Facebook Breaks Up Cryptocurrency Mining Botnet 'Lecpetex'

Facebook has successfully dismantled a major bitcoin botnet operated by a small team of cyber criminals based in Greece.

Jul 9, 2014 at 6:30 p.m. UTC
Updated Aug 18, 2021 at 3:08 p.m. UTC


The Lecpetex botnet managed to infect 250,000 computers. At its peak it compromised as many as 50,000 Facebook accounts.

Lecpetex propagated through the social media platform using spam messages with malicious code inserted into zipped attachments.

Each zip archive contained an embedded Java file that would download and install a litecoin miner. It would also steal cookies and gain access to the victim's friend list, using it to send out even more spam.

However, mining was not its only function. The botnet was also used to distribute more dangerous malware designed to steal banking details, passwords and bitcoins.
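The lure described above, a zip attachment carrying an embedded Java file, is the kind of artifact a mail or messaging gateway can triage before a user opens it. The following Python is an added example and not code from CoinDesk, Facebook or the Lecpetex investigation; it builds a constructed sample archive in memory and flags entries that look executable by extension, by a double extension disguised as an image or document, or by file signature (the Java class magic and a nested ZIP/JAR container). The indicator lists are assumptions chosen for illustration.

```python
import io
import os
import zipfile

# Constructed indicator lists for this example; tune them to your environment.
RISKY_EXTENSIONS = {".jar", ".class", ".exe", ".scr", ".js", ".vbs", ".bat"}
DECOY_EXTENSIONS = {".jpg", ".png", ".pdf", ".doc"}
# File signatures: compiled Java class file, and ZIP container (a JAR is a ZIP).
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like an executable lure."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension disguised as image/document")
    if head.startswith(CLASS_MAGIC):
        reasons.append("Java class file signature")
    if head.startswith(ZIP_MAGIC) and ext != ".zip":
        reasons.append("nested ZIP/JAR container")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Inspect every file entry of a ZIP held in memory; return {entry: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the signature bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a 'photo' archive that actually carries Java code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_0001.jpg.jar", ZIP_MAGIC + b"\x00" * 20)
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x34")
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in triage_zip(build_sample_lure()).items():
        print(entry, "->", "; ".join(reasons))
```

The check reads only the first four bytes of each entry, so a large archive is cheap to scan; a real gateway would also limit nested-archive depth and total decompressed size before opening anything further.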

My big fat Greek botnet

Facebook detected the Lecpetex botnet months ago and it is believed that it first started spreading in December.

The social media giant says it tracked more than 20 distinct waves of spam sent out by the botnet between December 2013 and June 2014.

On 30th April, Facebook asked the Cybercrime Subdivision of the Greek Police for assistance. Greek investigators managed to catch up with the botnet's authors on 3rd July and they were detained on the same day.

Greek police told Facebook that the perpetrators were in the process of establishing a ‘bitcoin mixing’ service that would enable them to launder the stolen bitcoins.

As Greek police started closing in, the operators left notes for investigators to find on compromised command and control servers.

One such message read:

“Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz [sic].”

Facebook published its findings on the botnet in an extensive blog post.

No word on damage caused

Although Facebook says it learned a few lessons while it dismantled the botnet, there is still no official information on the damage Lecpetex caused.

“Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of litecoin mining software. Ultimately the botnet operators focused on litecoin mining to monetize their pool of infected systems,” the company said.

Although the number of affected PCs is relatively low compared to many other botnets, it's likely that Lecpetex generated some litecoins, though the number is unknown. The ‘bitcoin mixing’ effort cited by Facebook also indicates that bitcoins were likely to have been stolen by the botnet.

According to Greek media reports, the operators of the botnet claimed they were using the data for "research purposes", not monetary gain. The pair were released from custody earlier this week.
