arxiv: 2605.03770 · v2 · submitted 2026-05-05 · 💻 cs.CR · cs.SE

Firmware Distribution as Attack Surface: A Security Study of ASIC Cryptocurrency Miners

Pith reviewed 2026-05-08 18:27 UTC · model grok-4.3

classification 💻 cs.CR cs.SE
keywords ASIC cryptocurrency miners · firmware security · attack surface · static analysis · blockchain infrastructure · Stratum protocol · firmware phishing · cryptocurrency mining

The pith

Publicly available firmware for ASIC cryptocurrency miners reveals exploitable weaknesses that enable large-scale remote attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper argues that the way firmware for ASIC cryptocurrency miners is distributed and made public creates a fundamental security problem. By gathering and examining 134 firmware images from the main manufacturers, the authors show that these files alone let an analyst recover how the devices work internally, spot weaknesses, and map out full attack sequences. The study covers manufacturers responsible for over 99 percent of active mining hardware. The key point is that no physical device or live connection is needed to do this analysis. A reader would care because these machines convert electricity into the computational power that secures major blockchains, so widespread compromise could affect both economic value and network reliability.

Core claim

The paper claims that the firmware distribution ecosystem of ASIC cryptocurrency miners fundamentally challenges existing trust assumptions. Applying a methodology of collecting and statically analyzing 134 publicly distributed firmware images from manufacturers that account for over 99 percent of deployed devices, it demonstrates that these artifacts alone are sufficient to recover internal architecture, identify security weaknesses, and reconstruct complete attack paths. In particular, the analysis identifies vulnerabilities enabling realistic large-scale attack scenarios such as firmware phishing and the exploitation of miners still operating over Stratum V1. Validation performed on two real

What carries the argument

A scalable methodology based on the collection and static analysis of publicly distributed firmware artifacts that requires neither device access nor runtime interaction.

Load-bearing premise

That the 134 collected public firmware images are representative of the software running on the vast majority of deployed devices and that the statically identified weaknesses translate directly into practical, remotely exploitable attacks without additional runtime or hardware-specific barriers.

What would settle it

Finding that the vulnerabilities identified through static analysis of the public firmware images do not exist or cannot be turned into working remote attacks when tested on actual deployed miners would disprove the central claim.

Figures

Figures reproduced from arXiv: 2605.03770 by Antoine Houssais, David Naccache, Hadrien Barral, Pierre Pouliquen, Thibaut Heckmann.

Figure 1: Layered software architecture of a cryptocurrency mining firmware.
Figure 2: Structured view of the attack pipeline linking entry points, vulnerabilities, capabilities, and attacker objectives. This figure does not aim to exhaustively
Figure 3: Attacker perspective: gaining access to the miner network and po
Figure 4: Distribution of commercially available ASIC miners models per
Figure 6: Distribution of collected firmware-related artifacts before filtering.
Figure 7: Warning displayed on the official Canaan support website in 2025,
Figure 8: Attacker pipeline from initial access to final objectives.
Figure 9: Analysis pipeline.
Original abstract

ASIC cryptocurrency miners are a core component of blockchain infrastructures, directly converting computation and energy into monetary value. Despite their economic importance, their security is rarely evaluated in a structured manner. In this paper, we show that the firmware distribution ecosystem of mining devices fundamentally challenges existing trust assumptions. We introduce a scalable methodology based on the collection and static analysis of publicly distributed firmware artifacts, requiring neither device access nor runtime interaction. Applying this approach, we reconstruct and analyze 134 firmware images spanning manufacturers that account for over 99% of deployed miners (Bitmain, MicroBT, Canaan, Iceriver). Our results reveal that firmware artifacts alone are sufficient to recover internal architecture, identify security weaknesses, and reconstruct complete attack paths leading to high-impact adversarial objectives. In particular, our analysis reveals vulnerabilities that enable realistic large-scale attack scenarios, including firmware phishing and the exploitation of miners still operating over Stratum V1. Validation on two real devices confirms that publicly distributed artifacts closely reflect deployed software and that these weaknesses translate into attack capabilities. Overall, our study shows that firmware distribution mechanisms themselves constitute a primary attack surface, significantly lowering the barrier to compromise in the ASIC mining ecosystem.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper claims that the firmware distribution ecosystem for ASIC cryptocurrency miners constitutes a primary attack surface. Through collection and static analysis of 134 publicly available firmware images from manufacturers (Bitmain, MicroBT, Canaan, Iceriver) representing over 99% of deployed devices, the authors recover internal architectures, identify security weaknesses, and reconstruct complete attack paths (including firmware phishing and Stratum V1 exploitation) without requiring device access. Validation on two real devices is presented as confirming that public artifacts reflect deployed software and that the weaknesses enable practical attacks.

