Connect with us


Crooks use the bitcoin blockchain to protect their botnets from takedown



When hackers corral infected computers into a botnet, they take special care to ensure they don’t lose control of the server that sends commands and updates to the compromised devices. The precautions are designed to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that administers them in a process known as sinkholing.

Recently, a botnet that researchers have been following for about two years began using a new way to prevent command-and-control server takedowns: by camouflaging one of its IP addresses in the bitcoin blockchain.

Impossible to block, censor, or take down

When things are working normally, infected machines will report to the hardwired control server to receive instructions and malware updates. In the event that server gets sinkholed, however, the botnet will find the IP address for the backup server encoded in the bitcoin blockchain, a decentralized ledger that tracks all transactions made using the digital currency.

By having a server the botnet can fall back on, the operators prevent the infected systems from being orphaned. Storing the address in the blockchain ensures it can never be changed, deleted, or blocked, as is sometimes the case when hackers use more traditional backup methods.

“What’s different here is that typically in those cases there’s some centralized authority that’s sitting on the top,” said Chad Seaman, a researcher at Akamai, the content delivery network that made the discovery. “In this case, they’re utilizing a decentralized system. You can’t take it down. You can’t censor it. It’s there.”

Converting Satoshi values

An Internet protocol address is a numerical label that maps the network location of devices connected to the Internet. An IP version 4 address is a 32-bit number that’s stored in four octets. The current IP address for, for instance, is, with each octet separated by a dot. (IPv6 addresses are out of the scope of this post.)

The botnet observed by Akamai stored the backup server IP address in the two most recent transactions posted to 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq, a bitcoin wallet address selected by the operators. The most recent transaction provided the third and fourth octets, while the second most recent transaction provided the first and second octets.

The octets are encoded in the transaction as a “Satoshi value,” which is one hundred millionth of a bitcoin (0.00000001 BTC) and currently the smallest unit of the bitcoin currency that can be recorded on the blockchain. To decode the IP address, the botnet malware converts each Satoshi value into a hexadecimal representation. The representation is then broken up into two bytes, with each one being converted to its corresponding integer.

The image below depicts a portion of a bash script that the malware uses in the conversion process. aa shows the bitcoin wallet address chosen by the operators, bb contains the endpoint that looks up the two most recent transactions, and cc shows the commands that convert the Satoshi values to the IP address of the backup server.


If the script was converted into Python code, it would look like this:


The Satoshi values in the two most recent wallet transactions are 6957 and 36305. When converted, the IP address is:

In a blog post being published on Tuesday, Akamai researchers explain it this way:

Knowing this, let’s look at the values of these transactions and convert them into IP address octets. The most recent transaction has a value of 6,957 Satoshis, converting this integer value into its hexadecimal representation results in the value 0x1b2d. Taking the first byte (0x1b) and converting it into an integer results in the number 45—this will be the 3rd octet of our final IP address. Taking the second byte (0x2d) and converting it into an integer results in the number 27, which will become the 4th octet in our final IP address.

The same process is done with the second transaction to obtain the first and second octets of the C2 IP address. In this case, the value of the second transaction is 36,305 Satoshis. This value converted to its hexadecimal representation results in the hex value of 0x8dd1. The first byte (0x8d), and the second byte (0xd1), are then converted into integers. This results in the decimal numbers 141 and 209 which are the second and first octets of the C2 IP address respectively. Putting the four generated octets together in their respective order results in the final C2 IP address of

Here’s a representation of the conversion process:


Not entirely new

While Akamai researchers say they have never before seen a botnet in the wild using a decentralized blockchain to store server addresses, they were able to find this research that demonstrates a fully functional command server built on top of the blockchain for the Ethereum cryptocurrency.

“By leveraging the blockchain as intermediate, the infrastructure is virtually unstoppable, dealing with most of the shortcoming of regular malicious infrastructures,” wrote Omer Zoha, the researcher who devised the proof-of-concept control server lookup.

