Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Read about Prohashing, mining, and coins in general!
Forum rules
Sign up to be notified of new posts to the Prohashing Blog at
Post Reply
User avatar
Steve Sokolowski
Posts: 4110
Joined: Wed Aug 27, 2014 3:27 pm
Location: State College, PA

Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Post by Steve Sokolowski » Tue Sep 08, 2020 3:52 pm


It's time to finally call it as it is - Nicehash is complicit in criminal activities. In this post, I'll describe a recent incident involving Ethereum Classic, will review a false press release issued by Nicehash, will show how Nicehash earned $9,900 from one attack alone, and will prove how Nicehash could entirely prevent these attacks with only a few months of coding effort. Finally, I'll reveal how Prohashing has followed ETCLabs's recent legal action with a complaint to the United States Internal Revenue Service against Nicehash.

How much Nicehash earns from attacks

Nicehash, as a mining hashrate rental provider, buys hashrate from customers and resells it to renters, who direct it at public pools or at their own systems. Criminals who rent hashrate and direct it to their own systems can program those systems to mine huge strings of blocks that are not visible to the public. After conducting business with cryptocurrency exchanges, the thieves send all of the mined blocks to the Internet, causing a coin's balances to revert to a state before the scammers dealt with the exchanges, thus stealing all of the money from the transactions that are no longer present in the long strings of blocks they mined.

Since July 29, there have been at least three of these 51% attacks against the Ethereum Classic network. In the first, attackers stole almost $5.6m from an exchange by reverting over 4,000 blocks ( ... c-labs-ceo) and causing the ETC chain to reorganize. The second attack saw the thieves get away with $1.7m, and 7,000 blocks had been reverted in the third attack, the purpose of which was unclear at the time of writing.

What's in common with these attacks? They all were perpetrated using hashrate from Nicehash! Not Mining Rig Rentals, or any other hashrate rental service - Nicehash specifically. Nicehash knew about the possibility of attacks (not least because I told them in a series of E-Mails a year ago), and they did not respond to my and others' requests to add checks to their system to prevent them because they earn significant profit from the attacks. Their lack of action has enabled their system to become the go-to platform for criminals to steal money from innocent victims, to destroy projects, and to defraud exchanges for millions of dollars.

The profit Nicehash earns from these attacks is significant. The first attack against ETC, on July 29, cost an estimated $192,000, which was earned as rental revenue by Nicehash. They charge 2% to sell hashpower, 3% + 0.0001BTC to buy it, and 0.1% to withdrawal (which is above the BTC transaction fees actually needed at this time, Nicehash earns a total of about 5.1% + 0.0001 BTC in fees ( ... rvice/fees). From this one attack alone, they walked away with almost $9,900 in illegal profits.

Nicehash's terms of service ( state exactly the following in regards to 51% attacks:
That's not an error - the phrase "51%" doesn't appear in their documentation at all. They don't even make a token effort to state that their service may not be used to conduct attacks.

But they are aware that 51% attacks exist - Nicehash issued a press release shortly after the second incident ( ... s-aug-2020). The press release consists of fluff stating that they will take the issue seriously and are conducting an internal investigation.

A staggering sum of money, $5.7m in one attack alone, was stolen, and they promise an "internal investigation." Note that they said they would work with law enforcement, but did not state that they had actually called law enforcement. Furthermore, they made no mention of restitution to the victims. By not paying the $9900 in profit they earned to OKex, the defrauded exchange, they are involved in a criminal conspiracy. The sellers whose hashrate was used to conduct the attacks were unwittingly used as accomplices and their $192,000 is also tainted.

An implementation that proves Nicehash can prevent 51% attacks

One of the most important parts of this press release, and the one I want to refute in detail, is where Nicehash claims that it isn't possible to prevent 51% attacks using their system. This statement is false. I estimate they could make their system very resistant to 51% abuse by spending just $22,000, close to the amount they likely earned from these few attacks alone. $2,000 would pay for servers upon which coins can be installed, and $20,000 would pay for two months' labor of a developer to implement the protections.

The first step in preventing attacks is installing additional coin daemons on the servers. Since Nicehash runs (or ran) its own pools for miners to use when they are not being rented for a number of algorithms, and because Nicehash operates an exchange that pays customers in many coins, the actual work here is limited to smaller coins they don't already support. Having about 200 coins installed in total would protect all mineable coin networks with a market capitalization above $1m, while having just 50 coins installed would protect all but the smallest networks. Purchasing four 2013-era servers with about 256GB of total RAM and installing 2016-era solid state disks totaling about 3TB would be sufficient for all the coin networks, because data deduplication can be used to dramatically save costs for huge forked coins like Bitcoin, Bitcoin Cash, Bitcoin SV, Bitcoin Gold, Bitcoin Diamond, and so on. Since Nicehash likely has the largest coins installed, the hardware cost is minimal.

Once the coins are installed, there is a "blocknotify" command in the configuration files (like .bitcoin/bitcoin.conf or .digibyte/digibyte.conf) that will execute a program when a new block arrives. For this solution, a new program receives the "previous block hash" provided by the blocknotify command, and connects to a database with a single table that has three columns: block hash, difficulty, and time received. The program inserts a row into the database table with the received hash and the current time. The "difficulty" column is filled with the value returned by calling "getdifficulty" on the coin that notified the program of the block. The program also looks for really old rows, like a day or a week ago, and deletes them to save disk space.

