“StartWallet”: How not to lose money while cryptomining


Over the last year, cryptocurrency has been amongst the top in making news despite the volatility. The two common ways to possess cryptocurrency is via trading or mining some of your own.

Cryptomining has seen two interesting developments, one is the rise of browser Cryptojacking where people are unknowingly mining cryptocurrencies by visiting sites with the hidden Cryptomining code. The other development has been the rise of enthusiasts to mine cryptocurrencies legitimately by using mining software for their dedicated or personal equipment. This has led to introduction of many non-tech savvy people into this field, who want an easy way to mine the various currencies floating around.

An easy way given to them is ethOS. As mentioned on their website, ethOS is a 64-bit Linux OS that mines Ethereum, Zcash, Monero, and other GPU-minable coins.

Despite its simplicity, some basic precautions are needed to be taken for the user to gain profit. The default credentials over SSH for ethOS is username: “ethos” with password: “live”. Attackers have already tried to log in to exposed ethOS systems using these credentials. NewSky Security SSH honeypots have also observed these credential attacks.

The StartWallet

However, we will be discussing another issue here, about the “StartWallet”. Many users often complain about a start page which pops up in their PC, or their default search engines changed without their consent. This lies in the categorization as adware, and the other party makes revenue by gaining traffic from these actions. The start page change is not always an adware though. In many cases it is legitimate (the user gives consent in EULA to change their start page, or it can be pre-configured like Bing is the default search engine for Microsoft Edge browser).

Going back to our discussion on ethOS, we observe that they not only have a preset configuration of username or password, but also have a preset “StartWallet”. Hence if someone installs ethOS and starts mining, all mined currency will go into this default address.

ethOS has not concealed it, in fact they mention clearly on their website about the default wallet, and ask the user to change it to their own address.

While everyone is expected to change it, some people who might not be very well versed in the operation of ethOS can start unconsciously mining for the default wallet. By the time they know about it and change the address, they already might have done some favors to the default wallet.

We found some interesting reddit threads on this issue. Here is one rant where a user thinks he has been attacked, but in reality, he has not changed the default address.

He got some interesting reactions as people try to explain to him the root cause of his unconscious mining for the default account.

“You guys just didn’t change the default info. They are pulling in thousands of dollars from idiots like you who literally are mining directly into their wallet. LMFAO”

There are two opinions on this issue: one set of people believe that person who doesn’t know what they are doing deserve to suffer, and it is fine if they mine for someone else because of a lack of understanding; the other line of thought can be that the ethOS team can come up with a better solution, for example asking for the wallet on the first run rather than putting their default address, as mentioned in another reply on reddit.

Million-dollar Ethereum wallet

We investigated whether this “default” Ethereum wallet is valid or not. It turns out that not only is this a valid address, but it also has over a million dollars. However, the money might have also come through other means on this wallet other than the default wallet mining of unaware users.


While it sounds lucrative to make some quick money by mining, it is always good to have a basic understanding of the mining mechanism used in order to avoid issues like these. When it comes to ethOS :

· Change the default SSH credentials “ethos: live” as soon as possible.

· Change the default wallet address to your own. (in home/ethos/local.conf).

· Force ethOS to keep local.conf changes after reboots.

· If one doesn’t need remote services, they can blank the file
“/home/ethos/remote.conf”. Remote configuration is only needed when there is a real need to control the device remotely.

· Have a detailed read of http://ethosdistro.com/kb/ to understand the minute details about ethOS configurations.

Ankit Anubhav, Principal Researcher, NewSky Security (NewSky Security)

“StartWallet”: How not to lose money while cryptomining was originally published in NewSky Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: “StartWallet”: How not to lose money while cryptomining | by NewSky Security | NewSky Security