Criminals already had other covert means for infected bots to locate command servers. For example, VPNFilter, the malware that Russian government-backed hackers used to infect 500,000 home and small office routers in 2018, relied on GPS values stored in images stored on to locate servers where later-stage payloads were available. In the event the images were removed, VPNFilter used a backup method that was embedded in a server at

Malware from Turla, another hacking group backed by the Russian government, located its control server using comments posted in Britney Spears’ official Instagram account.

The botnet Akamai analyzed uses the computing resources and electricity supply of infected machines to mine the Monero cryptocurrency. In 2019, researchers from Trend Micro published this detailed writeup on its capabilities. Akamai estimates that, at current Monero prices, the botnet has mined about $4,300 worth of the digital coin.

Cheap to disrupt, costly to restore

In theory, blockchain-based obfuscation of control server addresses can make takedowns much harder. In the case here, disruptions are simple, since sending a single Satoshi to the attacker’s wallet will change the IP address that the botnet malware calculates.

With a Satoshi valued at .0004 cent (at the time of research, anyway), $1 would allow 2,500 disruption transactions to be placed in the wallet. The attackers, meanwhile, would have to deposit 43,262 Satoshis, or about $16.50, to recover control of their botnet.

There’s yet another way to defeat the blockchain-based resilience measure. The fallback measure activates only when the primary control server fails to establish a connection or it returns an HTTP status code other than 200 or 405.

“If sinkhole operators successfully sinkhole the primary infrastructure for these infections, they only need to respond with a 200 status code for all incoming requests to prevent the existing infection from
failing over to using the BTC backup IP address,” Akamai researcher Evyatar Salas explained in Tuesday’s post.

“There are improvements that can be made, which we’ve excluded from this write-up to avoid providing pointers and feedback to the botnet developers,” Salas added. “Adoption of this technique could be very problematic, and it will likely gain popularity in the near future.”

Continue Reading


Samsung will soon ship Micro LED TVs, but Mini LED still leads the lineup



It’s that time of year when many TV manufacturers begin announcing prices for and shipping their annual product refreshes. We took a look at Sony’s OLED lineup yesterday, and today we’re turning our attention to Samsung, which just announced imminent availability (most models will start shipping this month) for its high-end Micro LED and Mini LED TV lineup.

We’ll get to Micro LED in a minute, but let’s start with the mainstream high end, which comprises the Mini LED TVs. Samsung is giving these a proprietary “Neo QLED” label.

The top-end QN900A is the most tricked-out 8K option, with 65-inch ($5,000), 75-inch ($7,000), and 85-inch options ($9,000). One step down while keeping the 8K banner flying is the QN800A, offered in the same sizes but at $3,500, $4,700, and $6,500, respectively.

Since there’s hardly any 8K content out there to enjoy, most people who aren’t just looking for bragging rights will want to opt for the 4K models. The flagship there is the QN90A, at 55 inches ($1,800), 65 inches ($2,600), 75 inches ($3,500), and 85 inches ($5,000).

One step down gets you the QN85A, which comes in the same sizes as the QN90A at $1,600, $2,200, $3,000, and $4,500.

Across the new TVs offered, we’re looking at the usual specs for high-end TVs in 2021 regardless of manufacturer, including HDMI 2.1 with all the features you expect to come with it, like VRR, 4K120, ALLM, and eARC. There’s also Filmmaker Mode, and a one-stop pop-up menu for accessing HDMI 2.1 and gaming-related features like VRR. (LG introduced something similar in its 2021 TVs.)

And as usual, Samsung isn’t playing ball with Dolby, so there’s no support for Dolby Vision HDR (or Atmos, for that matter). Rather, you’ll have to lean on either the just-as-good-in-most-cases-but-inferior-in-some-situations HDR-10 standard, as well as HDR-10+, which remains a little light on content.

And of course, like every other big 2021 TV, the new Mini LED sets will feature an improved AI processor that does video and audio processing to maximize the wow factor.

The other big news with the 2021 TVs is that Samsung is (sort of) walking back a widely criticized move it made to its lineup in 2020. That was when the company actually downgraded the number of dimming zones and some other features in its 4K TVs relative to their 2019 predecessors in favor of pushing the envelope in its 8K portfolio instead.

