Facebook Breaks Up Cryptocurrency Mining Botnet 'Lecpetex'

Facebook has successfully dismantled a major bitcoin botnet operated by a small team of cyber criminals based in Greece.

AccessTimeIconJul 9, 2014 at 6:30 p.m. UTC
Updated Sep 11, 2021 at 10:57 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Facebook has successfully dismantled a major bitcoin botnet operated by a small team of cyber criminals based in Greece.

The Lecpetex botnet managed to infect 250,000 computers. At its peak it compromised as many as 50,000 Facebook accounts.

Lecpetex propagated through the social media platform using spam messages with malicious code inserted into zipped attachments.

Each zip archive contained an embedded Java file that would download and install a litecoin miner. It would also steal cookies and gain access to the victim's friend list, using it to send out even more spam.

However, mining was not its only function. The botnet was also used to distribute more dangerous malware designed to steal banking details, passwords and bitcoins.

My big fat Greek botnet

Facebook detected the Lecpetex botnet months ago and it is believed that it first started spreading in December.

The social media giant says it tracked more than 20 distinct waves of spam sent out by the botnet between December 2013 and June 2014.

On 30th April, Facebook asked the Cybercrime Subdivision of the Greek Police for assistance. Greek investigators managed to catch up with the botnet's authors on 3rd July and they were detained on the same day.

Greek police told Facebook that the perpetrators were in the process of establishing a ‘bitcoin mixing’ service that would enable them to launder the stolen bitcoins.

As Greek police started closing in on the operators, they left notes for them to find on compromised command and control servers.

One such message read:

“Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz [sic].”

Facebook published its findings on the botnet in an extensive blog post.

No word on damage caused

Although Facebook says it learned a few lessons while it dismantled the botnet, there is still no official information on the damage Lecpetex caused.

“Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of litecoin mining software. Ultimately the botnet operators focused on litecoin mining to monetize their pool of infected systems,” the company said.

Although the number of affected PCs is relatively low compared to many other botnets, it's likely that Lecpetex generated some litecoins, though the number is unknown. The ‘bitcoin mixing’ effort cited by Facebook also indicates that bitcoins were likely to have been stolen by the botnet.

According to Greek media reports, the operators of the botnet claimed they were using the data for "research purposes", not monetary gain. The pair were released from custody earlier this week.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.