
Infected ASICs: How to Detect, Remove, and Prevent ASIC Miner Malware

D-Central Technologies · 17 min read

Your ASIC miner is a purpose-built machine that does one thing extraordinarily well: compute SHA-256 hashes at blistering speed. But that singular focus comes with a trade-off. These machines run minimal embedded Linux systems with limited security tooling, often sit on flat networks with default credentials, and their owners rarely think of them as attack surfaces. Cybercriminals have noticed. In 2026, with Bitcoin’s network hashrate exceeding 800 EH/s and the block reward at 3.125 BTC, every terahash represents real money — and infected ASICs have become one of the most persistent, under-discussed threats in Bitcoin mining.

This is not a theoretical problem. It is happening right now, across home mining setups and industrial farms alike. If you run ASIC hardware, you need to understand how these infections work, how to detect them, and how to eliminate them. D-Central has been repairing and reflashing ASIC miners since 2016 — we have seen every variant of firmware malware, cryptojacking payload, and rootkit that has targeted this hardware. Here is what we know.

What Makes ASIC Miners Vulnerable

To understand why ASIC malware is so effective, you need to understand what an ASIC miner actually is under the hood. Strip away the heatsinks and fans, and you have a control board running a stripped-down Linux distribution (typically based on OpenWrt or a custom Buildroot image) connected to one or more hashboards via SPI or I2C. The control board runs a web interface for configuration, an SSH daemon, and the mining software itself (typically cgminer, bmminer, or a proprietary fork).

Here is where the problems begin:

  • Default credentials are universal. Most Antminers ship with root/root. Whatsminers use admin/admin. Many operators never change these, and even if they do, firmware updates can reset them.
  • No package manager or AV tooling. These are embedded systems, not desktop computers. There is no apt-get, no antivirus, no endpoint detection. The attack surface is small but the defenses are nearly nonexistent.
  • Flat network topology. Most mining operations — especially home setups — place all miners on the same subnet with no segmentation. Compromise one device and you can scan the entire fleet.
  • Firmware is a black box. Unless you are running open-source firmware like Braiins OS, you are trusting the manufacturer’s binary blob. And if you bought a used miner, you are trusting whoever had it before you.
  • Always-on, always-connected. ASIC miners run 24/7 with persistent network connections. They are the perfect persistent foothold.

The combination of weak authentication, minimal monitoring, and high-value output makes ASIC miners ideal targets. In many ways, they are more attractive to attackers than traditional servers — the payoff is direct and denominated in Bitcoin.

How ASIC Malware Works: Attack Vectors and Payloads

ASIC malware has evolved significantly since the early days of the hAnt ransomware scare. Modern infections are stealthier, more persistent, and harder to remove. Here are the primary attack vectors and payload types we see in 2026.

Attack Vectors

| Vector | How It Works | Risk Level |
| --- | --- | --- |
| Compromised firmware images | Trojaned firmware distributed via unofficial download sites, Telegram groups, or bundled with “overclocking” tools | Critical |
| Network-based exploitation | Scanning for default SSH/web credentials on local networks or exposed management interfaces | Critical |
| Supply chain infection | Pre-installed malware on used or grey-market miners, flashed before sale | High |
| Worm propagation | Already-infected miners scan the local subnet for other miners and spread automatically | High |
| Management software compromise | Trojaned versions of fleet management tools that push malicious configs to all connected miners | Medium |

Payload Types

Hashrate hijacking (devfee manipulation). The most common and most insidious payload. The malware modifies the mining software configuration to redirect a percentage of hashrate to the attacker’s pool and wallet. Sophisticated variants do this intermittently — perhaps 5-10% of the time — making detection extremely difficult. Your miner appears to work normally. Your pool dashboard shows slightly lower-than-expected shares. You attribute it to variance. Meanwhile, the attacker collects a steady stream of sats from hundreds or thousands of compromised machines.

Wallet address replacement. A simpler variant that replaces your configured wallet address with the attacker’s. This is easier to detect if you monitor your pool dashboard, but some malware re-applies the change after every reboot or configuration save, making it persistently annoying to fix without a full reflash.

Rootkit persistence. Advanced malware writes itself into the NAND flash at the firmware level, surviving standard factory resets. Some variants modify the bootloader or replace the SD card image entirely. These require a physical reflash using an SD card programmer or UART connection to remove — a standard factory reset through the web interface will not touch them.

Ransomware. Less common in 2026 than it was during the hAnt era, but still present. The malware locks the miner’s web interface and displays a ransom demand. Some variants threaten to “burn out” the hashboards by disabling thermal protection. While the hardware damage threat is largely bluster (thermal cutoffs are implemented in hardware on modern ASICs, not just software), the operational disruption is real.

Botnet recruitment. Infected miners are enrolled into botnets for DDoS attacks, credential stuffing, or as proxy nodes. This does not necessarily affect your hashrate, but it consumes bandwidth, creates legal liability, and marks your IP addresses as malicious — which can get you banned from mining pools.

Real-World ASIC Malware: Cases We Have Seen

At D-Central’s ASIC repair facility, we have dealt with hundreds of infected machines over the years. Here are the patterns that keep showing up.

The hAnt Legacy

The hAnt malware, first discovered in 2019 targeting Bitmain Antminer S9 and T9 units, was one of the first widely publicized ASIC-specific threats. It displayed a graphic of an ant with a ransom demand, threatening to overheat the hardware unless the operator paid 10 BTC or helped spread the malware to other miners. While the overheat threat was largely empty (the S9’s thermal protection would trigger first), hAnt demonstrated that ASIC miners were a viable malware target. Variants of hAnt persisted for years, and we still occasionally see them on used S9 units that come in for repair.

The Devfee Skimmer Epidemic

The most common infection we see in 2026 is what we call the “devfee skimmer” — malware that masquerades as a legitimate development fee (many aftermarket firmware projects charge a 1-2% devfee) but actually redirects 5-15% of hashrate. These are particularly prevalent on machines running unofficial firmware downloaded from unverified sources. The malware hooks into the stratum proxy layer and intermittently substitutes the pool’s work assignments with the attacker’s, making detection through casual observation nearly impossible.

Supply Chain Infections on Used Hardware

This is the one that catches people off guard. You buy a “tested and working” used Antminer from a marketplace or auction. It hashes, it connects to your pool, everything looks fine. But buried in the firmware is a persistent redirect that skims a percentage of your hashrate. We have seen this on machines purchased from every major resale channel. The previous owner may not even have known — they might have bought it already infected. This is why every used ASIC should be completely reflashed with verified manufacturer firmware before it touches your network.

Detection: How to Know If Your ASIC Is Infected

Detection is where most miners fail. ASIC malware is designed to be invisible. You will not see a popup or a warning. You need to actively look for it. Here is how.

Network-Level Detection

This is the most reliable method. Monitor the network traffic leaving your miners and look for:

  • Connections to unknown stratum endpoints. Your miner should only connect to the pools you configured. If you see stratum+tcp connections to IP addresses or domains you do not recognize, that is a red flag. Use a tool like tcpdump, Wireshark, or a firewall with logging to inspect outbound connections.
  • DNS queries for unknown domains. Run a DNS server or Pi-hole on your mining network and log all queries. Malware needs to resolve its command-and-control or pool addresses, and those domain lookups will show up in your logs.
  • Unexpected traffic volume or patterns. If a miner is sending data to destinations outside your configured pool endpoints, investigate immediately.
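The allowlist check described above, written out as an added example (this is not code from the original post or from D-Central). It parses netfilter/iptables LOG lines of the kind a firewall with logging writes to syslog and reports every connection a miner opens to an address and port that is not one of your configured pool servers or your local resolver. The miner subnet, the allowed endpoints and the log lines are all constructed for the demo; replace them with your own inventory.

```python
"""Flag miner connections to endpoints outside the configured pool allowlist.

Added example, not code from the original post. It parses netfilter/iptables
LOG lines (the "SRC=... DST=... PROTO=... DPT=..." format a firewall with
logging writes to syslog) and reports any connection from a miner to an
(address, port) pair that is not one of the pools or resolvers you set.
The subnet, allowlist and log lines below are constructed for the demo.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed inventory: the miner VLAN and the only endpoints a miner
# should ever reach: the resolved stratum servers of your pool, plus the
# local DNS resolver that logs queries for you.
MINER_SUBNET = ip_network("192.168.50.0/24")
ALLOWED_ENDPOINTS = {
    ("203.0.113.10", 3333),   # primary stratum server (constructed)
    ("203.0.113.11", 3333),   # backup stratum server (constructed)
    ("192.168.50.1", 53),     # local logging resolver (constructed)
}
# Ports stratum servers commonly listen on; a non-allowlisted hit on one of
# these is the "unknown stratum endpoint" signal the text describes.
STRATUM_PORTS = {3333, 3334, 4444, 25, 443}

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

def parse_log_line(line):
    """Return (src, dst, proto, dport), or None if the line is not a LOG entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])

def audit_outbound(lines):
    """Return one alert dict per non-allowlisted connection initiated by a miner."""
    alerts = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if ip_address(src) not in MINER_SUBNET:
            continue  # not a miner, outside this check's scope
        if (dst, dport) in ALLOWED_ENDPOINTS:
            continue
        kind = "unknown-stratum-endpoint" if dport in STRATUM_PORTS else "unexpected-destination"
        alerts.append({"miner": src, "dst": dst, "port": dport, "proto": proto, "kind": kind})
    return alerts

# Constructed syslog lines in iptables LOG format (log prefix "MINER-OUT:").
SAMPLE_LOG_LINES = [
    "kernel: MINER-OUT: IN=eth1 OUT=eth0 SRC=192.168.50.11 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=41234 DPT=3333 SYN",
    "kernel: MINER-OUT: IN=eth1 OUT=eth0 SRC=192.168.50.11 DST=192.168.50.1 LEN=70 TTL=64 PROTO=UDP SPT=50211 DPT=53",
    "kernel: MINER-OUT: IN=eth1 OUT=eth0 SRC=192.168.50.12 DST=198.51.100.44 LEN=60 TTL=63 PROTO=TCP SPT=39876 DPT=3333 SYN",
    "kernel: MINER-OUT: IN=eth1 OUT=eth0 SRC=192.168.50.12 DST=198.51.100.44 LEN=60 TTL=63 PROTO=TCP SPT=39877 DPT=8080 SYN",
    "kernel: MINER-OUT: IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=198.51.100.44 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=3333 SYN",
    "kernel: sshd[412]: Accepted publickey for admin from 192.168.10.5",
]

if __name__ == "__main__":
    for alert in audit_outbound(SAMPLE_LOG_LINES):
        print(f"{alert['kind']}: miner {alert['miner']} -> {alert['dst']}:{alert['port']}/{alert['proto']}")
```

Run against the constructed lines, the script reports two alerts for miner 192.168.50.12 (a stratum-port connection to an unknown host and a second connection to port 8080) and stays silent for the allowed pool and resolver traffic. Feeding it a live syslog tail turns the "look for unknown stratum endpoints" advice into an automated check; the same logic works on conntrack exports if you adjust the regex.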

Pool-Side Verification

Compare what your miner reports locally versus what your pool reports:

  • Check your effective hashrate on the pool dashboard. If your S19j Pro is rated at 104 TH/s but your pool consistently shows 90-95 TH/s effective after accounting for variance, something is diverting shares.
  • Verify your wallet address on the pool. Log into your pool account and confirm the payout address matches what you configured. Some malware swaps the address at the stratum level, so the miner’s web UI shows your address while the actual submitted shares credit a different wallet.
  • Monitor share rejection rates. A sudden increase in stale or rejected shares can indicate that the miner is intermittently submitting work to a different pool.
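"After accounting for variance" is the hard part of the pool-side comparison, so here is an added example (not code from the original post) that does that accounting explicitly. At a fixed share difficulty D, a miner hashing at H hashes per second for t seconds is expected to find H × t / (D × 2^32) shares, and the count follows a Poisson distribution, so its standard deviation is roughly the square root of the expectation. A steady 5-15% skim therefore shows up as a deficit many standard deviations wide that repeats in every window, which ordinary variance does not do. The rated speed is the S19j Pro figure used above; the share difficulty and the per-hour share counts are constructed.

```python
"""Decide whether a miner's pool-side share rate shows a consistent shortfall.

Added example, not code from the original post. At a fixed share
difficulty D, a miner hashing at H hashes/s for t seconds is expected to
find H * t / (D * 2^32) shares, and the count is Poisson distributed, so
its standard deviation is about the square root of that expectation. A
steady skim shows up as a deficit many standard deviations wide that
repeats in every window. Rated speed matches the S19j Pro figure in the
text; the difficulty and the share counts are constructed.
"""
import math

TWO_32 = 2 ** 32  # hashes per unit of difficulty

def expected_shares(hashrate_hs, difficulty, seconds):
    """Mean share count a miner of this speed produces at this difficulty."""
    return hashrate_hs * seconds / (difficulty * TWO_32)

def estimate_hashrate(shares, difficulty, seconds):
    """Hashrate implied by an observed share count (a pool's 'effective' figure)."""
    return shares * difficulty * TWO_32 / seconds

def assess_shortfall(rated_hs, difficulty, window_seconds, share_counts, z_threshold=4.0):
    """Compare observed per-window share counts with the rated expectation.

    Flags the miner when the total deficit exceeds z_threshold standard
    deviations AND every window is individually low (more than one sigma
    under expectation), i.e. the shortfall is consistent, not one bad hour.
    """
    mu_window = expected_shares(rated_hs, difficulty, window_seconds)
    n = len(share_counts)
    mu_total = mu_window * n
    observed = sum(share_counts)
    z = (mu_total - observed) / math.sqrt(mu_total)
    low_windows = sum(1 for c in share_counts if c < mu_window - math.sqrt(mu_window))
    effective_hs = estimate_hashrate(observed, difficulty, n * window_seconds)
    return {
        "expected_shares_per_window": round(mu_window, 1),
        "effective_ths": round(effective_hs / 1e12, 2),
        "shortfall_pct": round(100.0 * (1.0 - observed / mu_total), 2),
        "z_score": round(z, 2),
        "low_windows": low_windows,
        "suspicious": z >= z_threshold and low_windows == n,
    }

RATED_HS = 104e12          # S19j Pro rated hashrate from the text
SHARE_DIFFICULTY = 65536   # constructed fixed pool share difficulty
WINDOW_SECONDS = 3600

# Constructed hourly share counts: one miner skimmed by roughly 13%, one healthy.
SKIMMED_WINDOWS = [1160, 1142, 1171, 1138, 1155, 1149]
HEALTHY_WINDOWS = [1341, 1318, 1335, 1302, 1349, 1327]

if __name__ == "__main__":
    for label, counts in (("skimmed", SKIMMED_WINDOWS), ("healthy", HEALTHY_WINDOWS)):
        print(label, assess_shortfall(RATED_HS, SHARE_DIFFICULTY, WINDOW_SECONDS, counts))
```

For the constructed data the skimmed miner comes out at about 90 TH/s effective, a 13% shortfall roughly twelve standard deviations below expectation in all six hours, while the healthy miner sits within a fraction of a percent of 104 TH/s. Pools that use variable difficulty report shares as difficulty-weighted totals; feed those totals in place of raw counts and the same arithmetic applies.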

Firmware-Level Inspection

For the technically inclined:

  • SSH into the miner and inspect running processes. Look for unexpected processes, unusual cron jobs, or modifications to /etc/shadow, /etc/passwd, or the mining software binaries.
  • Check file hashes. Compare the MD5/SHA256 hashes of critical system files against known-good images from the manufacturer. Any discrepancy indicates tampering.
  • Inspect the cgminer/bmminer configuration. Look at the actual running configuration (not just what the web UI shows) for pool URLs and wallet addresses you did not set.
  • Check for persistence mechanisms. Look for modified init scripts, unauthorized SSH keys in /root/.ssh/authorized_keys, or changes to the NAND flash partitions.
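The file-hash and configuration checks from the list above, combined into one added example (not code from the original post). verify_manifest() hashes every file named in a baseline of known-good SHA-256 values and reports modified and missing entries; audit_pool_config() reads the JSON configuration that cgminer and bmminer load (a "pools" list with "url", "user" and "pass") and flags pool hosts or wallet accounts you did not configure. The baseline, the files and the config are constructed inside a temporary directory so the script runs anywhere; on a real miner you would point it at the mounted root filesystem and at a manifest you recorded from a clean, verified firmware image.

```python
"""Firmware-level inspection: integrity check against a known-good manifest
and an audit of the running cgminer/bmminer pool configuration.

Added example, not code from the original post. verify_manifest() hashes
every file listed in a baseline (relative path -> SHA-256 taken from a
clean, verified firmware image) and reports modified and missing entries.
audit_pool_config() reads the JSON file cgminer and bmminer load ("pools"
list with "url"/"user"/"pass") and flags pool hosts or wallet accounts
you did not configure. The baseline, files and config are constructed in
a temporary directory so the script runs on any machine.
"""
import hashlib
import json
import os
import tempfile
from urllib.parse import urlsplit

def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(root, manifest):
    """Compare files under root with {relative_path: expected_sha256}."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def audit_pool_config(config_text, allowed_hosts, expected_account):
    """Flag pools pointing at unknown hosts or crediting an unexpected account.

    cgminer-style "user" values are "account.worker", so only the part before
    the first dot is compared with expected_account.
    """
    cfg = json.loads(config_text)
    findings = []
    for i, pool in enumerate(cfg.get("pools", [])):
        url = pool.get("url", "")
        host = urlsplit(url).hostname  # "stratum+tcp://host:port" -> host
        account = pool.get("user", "").split(".", 1)[0]
        if host not in allowed_hosts:
            findings.append(f"pool[{i}]: unknown pool host {host!r} in {url}")
        if account != expected_account:
            findings.append(f"pool[{i}]: shares credited to {account!r}, expected {expected_account!r}")
    return findings

# Constructed config in the format cgminer/bmminer write; the second pool
# entry is one the operator never configured.
DEMO_CONFIG = json.dumps({
    "pools": [
        {"url": "stratum+tcp://stratum.yourpool.example:3333", "user": "yourwallet.worker1", "pass": "x"},
        {"url": "stratum+tcp://pool.not-yours.example:3333", "user": "someoneelse.w", "pass": "x"},
    ],
    "api-listen": True,
})

def run_demo():
    """Build a constructed mini root filesystem, tamper with it, run both checks."""
    clean_files = {
        "usr/bin/cgminer": b"constructed stand-in for the clean cgminer binary\n",
        "etc/init.d/rcS": b"#!/bin/sh\n# constructed init script\n/usr/bin/cgminer -c /config/cgminer.conf &\n",
        "etc/shadow": b"root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean_files.items()}
    # Listed in the baseline but never written below, so it reports as missing.
    manifest["usr/bin/bmminer"] = hashlib.sha256(b"constructed clean bmminer\n").hexdigest()
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean_files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Simulate a persistence edit: an extra start line appended to the init script.
        with open(os.path.join(root, "etc/init.d/rcS"), "ab") as f:
            f.write(b"/tmp/.extra/unknown &\n")
        integrity = verify_manifest(root, manifest)
    findings = audit_pool_config(DEMO_CONFIG, {"stratum.yourpool.example"}, "yourwallet")
    return integrity, findings

if __name__ == "__main__":
    integrity, findings = run_demo()
    print("integrity:", integrity)
    for finding in findings:
        print("config:", finding)
```

The demo reports the init script as modified, the absent bmminer binary as missing, and two configuration findings for the second pool (unknown host, shares credited to another account). Record the manifest from a firmware image whose checksum you verified against the manufacturer's published hash, not from the miner itself, otherwise you are baselining whatever is already there. SHA-256 is used rather than MD5 because a tampered file can be made to keep its MD5 value.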

Quick Detection Checklist

| Check | What to Look For | Tool |
| --- | --- | --- |
| Outbound connections | Stratum connections to unknown IPs/domains | Wireshark, tcpdump, firewall logs |
| Pool hashrate | Consistent shortfall vs expected rate | Pool dashboard |
| Wallet address | Mismatch between UI and actual submitted work | Pool worker details |
| DNS queries | Lookups for unknown pool domains | Pi-hole, DNS logs |
| SSH inspection | Unknown processes, cron jobs, SSH keys | SSH terminal access |
| File integrity | Modified system binaries or configs | md5sum / sha256sum |

Removing ASIC Malware: The Nuclear Option and Beyond

Once you have confirmed an infection, the remediation approach depends on the severity. Here is the hierarchy from least to most aggressive.

Level 1: Configuration Reset

If the malware only modified pool/wallet settings without deep persistence, a factory reset through the web interface followed by reconfiguration may be sufficient. This is rarely enough for real malware, but it is worth trying first.

Level 2: Clean Firmware Reflash

This is the standard remediation for most infections. Download verified firmware directly from the manufacturer’s official website — never from a third-party link, forum post, or Telegram group. Verify the firmware file’s checksum against the manufacturer’s published hash. Flash it through the web interface or via SD card. This overwrites the entire filesystem and eliminates most malware.

Level 3: SD Card / UART Reflash

For rootkit-level infections that survive a standard reflash, you need to go deeper. This involves writing a clean firmware image directly to the control board’s NAND flash using an SD card programmer or UART serial connection. This bypasses any boot-level persistence mechanisms. This is a procedure that requires technical skill and the right tools — D-Central’s repair team performs this routinely on machines that come in with persistent infections.

Level 4: Control Board Replacement

In rare cases where the NAND flash itself is damaged or the infection has corrupted the bootloader beyond recovery, replacing the control board entirely is the most reliable path. This guarantees a clean start. D-Central stocks replacement control boards and parts for most major ASIC models.

Post-Remediation Steps

After cleaning an infected machine, do not just plug it back in and forget about it. Follow this post-remediation protocol:

  1. Change all credentials — root password, web UI password, API keys. Use unique, strong passwords for each device.
  2. Scan every other miner on the network. If one was infected, assume the malware attempted lateral movement. Check every device.
  3. Audit your network. Review firewall rules, segment your mining network from your main network, and restrict outbound connections to only your configured pool endpoints.
  4. Verify firmware checksums on every device, not just the one that was infected.
  5. Monitor for 48-72 hours. Watch pool hashrates, network connections, and device behavior closely for any signs of reinfection.

Hardening Your ASIC Fleet: Prevention That Actually Works

Prevention is not about buying fancy security software — ASIC miners do not run endpoint protection agents. Prevention is about architecture, discipline, and verification.

Network Architecture

  • Isolate your mining network. Put your miners on a dedicated VLAN or separate physical network from your home/office network. Use a firewall to restrict traffic between segments.
  • Restrict outbound connections. Configure your firewall to only allow outbound connections from miners to your specific pool IP addresses and ports. Block everything else. This single step defeats the majority of hashrate-hijacking malware, which needs to reach the attacker’s pool to function.
  • Use a dedicated DNS resolver. Run a local DNS server that logs and filters queries. This gives you visibility into what your miners are trying to reach.
  • Disable UPnP. Universal Plug and Play can expose miner management interfaces to the internet. Disable it on your router.

Firmware Hygiene

  • Only install firmware from verified sources. Manufacturer websites and trusted open-source projects (Braiins OS, for example) with verifiable checksums. Never flash firmware from a random link someone posted in a chat group.
  • Reflash every used miner before deployment. This is non-negotiable. Every used ASIC that enters your operation gets a clean flash with verified firmware before it connects to your network.
  • Keep firmware updated. Manufacturers patch vulnerabilities. Apply updates promptly, but always verify the update’s authenticity first.

Access Control

  • Change default passwords immediately. Every miner, every time. Use unique passwords per device if possible.
  • Disable SSH if you do not need it. If you do need it, change the port and use key-based authentication instead of passwords.
  • Restrict management interface access. Only allow connections to the miner’s web UI from specific IP addresses on your management workstation.

Monitoring and Auditing

  • Monitor pool-side metrics daily. Track effective hashrate per device. A consistent 5-10% shortfall is the classic signature of a devfee skimmer.
  • Run periodic firmware integrity checks. SSH into devices and verify file hashes against known-good baselines.
  • Log and review network traffic. Automated alerts for connections to non-whitelisted destinations can catch infections within hours instead of months.

The Open-Source Advantage: Why Firmware Transparency Matters

One of the strongest defenses against firmware-level malware is firmware transparency. Closed-source, proprietary firmware is a black box — you have no way to verify what it is actually doing. Open-source alternatives like Braiins OS allow the community to audit the code, verify builds, and confirm that the firmware does exactly what it claims to do and nothing more.

This is the same principle that makes Bitcoin itself trustworthy: do not trust, verify. When you run proprietary firmware, you are trusting the manufacturer. When you run auditable open-source firmware, you are verifying. For home miners who take sovereignty seriously — and if you are reading this on D-Central, you probably do — firmware transparency should be a factor in every hardware purchasing decision.

The open-source mining hardware movement, including the Bitaxe ecosystem that D-Central has been pioneering since its inception, extends this philosophy to the hardware level. When both the hardware design and firmware are open-source, the attack surface for supply chain infections drops dramatically. You can build it, inspect it, and verify it yourself. That is the Mining Hacker way.

Special Considerations for Home Miners

If you are running one or two ASICs at home — maybe an Antminer heating your garage or a Bitaxe solo mining on your desk — the threat model is different from a large farm but the risks are still real.

Used hardware is the biggest risk. Home miners often buy used equipment to save money. Understandable, but every used miner should be treated as potentially compromised until proven otherwise. Reflash it before connecting it to your home network.

Your home network is the attack surface. Unlike a dedicated mining facility, your home network also has your personal devices, smart home gadgets, and family members’ computers. An infected miner on your home network is a foothold into everything else. Use network segmentation — even a cheap managed switch with VLAN support and a basic firewall rule set makes a massive difference.

Do not expose management interfaces to the internet. It sounds obvious, but we see it constantly. Miners with their web UIs port-forwarded through the router, accessible from anywhere. That is an open invitation. If you need remote management, use a VPN or SSH tunnel — never direct exposure.

Monitor your power bill and pool payouts. Home miners are often “set and forget” operators. Check your pool dashboard weekly at minimum. If your miner’s effective hashrate is consistently lower than expected, investigate.

When to Call in Professional Help

Not every miner has the skills or tools to perform a UART reflash or diagnose a rootkit-level infection. And that is fine — this is specialized work. Here is when it makes sense to send your hardware to a professional repair service:

  • The infection survives a standard firmware reflash through the web interface
  • The miner’s web UI is locked or inaccessible
  • You suspect the bootloader has been compromised
  • Multiple miners on your network are infected and you cannot identify the initial vector
  • You purchased used hardware and want it professionally verified before deployment

D-Central has been repairing and reflashing ASIC miners since 2016. Our technicians have the UART programmers, SD card tools, diagnostic equipment, and experience to handle infections that consumer-level remediation cannot touch. We handle everything from simple reflashes to full control board replacements, and we verify firmware integrity on every machine before it leaves our facility.

The Bigger Picture: ASIC Security and Bitcoin’s Decentralization

ASIC malware is not just a nuisance for individual miners — it is a threat to Bitcoin’s decentralization. When malware redirects hashrate from hundreds of independent miners to a single attacker-controlled pool, it artificially concentrates hashpower. At scale, this undermines the very network security model that proof-of-work provides.

For the cypherpunk-minded miner, securing your ASICs is not just about protecting your sats. It is about maintaining the integrity of the network you are helping to secure. Every hash that reaches your intended pool — and not some attacker’s redirect — is a vote for the Bitcoin network’s health and decentralization. Running clean firmware on properly secured hardware is a fundamental responsibility of participating in Bitcoin’s consensus mechanism.

This is why D-Central’s mission — decentralization of every layer of Bitcoin mining — extends beyond just making hardware accessible. It means ensuring that hardware runs clean, that miners have the knowledge to secure their operations, and that professional help is available when threats exceed individual capability. We are Bitcoin Mining Hackers, and security is part of the craft.

What is the most common type of ASIC malware in 2026?

The most common type is the devfee skimmer — malware that redirects a percentage of your hashrate (typically 5-15%) to an attacker’s mining pool and wallet. It is designed to be stealthy, often masquerading as a legitimate development fee, and can run undetected for months if you are not actively monitoring your pool-side hashrate metrics.

Can a factory reset remove ASIC malware?

A standard factory reset through the web interface removes most basic infections, but advanced malware with rootkit persistence can survive it. These infections write themselves into the NAND flash at the firmware level or modify the bootloader. Removing them requires a full firmware reflash using an SD card or UART serial connection, which overwrites the entire storage including boot partitions.

How do I know if my used ASIC miner is infected?

Monitor your effective hashrate on your pool dashboard and compare it to the miner’s rated output. A consistent shortfall of 5-15% after accounting for normal variance is the classic sign. Also check for outbound network connections to stratum endpoints you did not configure, verify your wallet address on the pool matches what you set, and inspect the miner via SSH for unknown processes or unauthorized SSH keys.

Should I reflash a used ASIC miner before using it?

Absolutely, and this is non-negotiable. Every used ASIC miner should be completely reflashed with verified manufacturer firmware downloaded directly from the official website before it ever connects to your network. Verify the firmware file’s checksum before flashing. Supply chain infections on used hardware are one of the most common attack vectors we see at D-Central’s repair facility.

What is the single most effective defense against ASIC malware?

Firewall-level outbound connection restriction. Configure your firewall to only allow your miners to connect to the specific IP addresses and ports of your chosen mining pool. Block all other outbound connections. This defeats hashrate-hijacking malware because it physically cannot reach the attacker’s pool. Combine this with verified firmware and changed default passwords for a strong baseline defense.

Can ASIC malware damage my mining hardware?

Some ransomware variants (like hAnt) have threatened to overheat and destroy hardware by disabling thermal protection. In practice, modern ASIC miners have hardware-level thermal cutoffs that cannot be overridden by software alone, so permanent damage from malware is unlikely. However, malware can cause excessive wear from running at full load continuously, increase power consumption, and result in significant financial losses from redirected hashrate.

Does D-Central offer malware removal and reflashing services?

Yes. D-Central has been repairing and reflashing ASIC miners since 2016. Our technicians handle everything from standard firmware reflashes to UART-level recovery for persistent rootkit infections. We verify firmware integrity on every machine before it leaves our facility. If you suspect your miner is infected and cannot resolve it yourself, our ASIC repair service can help.