The 8K TVs still have more dimming zones, but we’re not looking at a huge year-over-year drop like last time. That’s because Samsung’s new 4K models will also feature Mini LED tech just like the 8K TVs—which wasn’t a forgone conclusion, given what happened last year.

Explaining Micro LED and Samsung’s OLED-busting strategy

Samsung says its less expensive TVs will launch later in the year, and it didn’t provide any information that we didn’t already see at the Consumer Electronics Show in January.

While much of the hype in the world of TVs is currently focused on OLED, Samsung’s LCD TVs remain the bestselling TVs in many regions, and in-depth technical reviewers like Rtings pretty consistently name Samsung’s sets as the best non-OLED ones available in terms of picture quality, albeit not always in bang-for-buck. Samsung doesn’t even make OLED TVs, though it produces OLED panels for other products.

And to potentially battle OLED in the long term, Samsung is relying on Micro LED technology, which has individually emissive pixels just like OLED does. That means Micro LED matches OLED’s chief advantage, which is that pixels of maximum brightness appear right next to pixels that are completely black. But Samsung claims the burn-in risk associated with OLED is not a factor in the same way with Micro LED.

Plus, OLED TVs have been knocked for not matching the HDR peak brightness of the best traditional LED TVs. Micro LED is said to combine the best of both worlds: perfect blacks with very high peak brightness and all the granularity you’d expect in between.

Micro LED TVs have been talked up as the future TV tech for years, and they’ve been commercially available in very limited contexts before, but this year marks Samsung’s first quasi-mainstream attempt to sell a bunch of them.

They still won’t be for everyone, though. They’re sure to be colossally expensive for one thing, but they’ll also only come in 110- and 99-inch sizes to start. Later, we’ll get 88- and 76-inch sizes, but even those are bigger than most people’s living rooms can accommodate.

So for its more mainstream flagship TVs, Samsung is leaning on Mini LED, which is not the same as similarly named Micro LED. Mini LED TVs are still fundamentally the same technology as any other LCD TV the company has sold for years, but with a new approach that allows much more granular backlighting to reduce blooming around bright objects and other problems associated with LCD TVs while still delivering strong peak brightness.

Expect to see the term Mini LED popping up a lot in the very near future, while Micro LED will probably stay out of the mainstream for a while yet. Other companies, like Apple, are bullish on Mini LED and are poised to roll it out in all sorts of products like laptops and tablets in the coming months.

As if the stew of terms like “OLED,” “LED,” “LCD,” “Mini LED,” and “Micro LED” wasn’t confusing enough, Samsung has opted to brand its Mini LED sets “Neo QLED” TVs, which essentially means nothing, except that Samsung wants to claim it’s the only company making “Neo QLED” TVs.

The company called its previous high-end LED TVs “QLED” TVs because of an optimization dubbed quantum dot technology, which was the previous big push to make LCD TVs more competitive with OLED before Mini LED came along. “QLED” will remain the label for the company’s midrange LCD sets.

Listing image by Samsung

Continue Reading


Google-free /e/ OS is now selling preloaded phones in the US, starting at $380



/e/ OS, the “open-source, pro-privacy, and fully degoogled” fork of Android, is coming to Canada and the USA. Of course, you’ve always been able to download the software in any region, but now (as first spotted by It’s Foss News) the e Foundation will start selling preloaded phones in North America. Previously, /e/ only did business in Europe.

Like normal, the e Foundation’s smartphone strategy is to sell refurbished Samsung devices with /e/ pre-loaded. In the US, there are only two phones right now: the Galaxy S9 for $379.99 or a Galaxy S9+ for $429.99. North Americans still have reason to be jealous of Europe, where you can get /e/ preloaded on a Fairphone, which is also Europe-exclusive.

These Samsung phones are used devices, but the site says the devices have “been checked and reconditioned to be fully working at our partner’s facilities.” The phones have a one-year warranty and are described as “Good-as-New” with “no surprises.” An /e/ device means you’ll be getting a fork of Android 10, and for ongoing support, the e Foundation says, “We aim to support with at least 3 years of software updates and security patches.”

