Page 1 of 1

Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Tue Sep 08, 2020 3:52 pm
by Steve Sokolowski

It's time to finally call it as it is - Nicehash is complicit in criminal activities. In this post, I'll describe a recent incident involving Ethereum Classic, will review a false press release issued by Nicehash, will show how Nicehash earned $9,900 from one attack alone, and will prove how Nicehash could entirely prevent these attacks with only a few months of coding effort. Finally, I'll reveal how Prohashing has followed ETCLabs's recent legal action with a complaint to the United States Internal Revenue Service against Nicehash.

How much Nicehash earns from attacks

Nicehash, as a mining hashrate rental provider, buys hashrate from customers and resells it to renters, who direct it at public pools or at their own systems. Criminals who rent hashrate and direct it to their own systems can program those systems to mine huge strings of blocks that are not visible to the public. After conducting business with cryptocurrency exchanges, the thieves send all of the mined blocks to the Internet, causing a coin's balances to revert to a state before the scammers dealt with the exchanges, thus stealing all of the money from the transactions that are no longer present in the long strings of blocks they mined.

Since July 29, there have been at least three of these 51% attacks against the Ethereum Classic network. In the first, attackers stole almost $5.6m from an exchange by reverting over 4,000 blocks ( ... c-labs-ceo) and causing the ETC chain to reorganize. The second attack saw the thieves get away with $1.7m, and 7,000 blocks had been reverted in the third attack, the purpose of which was unclear at the time of writing.

What's in common with these attacks? They all were perpetrated using hashrate from Nicehash! Not Mining Rig Rentals, or any other hashrate rental service - Nicehash specifically. Nicehash knew about the possibility of attacks (not least because I told them in a series of E-Mails a year ago), and they did not respond to my and others' requests to add checks to their system to prevent them because they earn significant profit from the attacks. Their lack of action has enabled their system to become the go-to platform for criminals to steal money from innocent victims, to destroy projects, and to defraud exchanges for millions of dollars.

The profit Nicehash earns from these attacks is significant. The first attack against ETC, on July 29, cost an estimated $192,000, which was earned as rental revenue by Nicehash. They charge 2% to sell hashpower, 3% + 0.0001BTC to buy it, and 0.1% to withdrawal (which is above the BTC transaction fees actually needed at this time, Nicehash earns a total of about 5.1% + 0.0001 BTC in fees ( ... rvice/fees). From this one attack alone, they walked away with almost $9,900 in illegal profits.

Nicehash's terms of service ( state exactly the following in regards to 51% attacks:
That's not an error - the phrase "51%" doesn't appear in their documentation at all. They don't even make a token effort to state that their service may not be used to conduct attacks.

But they are aware that 51% attacks exist - Nicehash issued a press release shortly after the second incident ( ... s-aug-2020). The press release consists of fluff stating that they will take the issue seriously and are conducting an internal investigation.

A staggering sum of money, $5.7m in one attack alone, was stolen, and they promise an "internal investigation." Note that they said they would work with law enforcement, but did not state that they had actually called law enforcement. Furthermore, they made no mention of restitution to the victims. By not paying the $9900 in profit they earned to OKex, the defrauded exchange, they are involved in a criminal conspiracy. The sellers whose hashrate was used to conduct the attacks were unwittingly used as accomplices and their $192,000 is also tainted.

An implementation that proves Nicehash can prevent 51% attacks

One of the most important parts of this press release, and the one I want to refute in detail, is where Nicehash claims that it isn't possible to prevent 51% attacks using their system. This statement is false. I estimate they could make their system very resistant to 51% abuse by spending just $22,000, close to the amount they likely earned from these few attacks alone. $2,000 would pay for servers upon which coins can be installed, and $20,000 would pay for two months' labor of a developer to implement the protections.

