Bitcoin Merge Mining Pool

2023-01-12: The pool is currently down while an audit is underway. See news for details.



The pool server is down while it is being rebuilt. This status page exists to keep up to date with progress. Investigation is continuing towards tracking down who infiltrated the server. A forensic examination of the server is underway. For any questions please email admin (at) I encourage any pool user affected by this to email and get in touch. Any other communications medium other than that account does not represent the pool. Any help or advice appreciated.


On 2022-12-27 the pool received the following email:

From: Woon Jin woonjin81 at proton dot me To: admin at mmpool dot org Subject: mmpool info mined block this month Hi my friend My name is Woon Jin - Im security and pentesting enginer and I contact you to explain more about mmpool problems that appear this month First of all keep all your private keys in safe places!. First step for me was to give all credentials to conect to your btc server. The btc server was accesed first with user main, I checked that wallet that was stored local and I see 0 transactions. I copied that wallet and go away for months. I keeped an eye on that public addreses from pool and I see no transactionas from 2016 or 2017 and I go away. after some time I come back and check again that address and I see some coinbase transactions from some block mined. I come back to that btc server and I tried to modified the pool config file but no admin privilege and I tried to got admin privilege with a linux kernel expl. but was a btc server crash first time and then the root privilege escalation was succesful. I put a new mining address and keep waiting months. after a lot of time in a day I received a mining pool notification and bang the block mined. all founds are keeped in safe place. for more details mail me back I attached her the old privat key for your user main. don't forget to check all your devices about security issues and don't forget about ckpool secutiry issues. -----BEGIN OPENSSH PRIVATE KEY----- [redacted] -----END OPENSSH PRIVATE KEY----- Sent with [Proton Mail]( secure email.

I confirmed that the private key was the key to SSH to the server. I replied requesting more information and return of the funds. On 2022-12-28 I received the following:

Hi friend admin Hard time here in Shangqui no job no salary and covid pandemic low money level for people here No more details I have keep you credentials in safe place update software Old software and webs have more bugs Firewall is good to be install update ckpool software netcat works well. Happy year admin Sent with Proton Mail secure email.

I didn't reply to this email but received another on 2023-01-01:

Hi admin No waste time audit source code old scripts expl no public avaiable solo.ckpool.or no firewall ssh open exp no work source no bug has address has IPv6 address 2604:2dc0:100:240f::1 scan hostname: : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 : 80 : TXT : : 22 : TXT : SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 : 80 : TXT : : 443 : TXT : : 443 : TXT : : 3333 : TXT : : 3333 : TXT : : 4334 : TXT : : 4334 : TXT : : 8333 : TXT : : 8333 : TXT : Sent with Proton Mail secure email.

I have heard nothing from them since. I am updating the pool software to remove vulernabilities. Once that is done, the pool will be resumed. The bitcoins stolen by the attacker are not retrievable, if you have resources to track them down from the emails that would be useful. As a pool that shares the distribution of mined bitcoins to the users, so is the loss of mined bitcoins through attacks like this distributed. The block will be treated as unfound and the DGM reward system will treat it as if it had not been mined. This will mean the rewards will continue to be funded to miners in future blocks as the DGM system "catches up" for what looks like an unlucky mining period.

On 2022-01-07 I received an email from a pool user with an attempt to obtain information about the pool operator embedded in the email. I am doing my best at keeping the pool operational, and while I've been running it have been responsible for the distribution of many bitcoins. I appreciate all your patience and use of the pool. I hope we can continue to operate in a fair manner following this.

I've received an email from someone claiming responsibility for stealing the coins, with proof that they obtained access to the server through an exploit. I'll post an update here about the correspondence with them soon. The pool server is currently down while the software and setup is audited.
Unfortunately it looks like the pool backend has been comprimised and the address in the coinbase transaction was changed to one under the attackers control. It looks like they generated an address to be similar to the original pool address. The coins haven been moved from that address, possibly to a coin mixer based on the look of the transactions. The configuration files of the pool were last changed in December 2021, a couple of days after the server experienced a reboot. I'm working on the theory that they were changed by the attacker then. I'm currently analysing the server looking for evidence. There will likely be downtime at some point as I investigate. I'm considering options on how to handle the situation and will post here after discussion with other parties involved in the pool operation and miners. If the attacker is reading this, I implore them to consider returning the funds. This is a small pool operation with a few miners, and the loss of these funds is devastating.
A few days ago block 767395 was found by the pool. The pending block hasn't been released however as there is an issue accessing the funds. The usual mmpool mining address is 1AsghDmUHppnAiWLgEGKdU5spKUAY4MSeD, but the new block was mined to 1AsghDJnwh7VokUonnfwgoAy6f2vRKHhHF. The private key for the latter address is not in the pool wallet. It's been a year since a block was mined and I think at the time the address was changed, and is in a backup pool wallet. I'm currently working through the pool wallets to try and find a wallet that has the private key for the address. I'm concerned that the initial characters of the two addresses is the same - that seems very coincidental but the funds haven't moved so I don't think there's likely to be any malicious change. I hope to report in the next couple of days progress on the search for the key to the address. In the meantime I've changed the pool mining address back to the original address. I'm sorry for the delay as I investigate.
There was a period of downtime today due to network connectivity issues from the server host. This has been resolved and the pool is operational again.
After a long dry run a block has been found. Payments are currently pending, you can request a withdrawal and they'll be processed in approximately 24 hours. Your statistics page will show a list of pending and completed payouts, including transaction id with the payment is released. The pending payout will show the address where the payment will go to. Please check this and if it is not correct, contact the pool admins immediately.
The pool was down temporarily for about 12 hours due to a level 3 global outage across the internet. It is operational again now.