/e/ OS was founded by Gaël Duval, the creator of Mandrake Linux, and the project describes itself as a “non-profit project in the public interest.” /e/ is built a lot like a Linux distribution, in that it takes a curated collection of other open source projects, merges them into a single product, and does its best to fill in the remaining gaps. In this case, /e/ is based on LineageOS, the Android community’s open source, device-ready version of Google’s Android source code. The primary contribution of /e/ is filling in all the gaps left by the lack of Google apps, so there’s an /e/ app store, an /e/ cloud storage and account system, and various Google-replacement apps like a Chromium-based browser, an email fork called K-9 Mail, contacts, search, photos, etc. The company is even trying to build a Google Assistant replacement.

Actually getting regular Android apps to run on a forked version of Android is a challenge. Google Play Services is built into many apps for things like push notifications, and there’s a good chance that functionality won’t work on /e/ OS. These apps will at least run on /e/ OS instead of exiting outright, thanks to the inclusion of MicroG, an open source project that hijacks Google API calls.

/e/’s communication problems

This is a slight digression, but I can’t seem to find a first-party source for this news, which is just another example of how incredibly frustrating it can be to try to follow or cover /e/ OS. The name “/e/ OS” doesn’t really work on search engines—slashes are usually not a valid character for a search, and you’re left searching for a single-letter OS, which works very poorly. You can nail the official home page of the e Foundation, but search engines quickly move on to other things that contain the letter “e,” so it’s harder than it needs to be to bring up news or other ancillary information about the OS.

The e Foundation webpage doesn’t show any news or have a blog (there is a dead news section here), and the official /e/ Twitter never announced US sales. The “Follow us” footer on the e Foundation page lists a Medium blog, but the icon goes to the wrong link: this empty blog instead of this active blog, but the active /e/ blog doesn’t mention this news, either.

Clearly part of what the e Foundation wants to accomplish is building a wider movement of respecting privacy and pushing back against data collection companies, but step one of a movement like this needs to be communication, and /e/ seems very bad at communication. How is anyone supposed to find this stuff out?

There’s a chance you don’t have to actually buy a phone to run /e/ OS. Just like with Lineage, you can install the OS at home, for free, if you have a compatible device. There are 138 devices officially supported by /e/ OS (oddly no Pixel phones, which are probably the most popular unlocked devices), although only about 60 are on the latest version. There is even an “Easy Installer” for some Samsung Exynos devices.

Listing image by e Foundation

Continue Reading


Minisforum U850—solid hardware and easy upgrades in a little box



Earlier this month, we teased the announcement of a new model of mini-PC from specialty vendor Minisforum. Today, we’re taking a look at the results of some hands-on testing of the Minisforum U850, configured with a Comet Lake i5 CPU, 16GiB RAM, and a 256GB Kingston NVMe SSD.

The U850 is an aggressively generalist mini-PC, and it can tackle most roles—its dual network interfaces make it a good candidate for a high-performance router, and its combination of tons of USB ports, HDMI and DisplayPort video out, and surprisingly fast storage make it an excellent little desktop PC.

Specs at a glance: U820 / U850
CPU Intel i5-8249U (U820)
Intel i5-10210U (U850)
OS Windows 10 Pro (pre-installed) / Linux supported
GPU Intel Iris+ 655 (U820)
Intel UHD 630 (U850)
Wi-Fi M.2 Intel AX200 Wi-Fi 6, dual-band + BlueTooth 5.1
SSD M.2 2280 512GB NVMe SSD
  • two SATA ports
  • one full-size HDMI 2.0
  • one full-size DisplayPort
  • one USB-C (full featured)
  • one USB-C (charge only)
  • four USB3.1 Type-A
  • one 1Gbps Ethernet (Realtek 8111H)
  • one 2.5Gbps Ethernet (Intel)
  • one 3.5 mm audio
  • one Digital Mic
Price as specified $639 (U820) / $699 (U850)

The only role the U850 might play that we’d advise some caution with is home theater PC (HTPC)—although it’s powerful enough to do the job, its fan noise when under load is loud enough that it might annoy the sorts of people who tend to want a small, unobtrusive HTPC in the first place.

