How Unsuspecting Homeowners Helped Hackers Mine 500 Million Dogecoins

New details have emerged regarding the illicit mining of roughly half a billion dogecoins in the winter and early spring of 2014, which mainly targeted unsuspecting homeowners and may have affected thousands of customers of Taiwan-based manufacturer Synology.

Earlier this week it came to light that an as-yet unidentified hacker or hackers gained administrator access to network attached storage (NAS) servers sold by Synology. This resulted in the creation of roughly 500 million dogecoins over a several month-long period, with activity peaking in February.

The malware attempt first came to the company’s attention in September, prompting a quick response and the development of a software fix within four days of initial discovery. A follow-up fix was announced in February. However, some customers failed to update their NAS servers. As a result, those involved with the hack were able to exploit security vulnerabilities and create a botnet that mined bitcoin and dogecoin.

Many of the customers involved were homeowners who largely remained unaware of the problem until it had already been addressed by Synology. Thadd Weil, public relations specialist for Synology America Corp., told CoinDesk that the event was the first time that a digital currency-focused cyber attack successfully impacted their customers.

However, he said that attempts to do so have happened before and are likely to take place again, stating:

Weil explained that in mid-September, the company’s security response teams were alerted to fraudulent activity taking place. He added that the discovery was part of Synology’s routine scanning activities. Within four days of discovering the malicious files embedded in the NAS servers – contained in folders entitled “PWNED” – Synology was able to generate a patch that nullified the effects of the software.

The company later released another update, announced in a February press statement, that outlined the problems and identified the malicious data involved. This response was published after some users took to social media platforms to alert Synology about sluggish performance of their NAS boxes and unusually high CPU usage.

However, the vulnerability remained unaddressed for most users because the fix was not announced on a broad enough scale. Weil acknowledged that the company could have done a better job communicating with customers who may have been at risk, explaining:

Weil continued by saying that prior to the incident, Synology did not directly upgrade the NAS server software. As a result, some customers never addressed the security flaw, which enabled those behind the hack to repurpose the NAS servers for bitcoin and dogecoin mining.

Synology now issues automatic upgrades to its customers as a result of the patch protocol flaw.

Weil added that Synology has been keeping track of the issue since mining activity on its hardware spiked, with the most recent update coming out this week.

Another part of the problem was that the most common targets in this case were homeowners who don’t nearly use the bandwidth capacities of their NAS servers. Because of this, many customers weren’t even aware of the problem unless they were using significant processing power.

The choice of targeting Synology’s products mirrors attacks on mobile devices and with the intention of creating a botnet. By pooling the resources of many small devices, a hacker or hackers can generate enough hashing power to successfully mine digital currency, whether its bitcoin or dogecoin.

As in those cases, the NAS servers don’t generate much computing power – “it’s kind of like assigning a calculator to do 3D rendering,” as Weil explained – but, on a broad scale, are capable of significant hashing power when used for mining.

Weil was unable to provide a specific number on the amount of customers that were affected, but he speculated that it must have been “in the thousands”.