The known_crypto() function tests your network’s ability to detect and block connections to known cryptocurrency mining domains. Unauthorized cryptomining (cryptojacking) uses organizational resources to mine cryptocurrency without permission.

Data Source

This module uses a curated list of cryptomining domains:
  • Mining Domains List - https://gist.githubusercontent.com/asluppiter/88aa3cb285948e4f982dd94218e5baf3/raw/bffe8bb462eb8b3fb6cd647be65d67de059cb789/mining
This list contains domains associated with cryptocurrency mining pools and browser-based mining scripts commonly used in cryptojacking attacks.

How It Works

1. Download Mining Domains List

Downloads the latest list of known cryptomining domains from the GitHub Gist.

import requests

urls = 'https://gist.githubusercontent.com/asluppiter/88aa3cb285948e4f982dd94218e5baf3/raw/bffe8bb462eb8b3fb6cd647be65d67de059cb789/mining'
response = requests.get(urls)
if response.status_code == 200:
    file_name = urls.split("/")[-1]  # last path segment: "mining"
    with open(file_name, "w") as f:
        f.write(response.text)

2. Random Sampling

Randomly selects 15 domains from the cryptomining list.

import random

sampleMining = []
for file in saved_files:
    with open(file, 'r') as f:
        lines = f.readlines()
    for _ in range(15):
        # random.choice samples with replacement, so a domain can appear more than once
        sampleMining.append(random.choice(lines))
sampleMining = [x.strip() for x in sampleMining]

3. HTTP Connection Testing

Attempts an HTTP GET request to each cryptomining domain with a 5-second timeout.

import requests

for x in sampleMining:
    try:
        downloader = requests.get(x, timeout=5)
        if downloader.status_code == 200:
            pass  # the successful connection is recorded in the results log (step 4)
    except Exception:
        # timeouts, DNS failures and blocked connections all end up here
        continue

4. Results Logging

Logs all connection attempts with timestamps to Mining_Results.txt.
5. Cleanup

Removes the temporary downloaded files after testing completes.

Output Format

Results are saved to Mining_Results.txt with the following format:
Timestamp:14:40:15 URL:http://mining-pool.com test SUCCESFULL
Timestamp:14:40:20 URL:http://cryptominer.xyz test FAILED
Timestamp:14:40:25 URL:http://coinhive-alternative.com test SUCCESFULL
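Reading the results file by eye does not scale once the test is run repeatedly, so the following added example (not part of Somnium) parses lines in the format above and turns them into a verdict. It matches the success marker exactly as the tool spells it, treats a URL as reachable if any attempt returned HTTP 200, and reports lines that do not fit the format instead of silently dropping them. The sample text and the `.example` hostnames are constructed for the demonstration.

```python
import re
import sys
from collections import Counter

# Constructed sample in the exact format known_crypto() writes (the tool spells the
# success marker "SUCCESFULL", so the parser matches that spelling verbatim).
SAMPLE_RESULTS = """\
Timestamp:14:40:15 URL:http://mining-pool.example test SUCCESFULL
Timestamp:14:40:20 URL:http://cryptominer.example test FAILED
Timestamp:14:40:25 URL:http://coinhive-alternative.example test SUCCESFULL
Timestamp:14:40:31 URL:http://cryptominer.example test FAILED
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^Timestamp:(?P<time>\d{2}:\d{2}:\d{2}) URL:(?P<url>\S+) test (?P<outcome>SUCCESFULL|FAILED)$"
)


def parse_results(text):
    """Split result text into parsed records and the lines that did not match."""
    records, malformed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(line)
            continue
        records.append({
            "time": m.group("time"),
            "url": m.group("url"),
            "reachable": m.group("outcome") == "SUCCESFULL",
        })
    return records, malformed


def summarize(records):
    """Per-URL verdict plus totals.

    A URL counts as reachable if any attempt got HTTP 200: one success is enough to
    show the filtering gap. FAILED conflates 'blocked' with 'offline', so the failed
    count is only an upper bound on what the controls actually stopped."""
    by_url = {}
    for r in records:
        by_url[r["url"]] = by_url.get(r["url"], False) or r["reachable"]
    reachable = sorted(url for url, ok in by_url.items() if ok)
    counts = Counter("reachable" if ok else "failed" for ok in by_url.values())
    return {
        "attempts": len(records),
        "unique_urls": len(by_url),
        "reachable": reachable,
        "reachable_count": counts["reachable"],
        "failed_count": counts["failed"],
        "verdict": "FILTERING GAP" if reachable else "NO REACHABLE DOMAINS",
    }


def report(text):
    """Human-readable summary of a results file."""
    records, malformed = parse_results(text)
    summary = summarize(records)
    lines = [f"{summary['verdict']}: {summary['reachable_count']} of {summary['unique_urls']} "
             f"domains reachable over {summary['attempts']} attempts"]
    lines += [f"  reachable: {url}" for url in summary["reachable"]]
    if malformed:
        lines.append(f"  {len(malformed)} line(s) not in the expected format were ignored")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path to Mining_Results.txt; without one, the constructed sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(report(source))
```

Run it as `python summarize_results.py Mining_Results.txt`. Because the tool appends to the file on every run, the per-URL view is what matters: a domain that was FAILED yesterday and SUCCESFULL today is still a reachable domain.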

Complete Implementation

import os
import random
import time

import requests
from tqdm import tqdm


def known_crypto():
    urls = 'https://gist.githubusercontent.com/asluppiter/88aa3cb285948e4f982dd94218e5baf3/raw/bffe8bb462eb8b3fb6cd647be65d67de059cb789/mining'
    saved_files = []
    print("Downloading Samples")
    response = requests.get(urls)
    if response.status_code == 200:
        file_name = urls.split("/")[-1]
        with open(file_name, "w") as f:
            f.write(response.text)
        saved_files.append(file_name)
    # Sample 15 entries (with replacement) from each downloaded list
    sampleMining = []
    for file in saved_files:
        with open(file, 'r') as f:
            lines = f.readlines()
        for _ in range(15):
            sampleMining.append(random.choice(lines))
    sampleMining = [x.strip() for x in sampleMining]
    # Append one line per attempt; the file is closed when the block exits
    with open("Mining_Results.txt", mode="a+") as myFile:
        for x in tqdm(sampleMining, desc="Testing samples, Results saved at Mining_Results.txt"):
            try:
                downloader = requests.get(x, timeout=5)
                outcome = "SUCCESFULL" if downloader.status_code == 200 else "FAILED"
            except Exception:
                # timeouts, DNS failures and connections blocked by filtering all count as FAILED
                outcome = "FAILED"
            current_time = time.strftime("%X")
            myFile.write(f"Timestamp:{current_time} URL:{x} test {outcome}\n")
    # Remove the downloaded list once testing completes
    for file_name in saved_files:
        os.remove(file_name)

What to Monitor

Network Traffic

Monitor for sustained outbound connections to mining pools, which indicate active cryptomining.

CPU/GPU Usage

Unusual spikes in processor usage across multiple systems may indicate cryptojacking malware.

Web Filtering

Web security gateways should categorize and block cryptomining domains.

DNS Queries

DNS security should prevent resolution of known mining pool domains.
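Preventing resolution of listed domains is mostly a matter of getting the list into a shape a resolver can enforce. The following added example (not Somnium's code) shows that step: it normalises a raw domain list of the kind the test downloads, matches a queried name against it the way a resolver policy does (an entry for a domain also covers its subdomains, but not its parent), and renders an RPZ (Response Policy Zone) file that answers NXDOMAIN for every entry. The sample list, the `.example` names and the `rpz.local` zone origin are constructed assumptions; the real gist's exact formatting is not assumed.

```python
# Constructed sample of a raw list as downloaded: bare domains, hosts-file style
# entries, mixed case, trailing dots, comments and blank lines. Not the real gist.
RAW_LIST = """\
# mining domains (constructed sample)
pool.mining-pool.example
0.0.0.0 cryptominer.example
CoinHive-Alternative.Example.

stats.cryptominer.example   # comment after the entry
"""


def normalize_domains(raw):
    """Return a set of lower-case domain names without trailing dots."""
    names = set()
    for line in raw.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        name = line.split()[-1]                   # "0.0.0.0 name" -> name; bare name unchanged
        name = name.lower().rstrip(".")
        if name and "." in name:                  # skip junk such as a lone "localhost"
            names.add(name)
    return names


def is_blocked(qname, blocklist):
    """Return the blocklist entry covering qname, or None.

    Walks from the queried name up through its parents, so an entry for
    cryptominer.example also covers api.cryptominer.example; the reverse
    (a listed subdomain blocking its parent) does not hold."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):              # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def rpz_zone(blocklist, origin="rpz.local"):
    """Render an RPZ zone file; a 'CNAME .' policy record means answer NXDOMAIN.
    The zone origin and the SOA/NS values are placeholders for a local resolver."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(blocklist):
        lines.append(f"{name} CNAME .")       # the domain itself
        lines.append(f"*.{name} CNAME .")     # and every subdomain
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bl = normalize_domains(RAW_LIST)
    for q in ("api.cryptominer.example", "mining-pool.example", "example.test"):
        print(q, "->", is_blocked(q, bl) or "allowed")
    print(rpz_zone(bl))
```

The wildcard record is the part most hand-built blocklists miss: without `*.name CNAME .`, a miner that connects to a fresh subdomain of a listed pool resolves normally. Load the generated zone into a resolver that supports RPZ and re-run the test; every sampled domain should then come back FAILED at the DNS stage.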

Cryptojacking Attack Vectors

Malicious JavaScript embedded in compromised websites that mines cryptocurrency using visitors’ browsers. Common libraries:
  • Coinhive (defunct but variants exist)
  • CoinImp
  • Crypto-Loot
Detection: Web filtering, JavaScript blocking, browser extensions

Dedicated cryptomining malware installed on systems:
  • XMRig miners
  • Monero mining trojans
  • Fileless cryptominers
Detection: Endpoint protection, network traffic analysis, CPU monitoring

Compromised cloud resources used for mining:
  • Hijacked AWS/Azure instances
  • Kubernetes cluster compromise
  • Container escape attacks
Detection: Cloud security monitoring, unusual resource consumption alerts

Cryptominers embedded in software supply chain:
  • Compromised npm/PyPI packages
  • Modified container images
  • Infected software installers
Detection: Software composition analysis, integrity verification

Common Mining Pools

The test may include connections to pools mining various cryptocurrencies:
  • Monero (XMR) - Most common due to CPU mining capability
  • Ethereum (ETH) - GPU-based mining pools
  • Bitcoin (BTC) - Large mining pool operators
  • Zcash (ZEC) - Privacy-focused cryptocurrency
Successful connections to mining pools indicate potential cryptojacking activity or inadequate web filtering. Unauthorized cryptomining:
  • Degrades system performance
  • Increases electricity costs
  • Reduces hardware lifespan
  • May violate acceptable use policies

Testing Workflow

# Run Somnium and select option 5
python main.py
# Choose: #5 Test connection to known Cryptomining domains

# Review results
cat Mining_Results.txt

# Check for cryptomining indicators
# - Network connections to mining pools
# - Unusual CPU/GPU usage patterns
# - DNS queries to mining domains
# - Firewall blocks to mining ports (3333, 8333, etc.)

Detection Strategies

1. Network Layer

Block known mining pool domains and IP addresses at the firewall and DNS level.

2. Application Layer

Use web filtering to block cryptomining scripts and mining pool connections.

3. Endpoint Layer

Deploy endpoint detection tools that identify cryptomining malware and excessive CPU usage.

4. Behavioral Analysis

Monitor for unusual network traffic patterns characteristic of mining activity.

Security Controls to Validate

  • Web Application Firewalls (WAF) - Block mining scripts in web traffic
  • DNS Filtering - Prevent resolution of mining pool domains
  • Secure Web Gateways (SWG) - Categorize and block cryptomining sites
  • Endpoint Protection - Detect and remove cryptomining malware
  • Network Analysis - Identify Stratum protocol traffic to mining pools
  • Cloud Security - Monitor resource consumption anomalies
This test attempts connections to 15 random cryptomining domains. Some may be offline or blocked at the infrastructure level, which is expected and will show as FAILED.
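Identifying Stratum traffic, as the Network Analysis control above asks for, is more reliable than a domain list because pools move domains far more often than they change protocol. The following added example (not Somnium's code) classifies captured connection payloads: Stratum v1 messages carry a JSON-RPC `method` such as `mining.subscribe` or `mining.authorize`, and the Monero-pool variant used by XMRig opens with a `login` method whose params include a wallet, password and agent string. Destination port is used only as a secondary signal. The flows, placeholder wallet and worker values, and the port set beyond 3333 and 8333 (which this page names) are constructed assumptions to be tuned from your own telemetry.

```python
import json

# Constructed sample flows: destination port plus the first line of TCP payload, as a
# sensor might extract it. Wallet/worker values are placeholders, not real identifiers.
SAMPLE_FLOWS = [
    {"dst_port": 3333, "payload": '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}'},
    {"dst_port": 3333, "payload": '{"id": 2, "method": "mining.authorize", "params": ["WORKER_PLACEHOLDER.rig1", "x"]}'},
    {"dst_port": 443,  "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}'},
    {"dst_port": 8545, "payload": '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'},
    {"dst_port": 80,   "payload": 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'},
    {"dst_port": 4444, "payload": ''},
]

# Stratum v1 method names used by the classic pool protocol (client and server side).
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Agent prefixes announced by widely used miner software.
MINER_AGENT_PREFIXES = ("xmrig", "cpuminer", "ccminer", "cgminer", "bfgminer")
# 3333 and 8333 are the ports this page names; the rest are commonly seen pool ports
# (assumption, not a complete list) and should be extended from local observation.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8333, 14444}


def classify_payload(payload):
    """Return a short reason if the payload is a Stratum mining message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:            # not JSON at all (HTTP, TLS, empty payload, ...)
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_METHODS:
        return f"stratum method {method}"
    # Monero pools use a JSON-RPC "login" whose params carry wallet, password and agent
    if method == "login" and isinstance(params, dict):
        agent = str(params.get("agent", ""))
        if agent.lower().startswith(MINER_AGENT_PREFIXES):
            return f"miner login agent {agent}"
        if {"login", "pass", "algo"}.issubset(params):
            return "xmrig-style login without known agent"
    return None


def score_flow(flow):
    """Combine payload recognition with the destination port into a verdict."""
    reason = classify_payload(flow["payload"])
    pool_port = flow["dst_port"] in COMMON_POOL_PORTS
    if reason:
        return {"verdict": "mining", "reason": reason, "pool_port": pool_port}
    if pool_port:
        return {"verdict": "suspicious",
                "reason": "common pool port, payload not recognised (possibly TLS)",
                "pool_port": True}
    return {"verdict": "benign", "reason": None, "pool_port": False}


def detect(flows):
    """Score every flow; callers usually alert on 'mining' and review 'suspicious'."""
    return [score_flow(f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, detect(SAMPLE_FLOWS)):
        print(flow["dst_port"], verdict["verdict"], verdict["reason"])
```

The third sample flow is the case a port-only rule misses: an XMRig login to a pool listening on 443. Conversely, Stratum over TLS hides the payload entirely, which is why the port heuristic is kept as a fallback that produces a review item rather than an alert; pair it with the sustained-connection and CPU indicators listed under What to Monitor.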

Performance Impact Indicators

Signs of active cryptomining in your environment:
  • Sustained high CPU/GPU usage (70-100%)
  • Increased system temperature and fan noise
  • Degraded application performance
  • Higher than normal electricity consumption
  • Network traffic to known mining pools
  • Processes named similar to legitimate system services
