There's Now A Cryptocurrency Created by Participating in DDoS Attacks

What has science done?

Cryptocurrencies like Bitcoin have long been criticized for the absolutely insane amount of electricity and computing resources they require. As of last year, the Bitcoin network—comprised of all the machines on Earth running the Bitcoin software—used 6,000 times more computing power than the world's top 500 supercomputers combined to run the decentralized system that mines and tracks the digital currency.

But while many have tried to come up with constructive ways to utilize all those CPU cycles, two mischievous researchers recently proposed the opposite: A malicious cryptocurrency that can only be mined by participating in digital attacks on other computers.

In a paper presented at the 2016 USENIX computer security symposium, researchers Eric Wustrow and Benjamin VanderSloot propose what they call "DDoSCoin," a theoretical cryptocurrency that uses a "malicious proof-of-work" derived from participating in Distributed Denial of Service (DDoS) attacks, the digital blockades that make websites temporarily unavailable by flooding them with millions of simultaneous requests.

For those unfamiliar, Bitcoin and other blockchain-based currencies are "mined" into existence by a network of powerful machines, which work together to continually solve insanely complex mathematical puzzles. Computing the solutions to those puzzles results in a "proof-of-work," which generates fresh coins and cryptographically ensures their legitimacy to other users through a distributed public ledger called the blockchain.

But instead of the arbitrary math problems used by Bitcoin and its ilk, DDoSCoin's malicious proof-of-work (which the authors call "Proof-of-DDoS") functions by checking the cryptographically-signed responses that a website's server returns whenever a user connects to it. That way, the system can reward users who prove they've participated in an attack by verifying they've flooded the targeted site with enough requests.

When I asked the researchers why (oh god, why) they would unleash such a thing upon the world, their initial emailed response was: "¯\_(ツ)_/¯"


"Other researchers had explored alternate kinds of proof-of-work systems, but we think there's still a lot of possibilities for further efforts," Wustrow told Motherboard in an email. "Proof-of-DDoS might not be a good ultimate end goal, but there are aspects of the idea that may prompt thinking along these or similar lines … We hope that Proof-of-DDoS is eye-catching enough to get people thinking more about these ideas."

The DDoSCoin system also allows its participants to choose specific sites to target through consensus. However, since the proof-of-DDoS concept relies on verifying encrypted TLS connections to a victim website, the participants will only be able to target sites that support those secure connections. Currently, about 56% of Alexa's top million websites support TLS. But that number is expected to increase as the encryption standard becomes more widespread, the researchers say.

The proposal hearkens back to Operation Payback, the DDoS attack led by the nebulous hacktivist collective Anonymous in 2010, which temporarily took down PayPal's website in protest of the company's refusal to process donations to WikiLeaks. Despite the temporary nature of the blockade, many of the digital protest's participants faced jail time before taking a plea bargain in 2013.

While the dynamics of DDoS attacks have changed a lot since 2010, Wustrow thinks that something like DDoSCoin could encourage hacktivists, who might use the system to incentivize others to perform attacks on their behalf.

"However, it's probably still easier and more effective to just pay a 'reputable' botnet to do this for you," he says. "On the other hand, something similar to DDoSCoin might lower the barrier to collecting rewards for DoS attacks, ultimately driving down the cost for hacktivist consumers."

The same could be said for more nefarious criminal hackers and pranksters, who would undoubtedly use something like DDoSCoin to further incentivize harassment, extortion, and state-sponsored cyber attacks.

As for the implications of creating a system designed to encourage malicious digital activity, the researchers insist that even if someone were to actually create their theoretical system, the moral and ethical responsibility of its creators should be considered separately from that of its users.

"I'm not a lawyer, so I won't speak about legal responsibility," says Wustrow. "In our paper we have only attempted to show that the idea is possible; we have not pushed to actually make it a reality today."