A tl;dr on Antbleed

WhaleCalls
Apr 27, 2017

Earlier today, April 26th, antbleed.com was purchased, a Twitter account was activated and a news bombshell was released exposing a backdoor built into all recently released Bitmain miners, or those that recently updated their firmware.

(named after the Heartbleed bug of the not-so-distant past)

In typical crypto fashion, this blew up fast and people are writing their own tin-foil-hat theories on social media. Our goal is to help a few people understand what they are looking at and form informed opinions.

How it works

The firmware spawns a thread that calls the send_mac function which, as the name implies, sends data about the machine to the AUTH_URL, auth.minerlink.com. The device then attempts to receive data from the server and checks whether the response is “false”. If it is, the function returns true, which sets the stop_mining global variable to true.

When that variable is true, the temperature-checking thread sets the status_error global variable to true. That in turn tells the work-update function not to send out jobs, so the miner stops mining.

Specifically, this lives in the main driver file at https://github.com/bitmaintech/bmminer/blob/master/driver-btm-c5.c

Exposure

While it is on by default, it can only be activated from auth.minerlink.com and cannot be configured differently. A MITM attack or DNS spoofing could serve as an attack vector. However, large mining operations do not give their miners direct access to the internet, usually routing them through a proxy or stratum, so this surface is “not that large”.

edit: for the purposes of this post we are defining “attack vector” as “accessible and executable by an external third party”.

Fix

1. Antbleed.com's suggested fix is to redirect auth.minerlink.com to 127.0.0.1 in the /etc/hosts file on the miner (or on the edge router), so the polling call simply loops back. No harm, no foul: the miner keeps working as normal.

2. You can patch, compile and flash the firmware yourself to remove this hook, or wait until a patch is officially released. Note: we heard that someone has already compiled a patch and is distributing it, but we could not find a git repository to inspect at the time of this writing.
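As an added example (this is not antbleed.com's or Bitmain's own script), here is a POSIX shell script that applies fix 1 the way you would want to apply it across a fleet: it pins auth.minerlink.com to loopback in a hosts file, refuses to clobber an existing non-loopback mapping, is idempotent, and verifies the pin afterwards, so the send_mac poll described above never leaves the box. The HOSTS_FILE variable, the function names and the sample entries are assumptions of this example, not anything from the firmware or from antbleed.com.

```shell
#!/bin/sh
# Added example, not Bitmain's or antbleed.com's code: pin auth.minerlink.com
# to loopback in a hosts file and verify the pin. HOSTS_FILE is a parameter
# (an assumption of this example) so the logic can be exercised on a copy
# before touching /etc/hosts on a miner or edge router.

KILL_SWITCH_HOST="auth.minerlink.com"

# Print every address a hosts file maps HOST to. Comments are stripped and
# the name must match a whole alias field, so "xauth.minerlink.com" or a
# commented-out line does not count.
hosts_lookup() {
    hosts_file="$1"; host="$2"
    sed 's/#.*//' "$hosts_file" | awk -v h="$host" '
        { for (i = 2; i <= NF; i++) if ($i == h) print $1 }'
}

# Return 0 if HOST is mapped to loopback and to nothing else, 1 otherwise.
# A second, non-loopback mapping would still let the poll reach a remote host.
is_pinned_to_loopback() {
    hosts_file="$1"; host="$2"
    addrs=$(hosts_lookup "$hosts_file" "$host")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Idempotently add the loopback pin. Returns 0 if the file now pins the host,
# 1 if a conflicting (non-loopback) entry already exists; someone else's
# entry is reported, not silently rewritten.
pin_to_loopback() {
    hosts_file="$1"; host="$2"
    if is_pinned_to_loopback "$hosts_file" "$host"; then
        return 0
    fi
    if [ -n "$(hosts_lookup "$hosts_file" "$host")" ]; then
        echo "conflicting entry for $host in $hosts_file; refusing to override" >&2
        return 1
    fi
    printf '127.0.0.1 %s # antbleed mitigation\n' "$host" >> "$hosts_file"
    # Re-read the file rather than trusting the append succeeded.
    is_pinned_to_loopback "$hosts_file" "$host"
}

# Stand-alone use on the miner (as root): HOSTS_FILE=/etc/hosts sh pin.sh
if [ -n "${HOSTS_FILE:-}" ]; then
    if pin_to_loopback "$HOSTS_FILE" "$KILL_SWITCH_HOST"; then
        echo "$KILL_SWITCH_HOST pinned to loopback in $HOSTS_FILE"
    else
        exit 1
    fi
fi
```

Because the name is answered from the local file, the miner never sends a DNS query for it, which also takes DNS spoofing of that one name off the table for that host. The pin only helps if the miner's resolver consults /etc/hosts before DNS (the usual nsswitch order), and doing it on the edge router instead requires the equivalent override in the router's own DNS configuration.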

update: Bitmain has made compiled firmware versions containing the fix available here:

Antminer S9 firmware
Antminer T9 firmware
Antminer R4 firmware
Antminer L3 firmware
Antminer L3+ firmware

The various git repos seem to reflect the proper change.

Probable real intent behind this

Bitmain previously planned to launch a service called Minerlink. The service never launched, but it was intended to provide the “real-time miner status remotely”. There was probably a feature that lets you make sure the only miners submitting work for you are your own, hence the need for an auth URL. It is also possible that another feature was to let you remotely stop a machine from mining if it were misbehaving. This would explain why the code was put there in the first place. However, since Minerlink does not exist, this functionality is now a liability and should have been removed long ago.

More concerning facts to come out of this

· https://github.com/bitmaintech/bmminer/issues/7 reports that this issue existed 7 months before this release, and none of the code maintainers made any attempt to explain, improve or remove it.

· Several of the talking heads of crypto and Chinese mining retweeted older cryptic tweets indicating they were aware of the issue months earlier. For something that could have been a very big deal, to have full details and say nothing is arguably just as malicious as anything Bitmain or an attacker might have done.

Also, between the same-day purchase of a domain, a Twitter account, a snazzy logo and knowledgeable Bitcoin devs instantly following it, we have to believe that the publishers also knew about this for some time and planned it out as some form of press release. While I applaud antbleed.com for exposing this backdoor, they fit the same description as the above, so at a minimum they clearly had some motive.

· Having projects be open source gives the community a false sense of security and trust. Just because the code is out there, it is a bad assumption that knowledgeable people have done proper code reviews and patched bugs or exploits. For a series of products that make up roughly 70% of all hash power on the Bitcoin blockchain, that is concerning.

Thanks for reading

If you have enjoyed our article series so far, we accept Bitcoin and Ethereum tips, which go towards funding WhaleCalls project(s).

BTC — 1AbRKiVkbffFAxpJcCHsNAgMB33EWmEiUJ

ETH — 0xf23eb771cc83A36967E80dA3d10881204d442878

update: Bitmain's response confirms our view of their original intent. They have shipped a patch removing this attack vector from production.

edit: caught a “publisher” changing the BTC donation address. Shady. Write yo