The first step in preventing attacks is installing additional coin daemons on the servers. Since Nicehash runs (or ran) its own pools for miners to use when they are not being rented for a number of algorithms, and because Nicehash operates an exchange that pays customers in many coins, the actual work here is limited to smaller coins they don't already support. Having about 200 coins installed in total would protect all mineable coin networks with a market capitalization above $1m, while having just 50 coins installed would protect all but the smallest networks. Purchasing four 2013-era servers with about 256GB of total RAM and installing 2016-era solid state disks totaling about 3TB would be sufficient for all the coin networks, because data deduplication can be used to dramatically save costs for huge forked coins like Bitcoin, Bitcoin Cash, Bitcoin SV, Bitcoin Gold, Bitcoin Diamond, and so on. Since Nicehash likely has the largest coins installed, the hardware cost is minimal.

Once the coins are installed, there is a "blocknotify" command in the configuration files (like .bitcoin/bitcoin.conf or .digibyte/digibyte.conf) that will execute a program when a new block arrives. For this solution, a new program receives the "previous block hash" provided by the blocknotify command, and connects to a database with a single table that has three columns: block hash, difficulty, and time received. The program inserts a row into the database table with the received hash and the current time. The "difficulty" column is filled with the value returned by calling "getdifficulty" on the coin that notified the program of the block. The program also looks for really old rows, like a day or a week ago, and deletes them to save disk space.

Finally, Nicehash modifies its rental software. When a new rental occurs, the first block will be sent using the stratum protocol, which is defined at The "prevhash" field in the "mining.notify" command allows Nicehash, by querying the database table, to determine exactly what coin network is being mined, and what the network's hashrate is, using simple multiplication as described at Then, Nicehash simply limits the maximum size of the rental to 99% of the network's current hashrate, or some other value it determines is far enough below 100% to avoid an attack from succeeding due to luck alone. If some of the hashrate being rented was already assigned to legitimate mining of that coin in Nicehash's default pool, then Nicehash knows that and can set the maximum lower.

This change would likely be sufficient to prevent most fraud, but there are improvements that could be made if it turns out that criminals try to work around the system. To prevent multiple accounts from being used for an attack, the overall rental limit can be enforced by tracking the current "prevhash" value across all its miners. Even if a fraudster sets up multiple pools with multiple accounts with multiple IP addresses to try to mine a huge chain of blocks, at least 101% of the legitimate network's hashrate will still need to be mining the same illegitimate "prevhash" at most times. The hashrate limit can be enforced by simply looking at the oldest order's initial block to determine what network is being mined. Nicehash can track that network's difficulty, and therefore the rental limit, in real time by adding a "coin" column to the database table, looking up the latest difficulty for the coin, and adjusting the limit on the fly for competing chains.

Nicehash is lying when they state that they have no way to prevent 51% attacks, and the feasibility of this scheme proves that. Not only can they prevent these attacks, they are the best-equipped company in the world to thwart these attacks. If they took action, the number of 51% attacks against all coins would crash to near zero immediately. They have the most information of anyone, they have known for a long time that have a problem, and they have purposely chosen to do nothing so that they can profit from these thefts.

Next steps

Charlie Shrem, who was involved years ago in BitInstant, the exchange from which I purchased my first bitcoins, served jail time during the last decade for a very similar circumstance involving a marketplace and its customers. The exchange failed to conduct anti-money laundering checks on its customers, but failing to conduct such checks doesn't indicate the exchange knew specific customers who were criminals. What got Shrem jailed in the end is that a customer told him that (s)he was involved in drug dealing. Shrem stated in court that he not only didn't conduct checks, but that he also knew that the customer was involved in drugs and also that he knew what he was doing was wrong.

Nicehash's executives easily satisfy two of the criteria that sent Shrem to jail. While they are not required to conduct AML checks upon money they receive, they were obviously notified that their service was being used by attacks based upon the numerous newspaper articles that have been written. Despite that, they continue to offer services and repeatedly fail to investigate large renters using their services. The implementation I demonstrated above is not complicated - it only requires one or two database tables - so it is ludicrous to suggest that nobody ever thought of it or something similar over the last 10 or 100 attacks. After their system was used to steal at least $7m in one month alone, "it's not our problem" would not be a reasonable statement to any jury.

ETCLabs, which manages Ethereum classic, has retained a lawyer to pursue legal action ( ... ace-Pursue and ... be90b62a2a) on behalf of the fraud victims in the first two attacks. After the third attack, they clarified that they would also pursue action against Nicehash and cloud mining providers.