Specifications and overview

The review unit we received was a U850 with the Comet Lake i5-10210U CPU. It matches the specs above except for storage, which is a 256GB Kingston Design-In NVMe SSD. The smaller SSD isn’t “cheating” on Minisforum’s part, by the way—it’s a configurable option on the order page, which knocks $40 off the otherwise $699 (US) purchase price.

The easiest way to describe the U850 is “midgrade laptop in a cube form factor,” so—along with the similarly designed but much less powerful Seeed Odyssey—that’s just what we compared it to in our benchmark tests.

With the i5-10210U’s wimpy UHD 630 graphics, you shouldn’t expect to do any gaming on the U850—but it holds its own on video playback and general CPU related tasks. In terms of performance, it also wipes the floor all the way around with the Seeed Odyssey mini-PC.

The one area where the Seeed Odyssey takes the prize from the Minisforum U850 is noise. We wouldn’t call the U850 obnoxious, but it does make a significant amount of fan noise whenever the processor spins up. It’s a clean whoosh, but it’s a very noticeable one, even in an office packed with other PCs. This probably isn’t something that can be avoided with a Comet Lake CPU in a small form factor; laptops with this CPU are just as noisy.


Minisforum’s U850 performs just as you’d expect a laptop armed with a Comet Lake i5-10210U to perform—middling-well for a laptop, though considerably better than many competing VESA-mountable PCs, which tend toward lower-powered CPUs such as Celeron, Pentium Silver, and so forth.

The Passmark CPU benchmark doesn’t show a considerable difference between the U850’s Comet Lake and the Gateway’s Ice Lake CPU—which is a shame, given that the Gateway’s Ice Lake has an enormously better GPU. Cinebench R20 and Geekbench 5 both show a much more marked preference for the Comet Lake, though.

There’s always a lot less to look at in single-threaded performance than multithreaded. Passmark, Cinebench R20, and Geekbench 5 all largely agree—there’s a noticeably bigger difference between the Ryzen 4700u and the Intel i5 CPUs than there is between the Comet Lake and Ice Lake i5 CPUs themselves.

Cinebench and Geekbench both show a noticeably bigger advantage for the Ryzen than Passmark does. But the most important difference here is between the three at the top and the Celeron-powered Seeed Odyssey limping along in the background, with a bit less than half the score of its closest competitor in any single-threaded test here.

This shouldn’t really be taken as a knock against the Odyssey itself—after all, it also sells for a bit less than half the cost of anything else on these charts. It also comes closer to being silent—it does have a fan, but that fan doesn’t need to do as much work as the ones on the laptops, and the result is audible.

We should also point out that the Odyssey made, in our opinion, a perfectly usable budget desktop PC. This puts the performance of the U850—and the two laptops it’s competing more closely with—in perspective. At more than double the single- and multithreaded performance of the Odyssey, the U850 isn’t just a usable desktop PC—it’s a solid one.

AAA gaming on the U850 is a bad idea, and we don’t recommend it. The Acer Swift at the top of these charts is not very good at gaming. The Gateway i5 and Minisforum i5 machines are absolutely terrible at it. Casual games will probably work OK, as well as games 10 or more years old. But that’s about it.

In addition to Time Spy, we ran the much less demanding Night Raid benchmark. Night Raid is specifically targeted at PCs with integrated graphics, which didn’t keep the i5 Gateway and i5 Minisforum from tripping over their own feet running it as well. The numbers you see on those scores translate to a very painful 5-7 frames per second in Night Raid’s demo mode at 1080p. Yuck.

We don’t have any gaming benchmarks for the Celeron-powered Odyssey, and we didn’t want to generate any—so we subbed in a Ryzen 3200U-powered low-end Gateway laptop. The i5 machines did better than the low-end Gateway, but that’s a very low bar to clear.

Continue Reading