A Day in the Life of a Pool Operator
Or How I Became a “Botnet Kingpin”
A true story about running a CPU mining pool, receiving an alarming email, watching half your infrastructure go dark, and spending a day proving you’re not a criminal.
I run a mining pool for a CPU-mineable coin. Some people pointed a botnet at it. My hosting provider concluded that I was the botnet operator, pulled the plug on my server, and I spent a lovely day on emails, phone calls, and existential dread proving that I’m just a guy running a mining pool. The weather forecast for pool operators: unpredictable, with a chance of false accusations.
Act I: A Perfectly Normal Tuesday
Picture this. It’s a regular workday. I’m at my day job as an IT engineer, doing IT engineer things. Specifically, I was working on a new project — the kind of focused work where you’ve got three terminals open, a documentation tab you’ll definitely read later, and that particular flow state where everything just clicks.
In the background, as always, my mining pools are humming along. They’ve been running for over a decade. Uptime Kuma is green across the board. Miners are mining. Blocks are being found. Payouts are going out. The beautiful, boring routine of a well-maintained infrastructure.
Among the pools I operate is one for a CPU-mineable coin. If you know anything about CPU-mineable coins, you already know where this story is going. If you don’t — well, buckle up.
CPU-mineable coins are the “free Wi-Fi” of cryptocurrency mining. Every computer has a CPU. Every compromised computer has a CPU. You see the problem.
Act II: The Email
Right in the middle of my flow state, my phone buzzes. Then it buzzes again. And again. I glance at it, expecting maybe a Slack notification about a meeting I was already ignoring. Instead, I see this:
To: me, a law-abiding citizen
Subject: Service Termination — Botnet C&C Activity Detected
Dear Customer,
We have detected that your server is being used as a botnet command and control (C&C) server. Multiple reports indicate malicious traffic originating from your IP address, consistent with botnet coordination activity.
Your service has been suspended effective immediately.
Regards,
The Abuse Department
I stared at my phone for a solid five seconds. Then I did what any reasonable person would do: I re-read it to make sure I wasn’t hallucinating.
I was not hallucinating.
My hosting provider had just called me a botnet kingpin and shut down my server.
Right about then, Uptime Kuma decided to join the conversation. My phone turned into a Christmas tree of red notifications. The frontend proxy — the one that sits between the internet and my actual pool infrastructure — was on that server. So when they pulled the plug, they didn’t just take down one service. They took down the front door to half my operation.
a perfectly good day
and Uptime Kuma meltdown
now offline
Act III: What Actually Happened
Let me explain what was actually going on, since my hosting provider clearly didn’t bother to check.
I run a mining pool. A mining pool is a server that accepts connections from miners. Miners connect via the stratum protocol, submit shares (proof of computational work), and get paid proportionally when the pool finds a block. This is not controversial. This is how cryptocurrency mining has worked since approximately forever.
Now, here’s the fun part about CPU-mineable coins: since you don’t need a GPU or an ASIC to mine them, any computer can do it. Including computers that don’t belong to the person running the mining software on them.
Some enterprising individual — let’s call them “not my problem but suddenly very much my problem” — was running a botnet. They had compromised a bunch of machines and installed mining software on all of them. Then they pointed all of those miners at my pool.
From the outside, this looks like thousands of connections from diverse IPs all talking to my server. To someone who doesn’t know what a mining pool is, this pattern looks exactly like a botnet calling home to its command and control server.
Except I’m not the one controlling the botnet. I’m the parking lot where the getaway car happened to park.
The actual botnet operator is out there somewhere, probably sipping coffee and watching their hashrate go up on my pool’s dashboard. Meanwhile, I’m the one whose server just got nuked from orbit because a hosting provider’s abuse department saw “lots of connections from suspicious IPs” and jumped straight to “this guy is running a criminal enterprise.”
It’s like owning a parking garage and having someone call the police on you because a stolen car was parked on the third floor. “Sir, you’re clearly running a car theft ring.” No, I’m running a parking garage. People park here. I don’t check their title deeds.
Act IV: The Five Stages of Proving Your Innocence
What followed was one of the most tedious experiences of my life, and I say that as someone who once had to debug a race condition in a Node.js stratum server at 3 AM. At least the race condition didn’t question my moral character.
Stage 1: The Reply Email
I wrote a very polite, very detailed email explaining that I run a cryptocurrency mining pool. I explained what stratum connections are. I explained what CPU mining is. I explained why many different IPs connecting to a mining pool is not only normal but is literally the entire business model. I included links, diagrams, and barely concealed desperation.
Response time: several hours of silence.
Stage 2: The Follow-Up Email
Since hours had passed and my pools were still bleeding miners (who were, understandably, leaving to mine elsewhere since they couldn’t reach my frontend), I sent a follow-up. This one was slightly less polished and slightly more “please, for the love of all that is holy, look at what a mining pool actually is.”
Stage 3: The Phone Call
I called their support line. I was transferred. Then transferred again. I explained mining pools to three different people, each of whom seemed to be hearing about cryptocurrency for the first time. One of them asked if mining was “like Bitcoin.” Yes. Yes it is like Bitcoin. That is literally what it is. Can I please have my server back.