Finally, Nicehash modifies its rental software. When a new rental occurs, the first block will be sent using the stratum protocol, which is defined at The "prevhash" field in the "mining.notify" command allows Nicehash, by querying the database table, to determine exactly what coin network is being mined, and what the network's hashrate is, using simple multiplication as described at Then, Nicehash simply limits the maximum size of the rental to 99% of the network's current hashrate, or some other value it determines is far enough below 100% to avoid an attack from succeeding due to luck alone. If some of the hashrate being rented was already assigned to legitimate mining of that coin in Nicehash's default pool, then Nicehash knows that and can set the maximum lower.

This change would likely be sufficient to prevent most fraud, but there are improvements that could be made if it turns out that criminals try to work around the system. To prevent multiple accounts from being used for an attack, the overall rental limit can be enforced by tracking the current "prevhash" value across all its miners. Even if a fraudster sets up multiple pools with multiple accounts with multiple IP addresses to try to mine a huge chain of blocks, at least 101% of the legitimate network's hashrate will still need to be mining the same illegitimate "prevhash" at most times. The hashrate limit can be enforced by simply looking at the oldest order's initial block to determine what network is being mined. Nicehash can track that network's difficulty, and therefore the rental limit, in real time by adding a "coin" column to the database table, looking up the latest difficulty for the coin, and adjusting the limit on the fly for competing chains.

Nicehash is lying when they state that they have no way to prevent 51% attacks, and the feasibility of this scheme proves that. Not only can they prevent these attacks, they are the best-equipped company in the world to thwart these attacks. If they took action, the number of 51% attacks against all coins would crash to near zero immediately. They have the most information of anyone, they have known for a long time that have a problem, and they have purposely chosen to do nothing so that they can profit from these thefts.

Next steps

Charlie Shrem, who was involved years ago in BitInstant, the exchange from which I purchased my first bitcoins, served jail time during the last decade for a very similar circumstance involving a marketplace and its customers. The exchange failed to conduct anti-money laundering checks on its customers, but failing to conduct such checks doesn't indicate the exchange knew specific customers who were criminals. What got Shrem jailed in the end is that a customer told him that (s)he was involved in drug dealing. Shrem stated in court that he not only didn't conduct checks, but that he also knew that the customer was involved in drugs and also that he knew what he was doing was wrong.

Nicehash's executives easily satisfy two of the criteria that sent Shrem to jail. While they are not required to conduct AML checks upon money they receive, they were obviously notified that their service was being used by attacks based upon the numerous newspaper articles that have been written. Despite that, they continue to offer services and repeatedly fail to investigate large renters using their services. The implementation I demonstrated above is not complicated - it only requires one or two database tables - so it is ludicrous to suggest that nobody ever thought of it or something similar over the last 10 or 100 attacks. After their system was used to steal at least $7m in one month alone, "it's not our problem" would not be a reasonable statement to any jury.

ETCLabs, which manages Ethereum classic, has retained a lawyer to pursue legal action ( ... ace-Pursue and ... be90b62a2a) on behalf of the fraud victims in the first two attacks. After the third attack, they clarified that they would also pursue action against Nicehash and cloud mining providers.

Today, Prohashing is also announcing that it will be joining the fight by filing reports with government agencies to pressure them to take action against Nicehash. While we are not able to afford international litigation like ETCLabs can, and while we disagree that anti-money laundering laws do and should apply to someone paying for a service (the implications extend far outside cryptocurrency), we do know that Nicehash has for at least three years been operating illegally in other ways in the United States. In addition to the conduct described above, Nicehash is an insolvent company, which suspended its repayment program and misrepresented the value owed to customers ( ... ram-update). They preferred specific creditors over other creditors without a judicial order, a violation of bankruptcy legislation.

However, the easiest violations to prove are tax-related, so we started by filing a complaint with the Internal Revenue Service, which is pictured at The complaint references a specific document published by the IRS that clearly states that Nicehash is required to file paperwork for certain payouts involving US customers. Because they don't collect the information necessary to file this paperwork, it is impossible for them to have filed it, and they are clearly in violation of the regulation. It should be noted that I don't believe that the IRS is right in requiring these forms to be submitted, but I do believe the law is clear in what everyone is required to do.

If they don't begin playing by the rules, this fine is $500 per US customer. The choices for Nicehash are now clear: they can begin producing the forms as Prohashing, Bittrex, and other legitimate businesses do; they can terminate service to US customers; or they can do nothing until they wake up to find their assets were seized to pay the fines.

If you are a Nicehash customer, you should do your part by refraining from selling or renting hashrate at Nicehash. If you want to use another rental service, Mining Rig Rentals ( has not been shown to be involved in 51% attacks, and they are very responsive to support tickets. Or, you can solo mine or mine with a pool. While it might be excessive to state that Nicehash miners would have government action pursued against individuals, it has been shown how customers who knew that a marketplace was involved in illegal activity, like sellers at the Silk Road, had money seized even if their own shop was not involved in drug dealing. Remember that Nicehash is already bankrupt - even in the absence of crimes like 51% attacks, whatever is left over at Nicehash after a seizure would likely be prorated to all creditors, including those who lost money in the December 6, 2017 attack, and the value lost in that attack has not been paid back at 82% as Nicehash falsely claims it has.


Nicehash has been a thorn in the side of coin developers and exchanges for years. They blatantly ignore the law and profit from criminal attacks that have resulted in the loss of tens of millions of dollars from hard-working people. They have put the future of the Ethereum Classic Trust, a registered security offered to normal people, in jeopardy. Their founders and employees ignore this reprehensible conduct and laugh all the way to the bank. With ETCLab's recent action, I'm glad to see that the community is beginning to see Nicehash for what it is - a company built on the profits of scammers, fraudsters, and thieves.
Post Reply