
Posted by jakelsaunders94 12/17/2025

I got hacked: My Hetzner server started mining Monero (blog.jakesaunders.dev)
606 points | 412 comments | page 5
dilippkumar 12/18/2025
I’m sorry you went through this.

But I am interested in the monero aspect here.

Should I treat this as some datapoint on monero’s security having held up well so far?

tgsovlerkhgsel 12/18/2025
> Should I treat this as some datapoint on monero’s security having held up well so far?

No. The reason attackers mine Monero and not some other cryptocurrency isn't the anonymity. Most cryptocurrencies aren't (meaningfully) mineable with CPUs, Monero (apparently) is. There may be others, but I suspect that they either deliver less $ per CPU-second (due to not being valuable), or are sufficiently unknown and/or painful to set up that the attackers just go with the known default.

Trying to mine Bitcoin directly would be pointless, you'd get no money because you're competing with ASIC miners. Some coins were designed to be ASIC resistant, these are mostly mined on GPUs. Monero (and some other coins) were designed to also be GPU resistant (I think). You could see it as a sign that that property has held up (well enough), but nothing else.

Hendrikto 12/18/2025
The main reason to use Monero for stuff like this is their mining algo. They made big efforts and changed algorithms several times to make and keep it GPU and ASIC resistant.

If you used the server to mine Bitcoin, you would make approximately zero (0) profit, even if somebody else pays for the server.

But also yes, Monero has technically held up very well.

cylemons 12/18/2025
Didn't Qubic manage to attack Monero?
akimbostrawman 12/18/2025
They tried to do a 51% attack, which at worst could result in double spends. They have never reached more than 35%.

The attack did not and could not compromise or weaken Monero's privacy and anonymity features.

qingcharles 12/17/2025
As an aside, if you're using a Hetzner VPS for Umami you might be over-specced. I just cut my Hetzner bill by $4/mo by moving my Umami box to one of the free Oracle Cloud VPSes after someone on here pointed out the option to me. Depends whether this is a hobby thing or something more serious, but that option is there.
ianschmitz 12/17/2025
I would pay $4/mo to stay as far away from Oracle as possible.
angulardragon03 12/17/2025
All fine and well, but Oracle will threaten to turn off your instance if you don’t maintain a reasonable average CPU usage on the free hosts, and will eventually do so abruptly.

This became enough of a hassle that I stopped using them.

treesknees 12/17/2025
Do you mean if it’s idle, or if it’s maxed out? I’ve had a few relatively idle free-tier VMs with Oracle and I’ve not received any threats of shutoff over the last 3 years I’ve had them online.
angulardragon03 12/21/2025
Idle: a low-usage Minecraft server was the issue for me.
qingcharles 12/18/2025
I assumed the same, but as long as you keep a credit card on file apparently they will let you idle it too. I went in and set my max budget at $1/mo and set alerts too, just in case.
spiderfarmer 12/17/2025
I pay for Hetzner because it’s an EU-based, sane company without a power-hungry CEO.
mos87 12/18/2025
Orange Man Bad?!?
eb0la 12/18/2025
Yes: Orange clown very bad.
mos87 12/18/2025
>ebola

lol.

jakelsaunders94 12/17/2025
I've got a whole Hetzner EX41 bare metal server, as opposed to a VPS. It's got like 20 services on it.

But yeah, it is massively overspecced. Makes me feel cool load testing my Go backend at 8000 requests per second though!

tgtweak 12/17/2025
The manageability of having everything on one host is kind of nice at that scale, but yeah, you can stack free tiers on various providers for less.
prmoustache 12/18/2025
Author forgot one important take: to limit the attack surface, what doesn't need to be public facing should not be public facing. Things such as analytics software can easily be accessed through WireGuard or, even simpler, by using SSH as a SOCKS proxy.
tgsovlerkhgsel 12/18/2025
Would "user root" without --privileged and excessive mounts have enabled a container escape, or just exposed additional attack surface that potentially could have allowed the attacker to escape if they had another exploit?
PlqnK 12/18/2025
They would need a vulnerability in containerd or the kernel to escape the sandbox, and being root in the sandbox would give them more leeway to exploit that vulnerability.

But if they do have a vulnerability and manage to escape the sandbox, then they will be root on your host.

Running your processes as an unprivileged user inside your containers reduces the possibility of escaping the sandbox; running your containers themselves as an unprivileged user (rootless Podman or Docker, for example) reduces the attack surface when they manage to escape the sandbox.

OutOfHere 12/17/2025
You're lucky that Hetzner didn't delete your server and terminate your account.
mythrwy 12/18/2025
If they do that, they don't get paid for the service the subsequent month.
croemer 12/18/2025
With which justification?
OutOfHere 12/18/2025
Cryptocurrency software usage. It is strictly against their policy. AFAIK, their policy does not differentiate between voluntary and involuntary use.

They have done it to others.

cachius 12/18/2025
Does anybody know how to just list the processes running inside a single container from within that container?

And isn’t it a design flaw if you can see all processes from inside a container? This could provide useful information for escaping it.

meisel 12/17/2025
Is mining via CPU even worthwhile for the hackers? I thought ASICs dominated mining.
jsheard 12/17/2025
ASICs do dominate Bitcoin mining, but Monero's PoW algorithm is supposed to be ASIC resistant. Besides, who cares if it's efficient when it's someone else's server?
tgtweak 12/17/2025
Monero's proof of work (RandomX) is very ASIC-resistant, and although it generates a very small amount of earnings, if you exploit a vulnerability like this with thousands or tens of thousands of nodes, it can add up (8 modern cores 24/7 on Monero would be in the 10-20c/day per node range). OP's VPS probably generated about $1 for those script kiddies.
pixl97 12/17/2025
Hit 1000 servers and it starts adding up. Especially if you live somewhere with a low cost of living.
asdff 12/18/2025
So $40 a year? Does that imply all Monero is mined like this, because it's clearly not cost effective at all to mine legitimately?
beeflet 12/18/2025
I think so, but it is hard to say. Could be a lot of people with extra power (or stolen power), but their own equipment. I mine myself with waste solar power.
Sohcahtoa82 12/18/2025
Another option:

Deliberate heat generation.

If it's cold and you're going to be running a heater anyways, then if your heat is resistive, then running a cryptominer is just as efficient and returns a couple dollars back to you. It effectively becomes "free" relative to running the heater.

If you use a heat pump, or you rely on burning something (natural gas, wood, whatever) to generate heat, then the math changes.

tgtweak 12/19/2025
Yeah the calculus on that becomes tricky when you have heat pumps since the coefficient of performance is >1 vs resistive heating (often 3-4 depending on the temperature).

I used a rack of GPUs to heat my house for a few years back when gpu mining was decently profitable, and my electricity bill was 3-4x more than with the heat pump - so you have to keep a close eye on the math when you're running at/under profitability.

rnhmjoj 12/17/2025
This is the PoW scheme that Monero currently uses:

> RandomX utilizes a virtual machine that executes programs in a special instruction set that consists of integer math, floating point math and branches.
> These programs can be translated into the CPU's native machine code on the fly (example: program.asm).
> At the end, the outputs of the executed programs are consolidated into a 256-bit result using a cryptographic hashing function (Blake2b).

I doubt that anyone managed to create an ASIC that does this more efficiently and cost-effectively than a basic CPU. So, no, probably no one is mining Monero using an ASIC.

heavyset_go 12/17/2025
Yes, for Monero it is the only real viable option. I'd also assume that the OP's instance is one of many other victims whose total mining might add up to a significant amount of crypto.
edm0nd 12/17/2025
It's easily worth it as they are not spending any money on compute or power.

If they can enslave 100s or even 1000s of machines mining XMR for them, it's easy money if you set aside the legality of it.

minitech 12/17/2025
Hard for it not to be worthwhile, since it’s free for them. Same automated exploit run across the entire internet.
Bender 12/17/2025
Optimal hardware costs money. Easy-to-hack machines are free and in nearly unlimited numbers.
justinsaccount 12/17/2025
If the effectiveness of mining is represented as profit divided by the cost of running the infrastructure, then a CPU that someone else is paying for is worth it as long as the profit is greater than zero.
nikanj 12/18/2025
When your cost per host is $0, even $5 / mo / hacked host profit can make for an OK business.
bradley13 12/18/2025
I had something similar, but I was lucky enough to catch it myself. I've used SSH for years, and never knew that it - by default - also accepts password logins. Maybe dumb on my part, but there you go...
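The gotcha bradley13 describes is easy to check for. As an added example (not code from the thread or from the linked post), here is a small Python audit that reports whether an sshd_config still allows password logins. It applies sshd's rule that the first value seen for a keyword wins, and treats keywords inside a `Match` block as conditional rather than global. The defaults table is assumed from the sshd_config(5) man page, and the sample configurations are constructed for the example.

```python
"""Audit an sshd_config file for password-based logins (added example; sample configs are constructed)."""
import re

# OpenSSH defaults for the keywords we care about, assumed from sshd_config(5).
# An unset keyword takes its default, which is why a stock config accepts passwords.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # PAM can still prompt for a password via this path
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Deprecated spelling that sshd still accepts as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the effective global value of each keyword in DEFAULTS.

    sshd uses the *first* value it sees for a keyword, so a later duplicate is ignored.
    Keywords inside a Match block only apply when the Match condition holds, so
    parsing stops at the first Match. Include directives are not followed here.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) < 2 or key in seen:
            continue
        seen[key] = parts[1].strip().strip('"').lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def password_login_findings(config_text):
    """List the settings that still let someone authenticate with a password."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is effectively 'yes' (the default): password guessing is possible")
    if eff["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is 'yes': PAM may still prompt for a password")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin is 'yes': root can be targeted directly")
    return findings


# Constructed sample 1: a distro-style default file where everything is commented out.
DEFAULT_CONFIG = """
# PasswordAuthentication yes
# PermitRootLogin prohibit-password
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample 2: a hardened file; the Match block must not override the globals.
HARDENED_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample 3: the first value wins, so the trailing 'yes' changes nothing.
FIRST_WINS_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(label, password_login_findings(cfg) or ["no password login paths found"])
```

On a live host, `sshd -T` prints the fully resolved configuration (including files pulled in by `Include`) and is the authoritative check; the parser above is for reviewing config files offline or in a repository. Turning off `PasswordAuthentication` alone is not enough on systems where `UsePAM` is on and keyboard-interactive authentication is left enabled, which is why the audit reports both keywords.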
throwawayffffas 12/18/2025
> I also enabled UFW (which I should have done ages ago):

Docker will overwrite your rules when you publish ports.

Do not publish ports with docker. Do not run internal services on the publicly accessible system.

rendaw 12/18/2025
I didn't see it mentioned, but wouldn't having a RO root filesystem with writable directories mounted noexec also have been sufficient?
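Several of the hardening points raised in this thread (PlqnK on running as root inside a container, cachius on whether host processes are visible from inside one, throwawayffffas on Docker publishing ports straight past UFW, and rendaw on a read-only root filesystem) can all be read off `docker inspect` output. As an added example that is not part of the thread or of the linked post, the Python below audits `docker inspect` JSON for those settings. The field names are the ones Docker emits; the list of sensitive host paths and the severities are assumed, and the three container records are constructed. On the cachius question: by default each container gets its own PID namespace, so `ps` inside it shows only that container's processes; seeing host processes means the container was started with the host PID namespace (`PidMode` of `host`), which the audit flags.

```python
"""Flag risky container settings in `docker inspect` output (added example; sample records are constructed)."""
import json

# Host paths that hand the container control of the host when bind-mounted (assumed list).
SENSITIVE_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/root", "/proc", "/sys"}


def audit_container(info):
    """Return (severity, message) findings for one record from `docker inspect`."""
    name = info.get("Name", "?").lstrip("/")
    cfg = info.get("Config") or {}
    hc = info.get("HostConfig") or {}
    findings = []

    # Config.User is empty when the image never set USER, which means uid 0.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("medium", f"{name}: runs as root inside the container (Config.User is empty or root)"))

    if hc.get("Privileged"):
        findings.append(("high", f"{name}: --privileged grants all capabilities and host device access"))

    # Sharing the host PID namespace makes every host process visible from inside.
    if hc.get("PidMode") == "host":
        findings.append(("high", f"{name}: shares the host PID namespace"))

    if hc.get("NetworkMode") == "host":
        findings.append(("medium", f"{name}: uses host networking, bypassing Docker's network isolation"))

    for mount in info.get("Mounts") or []:
        src = (mount.get("Source") or "").rstrip("/") or "/"
        if mount.get("Type") == "bind" and src in SENSITIVE_SOURCES:
            findings.append(("high", f"{name}: bind-mounts sensitive host path {src}"))

    # A published port with no HostIp (or 0.0.0.0/::) listens on every interface. Docker
    # inserts its own iptables rules ahead of UFW's, so UFW does not protect it.
    for port, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(("medium", f"{name}: {port} published on all interfaces as host port {b.get('HostPort')};"
                                           " bind to 127.0.0.1 or reach it over a VPN instead"))

    if not hc.get("ReadonlyRootfs"):
        findings.append(("low", f"{name}: root filesystem is writable; consider --read-only plus a noexec tmpfs"))

    return findings


def audit_inspect_output(inspect_json):
    """Map each container name to its findings, given the JSON text `docker inspect` prints."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_json)}


def _record(name, user, privileged, pid_mode, readonly, host_ip, mounts):
    """Build a constructed `docker inspect`-shaped record for the sample data."""
    return {
        "Name": "/" + name,
        "Config": {"User": user, "Image": "example/" + name},
        "HostConfig": {
            "Privileged": privileged, "PidMode": pid_mode, "NetworkMode": "bridge",
            "ReadonlyRootfs": readonly,
            "PortBindings": {"3000/tcp": [{"HostIp": host_ip, "HostPort": "3000"}]},
        },
        "Mounts": mounts,
    }


# Constructed sample: a stock analytics container, a hardened one, and a badly configured one.
SAMPLE_INSPECT_JSON = json.dumps([
    _record("umami", "", False, "", False, "", [{"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data"}]),
    _record("hardened", "1000:1000", False, "", True, "127.0.0.1", []),
    _record("runner", "root", True, "host", False, "0.0.0.0",
            [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]),
])

if __name__ == "__main__":
    for container, found in audit_inspect_output(SAMPLE_INSPECT_JSON).items():
        print(container, "->", [m for _, m in found] or ["no findings"])
```

Feed it real data with `docker inspect $(docker ps -q)`; Podman's `inspect` output uses the same field names for these keys. The port check is the one that matters for the UFW comment above: the fix is to publish as `127.0.0.1:3000:3000` (or not publish at all) rather than `3000:3000`, or to filter in Docker's `DOCKER-USER` chain, since rules added to UFW's own chains are not consulted for that traffic.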