Stage 4: The Evidence Package
They wanted “proof” that I was running a legitimate service. So I compiled a greatest-hits album of legitimacy: pool website screenshots, public blockchain records, years of operational history, registration information, my pool’s listing on mining aggregator sites, and a heartfelt letter that stopped just short of attaching my birth certificate and a character reference from my mother.
Stage 5: The Waiting
And then I waited. While my frontend was down. While miners were leaving. While Uptime Kuma sent me red alerts with the enthusiasm of a toddler who discovered the car horn. I sat there, refreshing my email, having done absolutely nothing wrong, waiting for permission to run the service I’ve been operating for over a decade.
Act V: The Clouds Part (Mostly)
Eventually — and by “eventually” I mean after enough emails to fill a novella — the hosting provider conceded that maybe, just possibly, I was not in fact running a criminal botnet empire from my rented server. The service was restored. The frontend came back online. The Uptime Kuma dashboard slowly turned green again, one check at a time, like a patient coming out of a coma.
But the damage was done. Miners who had been disconnected for hours had already moved to other pools. Some came back. Some didn’t. The pool’s hashrate took a hit that took days to recover from. And I had lost an entire workday at my actual job dealing with this, because apparently “my hosting provider thinks I’m a cybercriminal” isn’t something you can put on a ticket and deal with tomorrow.
The botnet operator? Still out there. Still not my problem. Except, of course, it was entirely my problem.
I’m not a criminal
transfers required
(as always)
The Bigger Picture: Life as a Pool Operator
People sometimes ask me what it’s like to run a mining pool. I think they expect me to talk about hashrates and block rewards and optimizing stratum latency. And sure, that’s part of it. But the real answer is: it’s a weather system.
Some days are sunny. Everything works. Blocks come in at a steady pace. Miners are happy. Nobody is emailing you about anything. You almost forget that you’re running critical infrastructure that people depend on. You can focus on new features, optimizations, and the stuff that actually makes this fun.
Then, with zero warning, it starts pouring. A botnet points at your pool and your hosting provider declares you a wanted man. Or someone launches a DDoS attack because they’re bored, or angry, or running a competing pool with questionable ethics. Or a coin daemon has a consensus bug at 2 AM and suddenly you’re on a fork that nobody else is on. Or a hard drive fails. Or a miner finds a block but the submission gets stuck because of a network blip and you lose a $200 block reward to the void.
And then, eventually, the rain stops. The sun comes back out. But it’s never quite the same bright, cloudless sky it was before. It’s more of an “okay, what’s next” kind of overcast. Cloudy skies. You learn to appreciate the good days more because you know — with absolute certainty — that the next surprise is already loading.
Morning: Everything is green. Life is beautiful. You consider writing a blog post about how smoothly things are running.
Afternoon: You receive an email that makes your stomach drop. Half your infrastructure is on fire. You’re explaining what TCP ports are to a support agent.
Evening: Things are mostly back online. You’re too tired to be relieved. You stare at the monitoring dashboard and wait for the next thing.
Repeat.
What I Learned (Besides Patience)
If there’s a takeaway from this delightful experience, it’s a few things:
- Have redundancy for your frontend/proxy layer. If I hadn’t been running the frontend on a single server with that provider, the impact would have been much smaller. Single points of failure are fine until they aren’t, and they stop being fine at the worst possible moment.
- Keep documentation ready. Having a pre-written “we are a legitimate mining pool” explanation with supporting evidence saves time when you need to explain your existence to someone who thinks you’re a criminal.
- Choose hosting providers that understand what you do. Or at least ones that ask questions before pulling the plug.
- Mine legitimately. If you’re pointing compromised machines at a pool, you’re not just breaking the law — you’re potentially getting the pool shut down for everyone who’s mining honestly. The pool operator gets punished for your actions. Don’t be that person.
- Understand that pool outages sometimes happen because of things like this. It’s not always a technical failure. Sometimes it’s a human one — just not on the pool operator’s side.
The Bottom Line
Running a mining pool is a 24/7 commitment that extends well beyond keeping software updated and servers running. It means being available when things go sideways, even when “sideways” means defending yourself against accusations that would be funny if they weren’t actively destroying your uptime.
CPU-mineable coins attract botnets. That’s not a secret, and it’s not the pool’s fault. A pool can’t verify whether a connecting CPU belongs to the person submitting shares or to someone on the other side of the world who got their machine compromised. Blaming the pool is like blaming the highway for a speeding car.
A pool operator’s day can go from sunny to stormy in the time it takes to read one email. And it usually does so when you’re in the middle of something else entirely. There’s no “good time” for your hosting provider to accuse you of cybercrime. But there’s definitely a “worse time,” and that’s apparently always when it happens.
If you’re a miner reading this: know that behind every mining pool is a person (or a small team) who deals with this kind of chaos so that you can just point your miner at a stratum address and collect payouts. If your pool has an outage, maybe give it a minute before switching. There might be a very tired pool operator on the other end, trying to convince a support agent that stratum connections are not, in fact, a cyberweapon.
Related Articles
Mining Pool Security
How mining pools protect themselves and their miners from DDoS, exploits, and other threats.
Choosing the Right Mining Pool
How to evaluate mining pools by fees, payout schemes, uptime, and trustworthiness.
Pool Solo Mining vs Real Solo Mining
The truth about “solo mining on a pool” from a pool operator who’s been doing this since 2013.