a tmpfs that resets on boot). For persistent password changes, you may need to modify the startup scripts or use alternative firmware like Braiins OS+ which properly supports persistent credential changes.
Prevention Best Practices
Prevention is always cheaper than cleanup. These practices, applied consistently, make your mining operation resistant to the vast majority of ASIC malware threats.
Firmware Source Verification
Only download firmware from verified, official sources. Never trust links from forums, Telegram groups, random search results, or third-party aggregator sites.
Verified Firmware Download Sources
| Firmware | Official Source | Verification Method |
|---|---|---|
| Bitmain (Antminer Stock) | service.bitmain.com | SHA256 checksums on download page |
| MicroBT (Whatsminer Stock) | whatsminer.com + WhatsMinerTool | Signed firmware packages |
| Braiins OS+ | braiins.com | GPG-signed releases, SHA256 checksums |
| VNish | vnish.net | Checksums on official site |
| LuxOS | luxor.tech | Signed releases |
| D-Central Firmware Archive | d-central.tech/downloads/firmwares/ | Verified stock firmware, hosted in Canada |
Checksum verification procedure: After downloading any firmware file, calculate its SHA256 hash and compare it against the hash published by the manufacturer. If they do not match, delete the file — it has been modified.
Verify firmware file integrity
```bash
# On Linux/macOS
sha256sum firmware-file.tar.gz
```

```powershell
# On Windows (PowerShell)
Get-FileHash firmware-file.tar.gz -Algorithm SHA256

# Compare the output hash against the manufacturer's published hash
# They must be IDENTICAL — a single character difference means the file is modified
# (Get-FileHash prints uppercase hex and sha256sum lowercase; letter case alone is not a difference)
```
New Miner Isolation Protocol
Every new or used miner — without exception — should go through an isolation and verification process before being added to your production mining network.
1. Initial connection on isolated network only. Never plug a new/used miner directly into your mining LAN. Use a separate switch connected to a standalone router, or a dedicated “quarantine” VLAN
2. Power on and access the web interface. Check all pool configurations, firmware version, and SSH access
3. Flash clean firmware immediately. Even if the miner appears clean, perform a clean firmware flash from a verified source. This is non-negotiable for used hardware
4. Change all passwords. SSH root password and web interface password (if separate)
5. Check SSH authorized_keys. Remove any keys that are not yours
6. Monitor network traffic for 24 hours. Watch for unexpected outbound connections before moving to production
7. Move to production network. Only after verification, transfer to your mining VLAN
Ongoing Monitoring Discipline
- Compare pool-reported hashrate against miner-reported hashrate weekly. Track the gap over time
- Periodically SSH into miners and check pool configurations directly (do not trust the web UI alone)
- Monitor your network firewall logs for blocked outbound SSH (port 22) from miners — any attempt means infection
- Keep a record of each miner’s firmware version, last flash date, and expected hashrate. Deviations from baseline trigger investigation
- Set up automated alerts for hashrate drops beyond your defined threshold (we cover this in the monitoring system section)
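The hashrate comparison in this list, together with the "persistent gap beyond 5% over 24+ hours" indicator described earlier, can be checked with a rolling window. This is an added example, not part of the original guide: the CSV layout (hour, miner-reported TH/s, pool-reported TH/s) and the sample data are constructed for illustration.

```bash
# Added example: flag a sustained gap between miner-reported and pool-reported hashrate.
# Input on stdin: one sample per line as  hour,miner_ths,pool_ths  (layout is an assumption).

# Constructed data: 24 hours where the pool tracks the miner (99-101 TH/s),
# then 24 hours where the pool sees about 7% less (92-94 TH/s).
sample_hashrate() {
  awk 'BEGIN {
    for (h = 1; h <= 48; h++) {
      base = (h <= 24) ? 100 : 93
      printf "%d,100,%d\n", h, base + ((h % 2) ? 1 : -1)
    }
  }'
}

# gap_alerts WINDOW THRESHOLD_PCT
# Pool-side hashrate is estimated from submitted shares, so single samples are noisy.
# The mean over the last WINDOW samples is compared instead, and an ALERT line is
# printed for every sample where that windowed gap exceeds THRESHOLD_PCT.
gap_alerts() {
  awk -F, -v w="$1" -v thr="$2" '
  $2 !~ /^[0-9.]+$/ || $3 !~ /^[0-9.]+$/ { next }   # skip headers and blank lines
  {
    i = n % w                                        # slot in the circular buffer
    if (n >= w) { msum -= m[i]; psum -= p[i] }       # drop the sample leaving the window
    m[i] = $2; p[i] = $3
    msum += $2; psum += $3
    n++
    if (n < w || msum <= 0) next                     # wait for a full window
    gap = (msum - psum) / msum * 100
    if (gap > thr) printf "ALERT hour=%s gap=%.2f%%\n", $1, gap
  }'
}

# Demo: 24-sample window, 5% threshold, on the constructed data.
sample_hashrate | gap_alerts 24 5
```

On the constructed data the first alert appears at hour 42, 18 hours after the diversion starts, because the 24-hour mean has to absorb enough low samples to cross 5%.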
Removing Malware from Antminers
If your Antminer is compromised, the only reliable cleanup is a complete firmware reflash. Attempting to manually remove malware scripts is unreliable — sophisticated variants have watchdog processes, modified system binaries, and persistence mechanisms across multiple filesystem locations. A clean flash wipes everything and starts from a known-good state.
Before doing anything else, unplug the Ethernet cable from the infected miner. As long as it has network access, it may be spreading to other miners, exfiltrating data, or receiving updates from a command-and-control server. Disconnect it physically, then proceed with cleanup. If you suspect multiple miners are infected, disconnect them ALL before starting cleanup on any single machine.
Method 1: SD Card Clean Flash (Recommended)
The SD card method writes a complete firmware image to the miner’s control board, overwriting everything — including any malware persistence mechanisms. This is the most reliable method and works even if the malware has changed the SSH password or locked out web interface access.
What you need:
- A MicroSD card (2-16 GB, Class 10 or better — avoid high-capacity cards, some control boards reject them)
- A MicroSD card reader for your computer
- The correct clean firmware image for your specific miner model and control board type
- Balena Etcher or Rufus (for writing the SD card image on Windows) or dd on Linux/macOS
- An Ethernet cable (for the isolated network setup)
Step-by-step procedure:
- Download clean firmware from the official Bitmain support site (service.bitmain.com) or D-Central’s Firmware Download Center. Verify the SHA256 checksum
- Write the firmware image to the SD card. Open Balena Etcher, select the firmware image file, select the SD card, and flash. Wait for the verification step to complete — do not skip it
- Power off the miner completely. Unplug the PSU power cable. Wait 10 seconds
- Insert the SD card into the miner’s SD card slot:
  - S9: External MicroSD slot on the control board, accessible without opening the miner
  - S17/T17: External SD slot near the Ethernet port
  - S19 (Xilinx): External slot next to Ethernet port
  - S19 (BeagleBone): Internal slot — you must open the miner enclosure to access it
- Connect to your isolated network (not your production mining LAN). Use a separate router or switch
- Power on the miner. The control board will boot from the SD card and begin flashing the internal storage. Do NOT power off during this process — interrupting the flash can brick the control board
- Wait for the process to complete. This typically takes 5-15 minutes. The miner’s LEDs will flash during the process. On some models, the miner will automatically reboot when finished; on others, it will show a steady green LED
- Power off and remove the SD card. Power off the miner, remove the SD card, then power on again. The miner should boot from the freshly flashed internal firmware
- Access the web interface on the isolated network. Verify the firmware version matches the file you flashed
- Immediately change the SSH password and configure your pools
For detailed model-specific SD card procedures including control board identification and LED indicator meanings, see our Antminer Firmware Update Guide.
Method 2: Web Interface Firmware Upload
If you still have access to the miner’s web interface and the malware has not locked you out, you can flash clean firmware through the browser. This method is faster than SD card but has a limitation: if the malware has modified the web interface upload mechanism itself, the “update” may appear to succeed while actually preserving the malware. For confirmed infections, the SD card method is always preferred.
- Log into the miner’s web interface on your isolated network
- Navigate to System > Firmware Upgrade (exact path varies by firmware version)
- Select your verified clean firmware file
- Turn “Keep Settings” OFF — you want a complete clean flash, not one that preserves potentially compromised configuration
- Click Upgrade and wait for the process to complete (do not close the browser or navigate away)
- The miner will reboot automatically. Verify the firmware version, change passwords, and configure pools on the isolated network
Method 3: Braiins OS+ Toolbox (SSH-Based)
The BOS Toolbox can install Braiins OS+ over any existing Antminer firmware — including malware-compromised firmware — via SSH. This simultaneously cleans the malware and installs a superior firmware. This method requires that SSH is still accessible (default credentials or your known credentials).
Install Braiins OS+ over compromised firmware
# Download BOS Toolbox from braiins.com (verify the download source!)
# Run the installer targeting the compromised miner
./bos-toolbox install MINER_IP --user root --password root
# If the malware changed the password and you know the new one:
./bos-toolbox install MINER_IP --user root --password KNOWN_PASSWORD
# For multiple miners (batch clean):
./bos-toolbox install --batch miners.csv
After Braiins OS+ installation, immediately configure your pools and set a new SSH password through the Braiins web interface. For complete Braiins OS+ configuration, see our Braiins OS+ Setup Guide.
Removing Malware from Whatsminers
Whatsminer (MicroBT) hardware uses a different architecture and firmware update process than Antminers. Whatsminers use the WhatsMinerTool application for fleet management and firmware updates, and their firmware is digitally signed by MicroBT — which provides somewhat better supply-chain security than Bitmain’s unsigned firmware images (though it is not foolproof).
Method 1: WhatsMinerTool Clean Flash
- Download WhatsMinerTool from the official MicroBT site (whatsminer.com). Verify you are on the real site — check the domain carefully
- Download the latest firmware for your specific Whatsminer model from the official site
- Connect the compromised miner to your isolated network
- Open WhatsMinerTool and scan for the miner on your isolated network
- Select the miner in the device list
- Go to Firmware Update and select the clean firmware file
- Select “Force Update” or “Recovery Mode” if available — this overwrites all existing firmware data
- Wait for the update to complete. WhatsMinerTool will show progress and automatically reboot the miner
- After reboot: Change the web interface and API password. Configure your pools. Verify network connections before moving to production
Method 2: Hardware Reset Button
Whatsminer devices have a physical reset button on the control board. Holding it during power-on forces the miner into recovery mode, which restores the factory-default firmware from a protected partition. This is the nuclear option — it wipes everything and returns the miner to factory state.
- Power off the miner completely
- Locate the reset button on the control board (consult your model’s documentation — location varies)
- Hold the reset button and then power on the miner
- Continue holding the reset button for 10-15 seconds after power-on
- Release the button. The miner will enter recovery mode and restore factory firmware
- After the process completes (several minutes), access the web interface and reconfigure
MicroBT digitally signs Whatsminer firmware, meaning the miner’s bootloader will reject firmware that has not been signed by MicroBT. This makes fake firmware attacks significantly harder (though not impossible) compared to Antminers, where firmware is not cryptographically signed. However, this protection only applies to the initial flash — once the firmware is running, network-based attacks that modify configuration files or install additional scripts are still a threat.
Securing After Cleanup
A clean firmware flash is only half the job. If you do not harden the miner after cleanup, it will get reinfected the moment it reconnects to a network with compromised devices — or the next time someone downloads firmware from a shady link. Post-cleanup hardening is not optional.
Immediate Steps (Do These Now)
- Change the SSH password on every cleaned miner. Use strong, unique passwords. Do not use the default root:root — ever, not even temporarily
- Change the web interface password if the miner supports separate web credentials
- Remove any unauthorized SSH keys: SSH into the miner and empty /root/.ssh/authorized_keys (or replace it with only your key)
- Verify pool configuration one more time — via SSH, not just the web interface
- Document the miner’s firmware version, date of flash, and IP address for your records
- Update your router/firewall rules to block outbound SSH from the mining VLAN (Rule 7 from the firewall section)
Fleet-Wide Audit After Any Infection
If one miner was infected, you must assume others may be compromised too — especially if the infected miner had any period of network access before detection. Audit every miner on the network:
- SSH into each miner and check pool configurations against your records
- Check /root/.ssh/authorized_keys on each miner for unauthorized keys
- Compare firmware versions — if a miner’s firmware version does not match your records, it may have been overwritten by malware
- Review firewall logs for any blocked SSH scanning attempts from other miners
- If in doubt, reflash every miner. The time investment is far less than the cost of ongoing hashrate theft
Buying Used Miners Safely
Used ASIC miners are a smart way to enter Bitcoin mining at a lower cost — but they are also the highest-risk source for pre-installed malware. A used miner is a computer that ran on someone else’s network, with someone else’s firmware, for months or years. You have zero visibility into what happened during that time. Treating every used miner as potentially compromised is not paranoia — it is operational discipline.
Pre-Purchase Assessment
- Buy from reputable sources. Established companies with a physical presence, return policies, and verifiable reviews. D-Central’s shop ships every miner with verified clean firmware — we do not sell hardware we have not inspected
- Be skeptical of below-market prices. If a deal looks too good, the hardware may be stolen, damaged, or intentionally compromised to create a hashrate botnet
- Ask about firmware: Was the miner factory reset before sale? What firmware version is installed? Has it ever been flashed with third-party firmware?
- Inspect physically if possible: Look for signs of tampering — modified control boards, SD cards left in slots, unusual stickers or labels
Receiving & Inspection Protocol
When a used miner arrives, follow this procedure before it ever touches your production network:
- Physical inspection: Check for SD cards in the slot (remove any found). Inspect the control board for modifications. Look for additional USB devices or modules that should not be there
- Connect to isolated network only. Dedicated switch/router, separate from everything else
- Power on and immediately check the web interface:
  - Note the firmware version — is it a legitimate Bitmain/MicroBT version?
  - Check all three pool slots — are they empty, or configured for someone else’s pools?
  - Check the miner’s system log for unusual entries
- SSH in and check for indicators of compromise:
  - Check /root/.ssh/authorized_keys for unauthorized keys
  - Check crontab -l for suspicious scheduled tasks
  - Check netstat -tunap for unexpected connections
  - Check startup scripts in /etc/init.d/
- Flash clean firmware regardless of inspection results. Do not trust what is currently installed. Use the SD card method for maximum confidence
- After flashing: Change all passwords, configure pools, monitor network traffic for 24 hours
- Only then move to your production mining VLAN
D-Central ASIC Repair & Malware Removal
If your miner is infected and you are not comfortable performing the cleanup yourself, D-Central’s repair team handles malware removal daily. We perform complete firmware reflash, credential hardening, functional verification, and return your miner ready for clean deployment. We have processed 2,500+ miners at our facility in Laval, Quebec — malware-infected hardware is something we see regularly. We also offer pre-purchase inspection services for used hardware. Call us at 1-855-753-9997 or submit a repair request online.
Setting Up a Monitoring System
Detection is only as good as the monitoring system behind it. A properly configured monitoring setup catches infections within hours instead of weeks — the difference between losing a day’s revenue and losing a month’s.
Hashrate Monitoring
The simplest and most effective monitor: compare miner-reported hashrate against pool-reported hashrate continuously.
- Pool dashboards: Most pools provide per-worker hashrate tracking. Set up email or Telegram alerts for when any worker’s hashrate drops below a threshold (recommended: 90% of expected hashrate for more than 2 hours)
- Miner web API polling: Antminer and Whatsminer both expose JSON APIs on port 4028 (cgminer/bmminer API). A simple script can poll each miner every 5 minutes and log the reported hashrate to a database or spreadsheet. Any sudden drop triggers investigation
- Farm management tools: Braiins Farm Monitor, Foreman.mn, Awesome Miner, and Minerstat all provide fleet-wide hashrate monitoring with alerting capabilities. These are worth the investment for operations with 5+ miners
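The polling approach described above, as an added Python example that is not part of the original guide: it parses a cgminer-style `summary` reply, applies the 90%-for-2-hours rule to a series of samples, and computes the gap between miner-reported and pool-reported hashrate. The reply, the sample values, the `GHS av`/`MHS av` handling and the 3% gap threshold (taken from the FAQ's "persistent 3-5%") are assumptions; pool-side figures must come from your pool's dashboard or API.

```python
import json
import socket

API_PORT = 4028        # cgminer/bmminer API port named in the article
ALERT_RATIO = 0.90     # article's threshold: 90% of expected hashrate
WINDOW_S = 2 * 3600    # ...sustained for more than 2 hours
GAP_INVESTIGATE = 0.03 # assumed cut-off, from the FAQ's "persistent 3-5%"

def query_summary(host, timeout=5.0):
    """Send the cgminer-style "summary" command and return the raw reply bytes."""
    with socket.create_connection((host, API_PORT), timeout=timeout) as sock:
        sock.sendall(json.dumps({"command": "summary"}).encode())
        chunks = []
        while True:  # the miner closes the connection after replying
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_hashrate_ths(raw):
    """Average hashrate in TH/s from a summary reply (field name varies by firmware)."""
    # Replies are commonly terminated with a NUL byte, which json.loads rejects.
    reply = json.loads(raw.rstrip(b"\x00 \r\n").decode("utf-8", errors="replace"))
    summary = reply["SUMMARY"][0]
    if "GHS av" in summary:
        return float(summary["GHS av"]) / 1e3
    if "MHS av" in summary:
        return float(summary["MHS av"]) / 1e6
    raise KeyError("SUMMARY has no 'GHS av' or 'MHS av' field")

def sustained_drop(samples, expected_ths, window_s=WINDOW_S):
    """True if every sample in the last window_s seconds is below the alert floor.

    samples: list of (epoch_seconds, ths). Returns False until a full window
    of history exists, so a single bad poll never pages anyone.
    """
    if not samples:
        return False
    samples = sorted(samples)
    newest = samples[-1][0]
    if newest - samples[0][0] < window_s:
        return False
    floor = ALERT_RATIO * expected_ths
    recent = [ths for ts, ths in samples if ts >= newest - window_s]
    return all(ths < floor for ths in recent)

def weekly_gap(miner_daily_ths, pool_daily_ths):
    """Fraction of miner-reported hashrate the pool did not credit over the period."""
    return 1.0 - sum(pool_daily_ths) / sum(miner_daily_ths)

# Constructed sample reply in the shape a bmminer-based firmware returns.
SAMPLE_REPLY = (
    b'{"STATUS":[{"STATUS":"S","When":1700000000,"Code":11,"Msg":"Summary"}],'
    b'"SUMMARY":[{"Elapsed":86400,"GHS 5s":"95012.33","GHS av":94870.5}],"id":1}\x00'
)

if __name__ == "__main__":
    print("reported TH/s:", parse_hashrate_ths(SAMPLE_REPLY))
    # Constructed 5-minute samples: 2h10m at 80 TH/s on a miner expected at 95 TH/s.
    low = [(i * 300, 80.0) for i in range(27)]
    print("sustained drop:", sustained_drop(low, expected_ths=95.0))
    gap = weekly_gap([95.0] * 7, [91.2] * 7)
    print(f"7-day gap: {gap:.1%}", "-> investigate" if gap >= GAP_INVESTIGATE else "")
```

Because compromised firmware controls what the miner API reports, the miner-versus-pool gap is the figure to trust; the API poll alone only catches honest hardware faults.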
Automated Pool Address Verification
A script that periodically SSHes into each miner and verifies the pool configuration matches your expected settings. If a miner’s pool address changes without your action, you have an immediate indicator of compromise.
Simple pool configuration audit script (bash)
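#!/bin/bash
# Pool Configuration Audit Script
# Run this periodically (cron) to detect unauthorized pool changes
MINERS=("192.168.10.101" "192.168.10.102" "192.168.10.103")
EXPECTED_POOL="stratum+tcp://pool.example.com:3333"
SSH_USER="root"
SSH_PASS="your_password" # Use SSH keys instead in production
for MINER in "${MINERS[@]}"; do
    # StrictHostKeyChecking=no skips host key verification; pin the miners' host keys in production
    POOLS=$(sshpass -p "$SSH_PASS" ssh -o StrictHostKeyChecking=no \
        "$SSH_USER@$MINER" "grep url /config/bmminer.conf 2>/dev/null")
    if [ -z "$POOLS" ]; then
        # SSH failed or the config has no pool entries: report it instead of printing OK
        echo "ALERT: $MINER returned no pool configuration (unreachable or config missing)"
    elif echo "$POOLS" | grep -Fqv -- "$EXPECTED_POOL"; then
        # -F matches the URL as a literal string; -v selects any url line that is not the expected pool
        echo "ALERT: $MINER has unexpected pool configuration!"
        echo "Found: $POOLS"
        # Add your alerting mechanism here (email, Telegram, webhook)
    else
        echo "OK: $MINER pool config verified"
    fi
done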
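A stricter version of the same audit, as an added Python example that is not part of the original guide: it parses the pool config as JSON, checks every slot's URL and worker name against an expected set, and compares the SSH key fingerprints in authorized_keys against an allowlist, which also covers the fleet-wide audit steps listed earlier. It assumes /config/bmminer.conf uses the cgminer-style JSON layout with a `pools` array; the pool URL, worker names and keys below are constructed sample values.

```python
import base64
import binascii
import hashlib
import json
import struct

# Expected (url, worker) pairs for this fleet. Constructed values.
EXPECTED_POOLS = {("stratum+tcp://pool.example.com:3333", "myaccount.worker1")}

def audit_pools(conf_text, expected=EXPECTED_POOLS):
    """Return (slot, url, user) for every configured pool slot not in `expected`."""
    conf = json.loads(conf_text)
    findings = []
    for slot, pool in enumerate(conf.get("pools", []), start=1):
        url = str(pool.get("url", "")).strip()
        user = str(pool.get("user", "")).strip()
        if not url and not user:
            continue  # empty slot
        # The worker name decides who is credited, so the URL alone is not enough.
        if (url, user) not in expected:
            findings.append((slot, url, user))
    return findings

def key_fingerprint(line):
    """SHA256 fingerprint of one authorized_keys line, as `ssh-keygen -lf` prints it."""
    fields = line.split()
    # The key type may be preceded by options, so scan for it rather than assume field 0.
    for kind, blob in zip(fields, fields[1:]):
        if kind.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue
            digest = hashlib.sha256(raw).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unauthorized_keys(authorized_keys_text, allowed_fingerprints):
    """Return entries found on the miner that are not in the operator's allowlist."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp is None:
            found.append("UNPARSEABLE: " + line[:40])  # never silently skip a line
        elif fp not in allowed_fingerprints:
            found.append(fp)
    return found

def make_key_line(seed, comment):
    """Build a constructed ssh-ed25519 line for the demo (not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample data standing in for files read from one miner.
OPERATOR_KEY = make_key_line(1, "operator@laptop")
UNKNOWN_KEY = make_key_line(2, "unknown")
SAMPLE_AUTHORIZED_KEYS = OPERATOR_KEY + "\n" + UNKNOWN_KEY + "\n"
SAMPLE_CONF = """
{
  "pools": [
    {"url": "stratum+tcp://pool.example.com:3333", "user": "myaccount.worker1", "pass": "x"},
    {"url": "stratum+tcp://pool.example.com:3333", "user": "otheraccount.worker9", "pass": "x"},
    {"url": "", "user": "", "pass": ""}
  ],
  "api-listen": true
}
"""

if __name__ == "__main__":
    for slot, url, user in audit_pools(SAMPLE_CONF):
        print(f"ALERT: pool slot {slot} is {url} as {user}")
    allowed = {key_fingerprint(OPERATOR_KEY)}
    for entry in unauthorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(f"ALERT: unexpected SSH key {entry}")
```

Slot 2 in the sample uses the expected pool URL with a different worker name, which a URL-only grep reports as OK.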
Network Traffic Alerts
Configure your router/firewall to alert on specific traffic patterns from your mining VLAN:
- Outbound SSH (port 22) from any miner: Immediate alert — this is scanning/worm activity
- Connections to non-whitelisted IPs on stratum ports: Your miners should only talk to your pools. Any new destination is suspicious
- Unusually high connection counts from a single miner: Healthy miners maintain 1-3 connections. Dozens of connections suggest scanning
- DNS queries for unknown domains: If you run a local DNS resolver, log and monitor miner DNS queries for domains unrelated to your pools
For routers running pfSense or OPNsense, configure Suricata or Snort IDS rules to flag these patterns automatically. For simpler routers, even basic traffic logging to a syslog server gives you audit trail data for post-incident investigation.
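For the syslog route, the first three patterns can be checked with a short script. This is an added Python example, not part of the original guide; the log format (timestamp, source, destination, port, action), the VLAN range, the pool IPs and the fan-out limit of 12 are all constructed or assumed and need adapting to your firewall's real log layout.

```python
import ipaddress
from collections import defaultdict

MINER_NET = ipaddress.ip_network("192.168.10.0/24")  # mining VLAN (assumed)
POOL_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}     # constructed pool IPs
STRATUM_PORTS = {3333}                                 # stratum port used in the article
FANOUT_LIMIT = 12                                      # assumed cut-off for "dozens"

# Constructed connection log: timestamp src dst dport action
SAMPLE_LOG = (
    "2024-05-01T10:00:01 192.168.10.101 203.0.113.10 3333 allow\n"
    "2024-05-01T10:00:02 192.168.10.102 203.0.113.10 3333 allow\n"
    "2024-05-01T10:03:40 192.168.10.102 198.51.100.77 3333 allow\n"
    "2024-05-01T10:04:00 192.168.10.103 203.0.113.11 3333 allow\n"
    + "".join(
        f"2024-05-01T10:05:{n:02d} 192.168.10.103 192.168.10.{n} 22 block\n"
        for n in range(1, 15)
    )
    + "2024-05-01T10:06:00 192.168.1.20 192.168.10.101 22 allow\n"  # admin PC, not a miner
)

def parse_line(line):
    """Split one log line into typed fields; return None for anything malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, dport, action = fields
    try:
        return ts, ipaddress.ip_address(src), dst, int(dport), action
    except ValueError:
        return None

def analyze(log_text):
    """Return sorted (miner_ip, rule, detail) alerts for traffic sourced from miners."""
    ssh_targets = defaultdict(set)
    unknown_pools = defaultdict(set)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, dst, dport, _action = rec
        if src not in MINER_NET:
            continue  # only traffic that originates on the mining VLAN
        miner = str(src)
        destinations[miner].add((dst, dport))
        # Blocked attempts count too: the attempt itself is the indicator.
        if dport == 22:
            ssh_targets[miner].add(dst)
        if dport in STRATUM_PORTS and dst not in POOL_ALLOWLIST:
            unknown_pools[miner].add(dst)
    alerts = []
    for miner, targets in ssh_targets.items():
        alerts.append((miner, "outbound-ssh", f"{len(targets)} target(s)"))
    for miner, dsts in unknown_pools.items():
        alerts.append((miner, "unknown-pool", ", ".join(sorted(dsts))))
    for miner, dsts in destinations.items():
        if len(dsts) >= FANOUT_LIMIT:
            alerts.append((miner, "fan-out", f"{len(dsts)} distinct destinations"))
    return sorted(alerts)

if __name__ == "__main__":
    for miner, rule, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {miner} ({detail})")
```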
Advanced Threat Mitigation
For miners with larger operations or those who take security seriously (which should be everyone pointing hashrate at the Bitcoin network), these additional measures add defense in depth.
DNS-Based Protection
Configure your mining VLAN to use a DNS resolver that only resolves your whitelisted pool domains. All other DNS queries from miners return NXDOMAIN (domain not found). This prevents malware from resolving command-and-control servers or attacker pool addresses, even if the firmware is compromised.
Implementation: Run Pi-hole, AdGuard Home, or a custom DNS resolver on your mining network. Create an allowlist containing only your pool’s domains and any domains required for firmware updates. Block everything else.
Egress IP Whitelisting
Instead of (or in addition to) DNS filtering, create firewall rules that allow outbound connections from miners only to specific IP addresses — your pool’s known IPs. All other outbound traffic is blocked. This is the strictest possible protection: even if malware is present, it literally cannot send hashrate anywhere except your pool because the network layer blocks it.
Limitations: Pool IPs can change when pools add or remove servers. You will need to update your whitelist periodically. Most pools publish their IP ranges, or you can resolve their domains and maintain the list.
Firmware Version Pinning
Maintain a manifest of expected firmware versions for each miner. Periodically (daily or weekly), SSH into each miner and check the firmware version string against your manifest. Any unexpected change triggers investigation and potential reflash.
Physical Security Considerations
For home miners, physical security is usually not a concern — your miners are in your house. But if you colocate miners at a hosting facility, you should be aware that physical access enables firmware modification. Inquire about your host’s physical security measures, access logging, and whether they have a policy on firmware modifications.
Common Mistakes in Malware Cleanup
We see these repeatedly at our repair facility. Avoid them.
- Changing pool settings without reflashing firmware. If the malware is in the firmware, your pool settings will be overwritten on the next boot or by a watchdog process. A settings change is not a cleanup — a full firmware flash is a cleanup
- Reflashing from the web interface on a confirmed-infected miner. If the malware has modified the web interface firmware upload handler, your “update” may silently fail while reporting success. Use the SD card method for confirmed infections
- Cleaning one miner and connecting it back to the infected network. If other miners on the network are still compromised, the clean miner will be reinfected within minutes. Clean ALL miners before reconnecting any of them
- Not changing passwords after cleanup. If the malware used default credentials to get in, and you reflash but leave default credentials, the same attack vector is wide open
- Downloading “clean” firmware from unverified sources. The irony: miners get reinfected during cleanup because they download replacement firmware from a fake site. Only use official sources and verify checksums
- Trusting the web interface as proof of cleanup. Always verify via SSH after cleanup. The web interface only shows you what the firmware decides to display
- Forgetting about the SD card. If you used an SD card to flash, remove it after the process completes. Leaving it in can cause the miner to boot from the SD card instead of internal storage on subsequent power cycles, potentially causing confusion or issues
Real-World Attack: How a Typical Infection Unfolds
To make the threat concrete, here is how a typical ASIC miner malware infection plays out — based on patterns we have seen at D-Central’s repair facility.
Day 1: A miner buys a used Antminer S19j Pro from an online marketplace. Great price. The seller says it is “factory reset and ready to mine.” The buyer plugs it directly into their home network alongside their two other miners.
Day 1, hour 1: The used miner powers on. Its firmware contains a dormant network worm. The worm activates after boot, scans the local subnet (192.168.1.0/24), finds the two other miners on port 22, and attempts login with root:root. The other miners still have default credentials. Login succeeds. The worm copies itself to both miners in under 60 seconds.
Day 1, hour 2: All three miners are now running compromised firmware. The malware configures a secondary stratum connection that activates for 3% of mining time, directed to the attacker’s pool. The web interfaces on all three miners display the owner’s legitimate pool configuration — the malware intercepts the web UI rendering to hide the secondary pool.
Day 1 through Day 45: The owner mines normally. Everything looks fine. The pool dashboard shows hashrate slightly below expected, but the owner attributes it to ambient temperature or normal variance. In reality, 3% of every hash across all three miners is being sent to the attacker.
Day 45: The owner reads an article about ASIC miner malware (hopefully this one). They SSH into their miners for the first time and discover unauthorized SSH keys in /root/.ssh/authorized_keys, a suspicious cron job, and network connections to an unknown IP on port 3333.
Revenue impact over 45 days: At 3% hashrate theft across 3 miners, the attacker earned 45 days of stolen hashrate. Multiplied across potentially hundreds of victims running the same malware variant, the attacker’s botnet generates substantial passive income — all from a single used miner sold online.
The lesson: isolation and clean flash before network access. Every time. No exceptions.
Frequently Asked Questions
Can ASIC miner malware damage my hardware?
No. Despite early hAnt malware variants that threatened to “burn your ASIC” or “destroy your hardware,” this is a scare tactic. ASIC miners have hardware-level thermal protections that firmware cannot override. The firmware can increase fan speeds, modify clock frequencies, or change pool configurations, but it cannot physically damage the ASIC chips or hashboards. The worst a malware payload can do is brick the firmware (requiring an SD card reflash to recover) or steal your hashrate/rewards. The hardware itself is not at risk.
My miner’s hashrate is 3% below spec. Is that malware or normal variance?
It could be either. Normal mining variance over a 24-hour period is typically 1-3% between miner-reported and pool-reported hashrate. The key is consistency: if the gap is a persistent 3-5% over multiple days (not just occasional dips), it warrants investigation. Check your miner’s pool configuration via SSH (not just the web interface), monitor network traffic for connections to unknown IPs, and compare the miner-reported hashrate against pool-reported hashrate over a 7-day average. Also check for other causes: ambient temperature, dust on heatsinks, or aging thermal paste can all reduce hashrate by a few percent legitimately.
I just bought a used miner. Should I flash it even if it looks clean?
Absolutely yes. Always flash clean firmware on used hardware before connecting it to your production network. Even if the web interface looks normal, pool settings appear correct, and the miner seems to work fine — you cannot verify firmware integrity through the web interface alone. Sophisticated malware hides its presence from the web UI. A clean firmware flash from a verified source takes 15-30 minutes and gives you 100% confidence that your miner is running legitimate software. It is the cheapest insurance you can buy. Use the SD card method for maximum confidence.
Can Braiins OS+ or other alternative firmware get infected?
Alternative firmware like Braiins OS+, VNish, and LuxOS are not immune to all attacks, but they are significantly more resistant than stock Bitmain firmware. Braiins OS+ uses authenticated SSH connections, supports SSH key-based authentication properly, and does not ship with universal default credentials. It also receives regular security updates. Network-level attacks that exploit default SSH passwords are largely mitigated. However, if you download a trojaned version of any firmware (including alternative firmware) from a fake website, you are still vulnerable. Always download from official sources and verify checksums.
Does a factory reset remove malware?
It depends on the type of factory reset and the persistence of the malware. A “reset to defaults” through the web interface typically only resets configuration settings (pool, network, passwords) — it does not reflash the firmware. If the malware is embedded in the firmware itself (which the more sophisticated variants are), a configuration reset will not remove it. A full firmware reflash via SD card or USB is the only guaranteed cleanup method. The SD card method overwrites the entire firmware partition, including any malware persistence mechanisms.
Can my miner infect my computer or other devices on my network?
Known ASIC miner malware targets only other ASIC miners — specifically by scanning for SSH on port 22 with default mining credentials. It does not target Windows, macOS, or Linux desktop systems. However, an infected miner is actively scanning your network, which is itself a security concern — and the general principle of network segmentation applies. A compromised device of any kind should not share a network with your personal devices. Putting miners on a separate VLAN or subnet is good practice regardless of malware concerns.
How can I tell if a firmware download site is fake?
Check the domain carefully. The official Bitmain firmware site is service.bitmain.com — not bitmain-firmware.com, bitmain-download.net, or any other variation. Verify the site uses HTTPS with a valid certificate. Cross-reference the download link against the manufacturer’s official documentation or social media accounts. Most critically: after downloading, compare the file’s SHA256 hash against the hash published on the manufacturer’s site. If the hashes do not match, the file has been modified. When in doubt, download from D-Central’s Firmware Download Center — we mirror verified stock firmware for all major ASIC models.
I changed my pool settings but they keep reverting. What is happening?
This is a classic indicator of malware with persistence. The malware has installed a script (usually in a cron job, startup script, or watchdog process) that overwrites your pool configuration periodically or on reboot. Changing settings through the web interface will not fix this — the malware simply rewrites them. You need a complete firmware reflash. Disconnect the miner from the network, perform a clean firmware flash via SD card using verified firmware, then change all credentials before reconnecting. See the malware removal section for the full procedure.
Is it safe to buy refurbished miners from unknown sellers?
It is safe if you follow the isolation and clean flash protocol. The risk with unknown sellers is not the hardware (which is hard to physically compromise) but the firmware. Assume every miner from an unknown seller has compromised firmware. Never connect it to your production network before performing a clean firmware flash on an isolated network. If you want guaranteed clean hardware without the hassle, buy from established companies like D-Central that inspect, test, and reflash every unit before shipping.
How do I protect a large fleet of miners efficiently?
For fleets of 10+ miners: (1) Implement VLAN segmentation with firewall rules blocking inter-miner SSH and restricting outbound connections to whitelisted pool IPs. (2) Deploy Braiins OS+ across the fleet using BOS Toolbox for consistent, secure firmware with proper credential management. (3) Use fleet management tools (Braiins Farm Monitor, Foreman.mn) with hashrate alerts set to flag any worker dropping below 90% of expected output. (4) Run a weekly automated pool configuration audit script. (5) Maintain a fleet manifest tracking each miner’s IP, model, firmware version, last flash date, and expected hashrate. For professional fleet security assessment, contact D-Central’s consulting team.
Why D-Central for Malware-Free Mining
D-Central Technologies has been Canada’s Bitcoin mining security experts since 2016. We are not just a hardware retailer — we are a full-service mining operation that has processed over 2,500 miners through our repair facility in Laval, Quebec. Malware-infected hardware crosses our workbench regularly, and our technicians have developed systematic procedures for detection, removal, and hardening that go beyond what any guide can fully convey.
What makes D-Central different:
- Every miner we sell ships clean. New or refurbished, every unit that leaves our facility has been flashed with verified firmware, credentials changed, and functionality tested. When you buy from D-Central, you skip the entire isolation-and-flash procedure because we have already done it
- Professional malware removal service. Ship us your infected miner. We perform complete firmware reflash, credential hardening, functional verification including hashrate testing, and ship it back ready for deployment. We have the tools, firmware archives, and experience to handle every model from the S9 to the S21
- Canadian-based, Canadian-trusted. Your hardware stays in Canada, serviced by Canadian technicians, with Canadian accountability. No offshore intermediaries, no anonymous sellers, no question marks about what happened to your miner in transit
- Mining Hackers who care about security. We are bitcoiners who mine Bitcoin. We understand that mining security is not just about your revenue — it is about the integrity of the hashrate you contribute to the network. Compromised miners weaken Bitcoin’s decentralization by giving attackers control over hashrate distribution. Cleaning up mining malware is not just good business — it is good for Bitcoin
D-Central Technologies — Verified Clean ASIC Miners
Skip the guesswork. Every ASIC miner in D-Central’s shop — from Bitaxe solo miners to full Antminer S21s — ships with verified stock firmware, changed credentials, and functional testing completed. We stock all major Antminer, Whatsminer, and open-source mining models, plus a complete inventory of replacement parts, power supplies, and accessories. Based in Laval, Quebec. Shipping across Canada and worldwide.
Your hashrate is your contribution to Bitcoin’s security. Keep it clean. Keep it yours.
Questions about ASIC miner security? Need help with malware removal or want to schedule a fleet security audit? Contact D-Central at 1-855-753-9997 or visit our ASIC Repair page. For kernel-level diagnostics, see our Kernel Log Reading Guide. For firmware procedures, see the Antminer Firmware Update Guide.