I built a screenshot API and some guy was mining cryptocurrencies with it.
Hey folks, just wanted to share this story. Yes, I could have been better prepared for what happened, I know. :)
This morning when I opened up my inbox, I had around 150 alert emails from the the logging tool I use. I immediately thought I must have pushed a nasty bug to production and started investigating. I quickly realized some guy was creating new accounts really fast on our screenshot API service and was rapidly using all the free plan credit.
He was making screenshots of this page https://cnhv.co/2uujp to mine cryptocurrencies on the machines hosting the chrome instances we use to make screenshots.
I figured he was hanging out on ApiFlash’s homepage so I could reach him through Crisp, the tool we use to chat with potential clients. Here is the conversation we had:
Me: Hi. Please stop creating multiple accounts on ApiFlash, you’re violating the terms of service.
Him: how do you know?
Me: From our admin interface we have metrics to monitor usage.
Him: so u tracked my ip? wow!!!
Me: We have legal obligation to gather data from our clients.
Him: oh. sorry. i was using your server for mining cryptocurrency
Him: sorry i will stop it
Me: Thank you.
Him: will there be any legal proceedings ? 😅
Me: If you stop now. No. If you continue yes.
Him: but its your fault. you have not implemented any mechanisms to prevent bots or automated access
Me: We allow users to create accounts freely, but we have various tools in place to ban people. We also have a contractor that can build a legal case if needed.
Him: ok i understand. but its your duty to make sure that automated softwares cannot make account on your site
Me: We might add more security if we feel the need.
Him: i am web developer too. i can help you
Him: i just created a tool in php for automatically creating accounts on your site. 😅
Me: We figured. 🙂
Me: Selenium ?
Him: no php curl
Him: i can help you if you want
Him: so , you have no idea about site security or are you just too lazy to implement it? 😅
Him: please implement a captcha in your site . it will prevent all those automated tools
Me: Thank you for your advice.
Me: Are we the first website you are attacking ?
Him: no.. 😅
Him: this is my hobby
Him: for fun and profit
Me: Do you make decent money from coinhive ?
Him: no. i have not made anything yet
Him: so i thought of using such sites to mine some coins. 😉
Him: i am sorry if you had any loss
Me: It's ok we haven't lost anything.
Me: There is a bunch of other screenshot website you might want to try. 😉
Him: it will consume their processing power . you know it
Me: Yes it's in browser monero mining.
Him: btw why would you want me to try other websites? just to make some loss for them? 😅
Me: No, don't. I was just joking. 🙂
Him: can i be a part of your team ?
Me: i'm sorry but we already have a developer in house.
Him: anyway it was nice meeting you.
Me: I'm sure you're a great guy deep inside. There is a ton of better ways to make money as a developer. It was nice meeting you too. Good luck ! I hope your life is going to be great ! 🙂
Him: thanks. bye 🙂
I think it’s one of the most pacific way I did mitigate an attack, and he was not that bad of a guy after all. 😄