Significance. If the central claims hold, the work is significant for empirically demonstrating how publicly distributed firmware artifacts alone suffice to map and exploit vulnerabilities in a critical blockchain infrastructure component at scale. The broad market coverage, concrete reconstruction of high-impact attack scenarios, and use of real-device validation provide actionable insights that could influence firmware security practices and trust models in the ASIC mining ecosystem.

major comments (1)
  1. [Abstract and validation description] Abstract and validation description: the assertion that analysis of the 134 images plus validation on two devices confirms representativeness for >99% market coverage and direct translation of static weaknesses into remotely exploitable attacks is load-bearing for the central claim. The small validation sample does not address potential hardware-specific barriers, runtime configurations, or firmware variants across manufacturers, leaving generalizability of the reconstructed attack paths (e.g., large-scale Stratum V1 exploitation) incompletely demonstrated.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback and positive evaluation of the work's significance. We address the single major comment below, providing clarification on our methodology and validation approach while proposing targeted revisions to improve the manuscript.

read point-by-point responses
  1. Referee: [Abstract and validation description] Abstract and validation description: the assertion that analysis of the 134 images plus validation on two devices confirms representativeness for >99% market coverage and direct translation of static weaknesses into remotely exploitable attacks is load-bearing for the central claim. The small validation sample does not address potential hardware-specific barriers, runtime configurations, or firmware variants across manufacturers, leaving generalizability of the reconstructed attack paths (e.g., large-scale Stratum V1 exploitation) incompletely demonstrated.

    Authors: We appreciate the referee highlighting the need for stronger justification of representativeness and generalizability. The >99% market coverage claim is grounded in independent industry reports on manufacturer deployment shares (Bitmain, MicroBT, Canaan, Iceriver), not in the number of physically validated devices. Our dataset of 134 firmware images was collected directly from the public distribution channels of these manufacturers and includes multiple versions and models per vendor, providing broad coverage of the firmware variants in circulation. The two-device validation was designed to confirm that publicly released artifacts accurately mirror deployed software and that statically identified weaknesses are practically exploitable, with devices selected from different manufacturers to offer limited cross-vendor insight. We agree that the validation sample size limits strong claims about every possible hardware-specific barrier or runtime configuration. Firmware phishing attacks, for example, depend primarily on distribution mechanisms rather than hardware details. Stratum V1 support is a protocol-level issue present across many collected images. We will revise the abstract, validation section, and discussion to (a) explicitly separate the market-share basis for coverage from the validation sample, (b) detail device selection criteria, and (c) add an explicit limitations paragraph addressing potential variations in runtime behavior and firmware variants. These changes will temper the generalizability language without altering the core empirical contribution.

    revision: partial

Circularity Check

0 steps flagged

No circularity: purely empirical collection and static analysis

full rationale

The paper performs an empirical security study by collecting 134 publicly available firmware images from four manufacturers and applying static analysis to recover architecture and identify weaknesses. No mathematical derivations, equations, fitted parameters, or predictions appear in the provided text. Validation on two physical devices serves as external confirmation rather than a self-referential loop. No self-citations are invoked as load-bearing uniqueness theorems or ansatzes. The central claims rest on direct observation of external artifacts, making the work self-contained against benchmarks with no reduction of outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on two domain assumptions: that publicly distributed firmware accurately represents deployed software and that static analysis can reliably identify exploitable weaknesses and attack paths. No free parameters or invented entities are introduced.

axioms (2)
  • domain assumption Publicly distributed firmware artifacts accurately reflect the software running on deployed mining devices.
    Invoked when generalizing from 134 images to the broader ecosystem; partially supported by validation on two devices.
  • domain assumption Static analysis of firmware binaries is sufficient to recover architecture and reconstruct practical attack paths.
    Core premise of the scalable methodology that requires neither device access nor runtime interaction.


Appendix A: Open Science

This work contributes a reproducible methodology for large-scale security analysis of cryptocurrency mining firmware based on publicly accessible distribution artifacts. To...