Chinese Bitcoin Miners Hit by Ransomware Attack Demanding 10 BTC, Threatening Their Machines

Francisco Memoria

A mysterious hacker has reportedly installed a virus on the ASIC mining machines of various bitcoin miners in China, demanding that they either pay a 10 BTC ($36,000) ransom or infect others with the virus to avoid losing their machines and facilities.

According to an anonymous bitcoin miner going by cC, who spoke to local news outlet Yibenchain, the management interface in some of his Antminer mining machines “suddenly turned green with an ant in the middle and mining pickaxes on both sides.”

Clicking on the green screen brought up a popup message, written in both English and Chinese, that threatened the miner and his operation.

The ransom note miners received

The message reads:

I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer’s fan and overheat protection, which will cause you to burn your machine or will burn the house.

It goes on to ask the miner either to download a specific firmware that will update their machines so they infect others within the network, or to pay the hacker a 10 BTC ransom, worth about $36,000 at press time, for the attacks to stop.

Given the virus’ name and nature, it appears to only affect Antminers. Per Jiang Zhuoer, the founder of prominent cryptocurrency mining pool BTC.Top, his firm has been tracking the virus for “a long time,” and has detected it on various machines, including the Antminer S9 and T9, as well as on the Litecoin L3+ miner.

Speaking to local news outlet 8BTC, he revealed it’s a Linux-based miner. Per cC, despite the threats it makes it doesn’t seem to be very profitable, as “it’s not difficult to fix the infection.” To get rid of it miners have to format their machines – which reportedly takes 4 days – or replace their “byte libraries” and control panels.

Per Zhuoer, the infection likely came from overclocking firmware, released by anonymous developers. Overclocking ASIC mining machines allows miners to get a better hashrate out of them, but increases power consumption and shortens their lifespan.

The hacker(s) behind hAnt, Zhuoer added, is likely not Chinese, although the infection is spreading through Baidu. According to 8BTC’s translation, he said:

It suggests two possibilities – the hacker is deliberately targeting China where bitcoin mines are concentrated; Second, Chinese miners inadvertently helped spread the virus before they realized the[ir] overclocked firmware was infected.

Dealing With the Infection

According to the news outlet, while miners decide whether to comply with the demands or remove the infection, the hackers still make sure they get paid: they change the address to which the coins are mined to one they own, often late at night, so the miners lose hours of revenue.

In some cases, the hacker has changed the address for only a few hours per day to avoid detection while stealing as much of the mining rewards as possible. The report claims a few hours could net the hacker $355 if they infect large mining farms.
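One defensive check the report's account suggests, as an added example that is not from the article or from any of the firms it cites: a monitor that diffs an Antminer's pool settings against the farm's allow-list and reports how long the payout was redirected. The cgminer-style JSON layout, the pool URL and the worker names below are assumptions and constructed sample values, not taken from the report.

```python
import json
from datetime import datetime, timedelta

# Allow-list of (pool URL, worker/payout name) for this farm (constructed values).
EXPECTED_POOLS = {("stratum+tcp://pool.example.com:3333", "farm.worker01")}

def parse_pools(cgminer_conf: str) -> set:
    """Return {(url, user)} from a cgminer-style JSON config.
    Antminer units keep their pools in a JSON "pools" array; the exact
    field names are assumed here, not taken from the original report."""
    cfg = json.loads(cgminer_conf)
    return {(p.get("url", ""), p.get("user", "")) for p in cfg.get("pools", [])}

def foreign_pools(cgminer_conf: str) -> set:
    """Pools present in the config but missing from the allow-list."""
    return parse_pools(cgminer_conf) - EXPECTED_POOLS

def tamper_windows(snapshots):
    """Given [(timestamp, config_text), ...] in time order, return
    [(start, end, pools)] windows in which the config pointed at a pool or
    worker that is not ours. 'end' is the first clean snapshot afterwards
    (None if still redirected), so end - start bounds the lost revenue."""
    windows, start, seen = [], None, set()
    for ts, conf in snapshots:
        bad = foreign_pools(conf)
        if bad:
            if start is None:
                start = ts
            seen |= bad
        elif start is not None:
            windows.append((start, ts, frozenset(seen)))
            start, seen = None, set()
    if start is not None:
        windows.append((start, None, frozenset(seen)))
    return windows

def _conf(user: str) -> str:
    # Constructed config text in the assumed cgminer layout.
    pool = {"url": "stratum+tcp://pool.example.com:3333", "user": user, "pass": "x"}
    return json.dumps({"pools": [pool], "api-listen": True})

# Constructed hourly snapshots: the worker is swapped at 02:00 and restored
# at 05:00, mirroring the "few hours late at night" pattern the report describes.
T0 = datetime(2019, 1, 15, 0, 0)
SAMPLE_SNAPSHOTS = [(T0 + timedelta(hours=h),
                     _conf("attacker.wallet" if 2 <= h < 5 else "farm.worker01"))
                    for h in range(8)]

if __name__ == "__main__":
    for start, end, pools in tamper_windows(SAMPLE_SNAPSHOTS):
        print(f"{start} -> {end}: mining to {sorted(pools)}")
```

Run the same check against a real unit by feeding it periodic copies of the miner's pool configuration instead of the constructed snapshots.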

To avoid being infected, Zhuoer suggested not installing third-party firmware and regularly changing the login passwords of the routers miners use in their networks. On a machine that is already infected this will not help, as some of hAnt's variants are reportedly able to record password changes.

Viruses targeting cryptocurrency users aren't new. Recently, a package of extensive exploits found in a fake copy of a torrented movie was found to be falsifying search results and redirecting cryptocurrency payments. Bitcoin-stealing malware has even been found in cheats for the popular game ‘Fortnite.’