Today, Prohashing is also announcing that it will be joining the fight by filing reports with government agencies to pressure them to take action against Nicehash. While we are not able to afford international litigation like ETCLabs can, and while we disagree that anti-money laundering laws do and should apply to someone paying for a service (the implications extend far outside cryptocurrency), we do know that Nicehash has for at least three years been operating illegally in other ways in the United States. In addition to the conduct described above, Nicehash is an insolvent company, which suspended its repayment program and misrepresented the value owed to customers ( ... ram-update). They preferred specific creditors over other creditors without a judicial order, a violation of bankruptcy legislation.

However, the easiest violations to prove are tax-related, so we started by filing a complaint with the Internal Revenue Service, which is pictured at The complaint references a specific document published by the IRS that clearly states that Nicehash is required to file paperwork for certain payouts involving US customers. Because they don't collect the information necessary to file this paperwork, it is impossible for them to have filed it, and they are clearly in violation of the regulation. It should be noted that I don't believe that the IRS is right in requiring these forms to be submitted, but I do believe the law is clear in what everyone is required to do.

If they don't begin playing by the rules, this fine is $500 per US customer. The choices for Nicehash are now clear: they can begin producing the forms as Prohashing, Bittrex, and other legitimate businesses do; they can terminate service to US customers; or they can do nothing until they wake up to find their assets were seized to pay the fines.

If you are a Nicehash customer, you should do your part by refraining from selling or renting hashrate at Nicehash. If you want to use another rental service, Mining Rig Rentals ( has not been shown to be involved in 51% attacks, and they are very responsive to support tickets. Or, you can solo mine or mine with a pool. While it might be excessive to state that Nicehash miners would have government action pursued against individuals, it has been shown how customers who knew that a marketplace was involved in illegal activity, like sellers at the Silk Road, had money seized even if their own shop was not involved in drug dealing. Remember that Nicehash is already bankrupt - even in the absence of crimes like 51% attacks, whatever is left over at Nicehash after a seizure would likely be prorated to all creditors, including those who lost money in the December 6, 2017 attack, and the value lost in that attack has not been paid back at 82% as Nicehash falsely claims it has.


Nicehash has been a thorn in the side of coin developers and exchanges for years. They blatantly ignore the law and profit from criminal attacks that have resulted in the loss of tens of millions of dollars from hard-working people. They have put the future of the Ethereum Classic Trust, a registered security offered to normal people, in jeopardy. Their founders and employees ignore this reprehensible conduct and laugh all the way to the bank. With ETCLab's recent action, I'm glad to see that the community is beginning to see Nicehash for what it is - a company built on the profits of scammers, fraudsters, and thieves.

Re: Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Wed Apr 07, 2021 5:36 pm
by Banished_Privateer
Reviving old topic but I feel like it's relevant. There was a huge panic recently surrounding PhoenixMiner (they went offline for a while, MEGA took down their download page/accounts and NiceHash started telling people to stop using it). Currently PM devs are back, MEGA download page is also back, but they officially moved over to github. I'm not going to comment here entire story but rather advice for interested parties (PhoenixMiner users and NiceHash users) to read the conversation starting roughly here: ... sg56526051

I hope it's not against rules to link that but I also believe that it contains crucial information and context on the whole story and it's better to link the source than rephrase all of it.

Re: Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Thu Apr 08, 2021 8:23 am
by Steve Sokolowski
That whole saga with Nicehash is weird. I'm not sure what to make of it. The positions of both sides are odd:

For Nicehash, their statement that they would require KYC from mining software developers is a lie. There are no laws in any jurisdiction that require software developers to verify their identities. As usual, Nicehash is publishing false information.

For the mining devs, it doesn't make sense to me why they believe they would be in some sort of danger if they reveal themselves. How is developing mining software a dangerous activity? In 1999, I made a conscious choice to be 100% honest with my posts online, so everything uses my real name. Everyone on the Internet knows exactly who I am, and the worst that has ever happened to me are troll posts that I ignore or delete. Nobody has ever tried to kill me, and I wonder if anyone has ever been killed from revealing their identity online as long as the Internet has existed.

