In brief

  • Dogecoin is now being used by hackers to maintain a crypto-mining botnet.
  • Attackers are accessing APIs with DOGE wallets to mask their location.
  • The attack is still ongoing.

Meme coin Dogecoin is being used by hackers to control Monero-mining malware on Linux operating systems, said security firm Intezer Labs yesterday.

When Intezer Labs was analyzing a relatively new backdoor trojan virus, called Doki, it found an old attacker was using it to direct mining malware on public web servers.

But there was a key difference. The firm found the hacker—who goes by Ngrok—had uncovered a new method to use Dogecoin wallets for infiltrating web servers; a first such use for the meme coin.


“Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address,” said Intezer Labs in its report.

Dogecoin may have started as a joke, but its addition to the Coinbase Wallet may help it to take off. Will Binance and Huobi be next?
Dogecoin was originally based on the Shiba Inu dog. Image: Shutterstock.

The attackers targeted command and control (C2) servers for this attack. These are used to organize and control compromised systems within a target network and can include smartphones, PCs, and any other internet-connected device.

Using Dogecoin transactions, the attackers were able to change the C2 addresses on exposed computers that ran their Monero mining bots. This allowed them to continually change their (online) location, which in turn allowed them to run the attack without getting caught by law enforcement.

So why utilize this method? Intezer said these steps meant security firms needed to access the hacker’s Dogecoin wallet to take down Doki, which was “impossible” without knowing the wallet’s private keys.

And it seems to have worked well so far. Intezer said Doki has been active since this January, but remained undetected on all 60 “VirusTotal” scanning software used on Linux servers.


The attack is still active as of today. Intezer Labs noted that over the last several months, docker servers have been increasingly targeted by malware operators, and “especially by crypto-mining gangs.”

A way to prevent exposure to the Ngrok botnet is to ensure that critical application process interfaces (APIs) are not connected to the internet.

As for Dogecoin, from going viral on TikTok to being endorsed by Elon Musk—and now being a critical tool for hackers—is there anything this coin won’t get recognized for?

Stay on top of crypto news, get daily updates in your inbox.