Nevertheless, it's clear that this is yet another reason to steer clear of Nicehash. The devs are pretty nice to Nicehash at the end, saying that people will have to "make a choice for themselves." They recommend frequent withdrawals from Nicehash, but given their high withdrawal fees, that precaution simply isn't possible.

Re: Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Thu Apr 08, 2021 1:16 pm
by Banished_Privateer
Steve Sokolowski wrote:
Thu Apr 08, 2021 8:23 am
Nobody has ever tried to kill me, and I wonder if anyone has ever been killed from revealing their identity online as long as the Internet has existed.
I wish you it stays that way, although I do believe that is a silly question. I do like the transparency of Prohashing developers and it strengthens my trust in your business, but it always comes at the compromise of safety to some degree. You don't necessary need to even reveal your identity but simply can become a victim of dox'ing, very common nowadays and extremely easy because of how we make our information widely available and public through social media and different means.

When money comes into play, greed, jealousy and other factors make humans commit terrible things. Even in gaming (something that should be relatively safe), there are plenty of known real-life physical attacks or sabotages on players. You can typically read about some for EVE Online game.

We can even read on their page: ... policy-en/
Real-life threats:
While we understand that the virtual worlds we maintain can cause tensions and emotions to run high at times, real life threats are not tolerated. Let your in-game lasers and artillery do the talking!

Regardless of whether they are made in jest or in the heat of the moment, any threat of real-world violence against another player, a volunteer or a developer is taken seriously. Repercussions range from temporary to permanent suspension depending on the context of the case and the user’s prior track record.

At the discretion of CCP, threats considered to be particularly credible will be reported to the relevant authorities, which may include but not be limited to::

National Commissioner of the Icelandic Police.
Municipal, State, Federal and/or National Law Enforcement Agencies.
In addition to this, section 3 of the CCP Event Code of Conduct also covers threats made against individuals attending real world events, or threats of violence against events themselves.

Individuals who make credible real-life threats of this kind are not welcome in our community and will be removed without recourse under section 5. B. (1) of our End User License Agreement.
When it comes to the crypto world, there is a list of physical attacks, maintained and updated by "jlopp" or actually Jameson Lopp. He himself was a victim of physical attack: ... state.html

His list is published here:

Re: Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Thu Apr 08, 2021 1:38 pm
by Steve Sokolowski
Yeah, gaming is weird in the way that people treat each other. One thing I noticed is that it seems the biggest DDoS attacks are against gaming servers and conferences, like the one that took down the entire PlayStation network a few years ago around Christmas. I don't know what it is about gaming that seems to attract criminals that try to take down services like that.

On the other hand, when it comes to doxxing, I don't care about being doxxed because all my information is already publicly available. There are a lot of people who like to live two or three lives, where they have to keep straight what their bosses know or what their families know or what their online pals know. That's why, for example, in the "Huel guide," I posted about the episodes of mania I suffered from around 2006. If people don't like me for who I am, then those are people I don't want to associate with. It's also really difficult to keep straight who knows what when you try to live separate lives.

While I appreciate that there are isolated incidents, there are millions of people who own cryptocurrency. Just as I'm not concerned to take the Pfizer vaccine because there is a 1/150,000 chance of anaphalyxis, the number of security incidents would need to run up to 50,000 or more before the percentages would even be worth changing behavior over.

Finally, I'd like to state that if your security strategy depends on secrecy, then it is flawed. The pool's strategy for securing coins would require three separate people to fail and would require those failures to not be caught for more than a week before any money were lost, even if it were known exactly how to target it.

Re: Prohashing disproves false Nicehash statement about criminal 51% attacks; files IRS complaint

Posted: Thu Apr 08, 2021 1:43 pm
by Steve Sokolowski
But getting back to the original topic, I never take anything that Nicehash says at face value because they have not demonstrated truthfulness in many of their past statements.

Unfortunately, we're limited in what we can comment about Nicehash specifically because we have to be extremely careful that we can legally prove anything that we say about them, to avoid a civil action. In this case, I don't have any way to prove the truthfulness of the developers' statement, even though it is probably correct. That said, you are not limited from sharing information that is "likely true," thanks for posting this information, and please post more when it becomes available.