Complete guide to CryptoAnnihilator v2.0.0 by ScannerSend
Requirements: Linux (any distro) + Python 3.6+. Root access for full protection.
Uses /proc, iptables, and systemd — Linux only. Not compatible with Windows or macOS.
curl -sS https://scannersend.org/install.sh | sudo bash
This downloads the script, copies it to /usr/local/bin/, creates a systemd service, and starts it immediately. One command, done.
wget https://scannersend.org/download/crypto_annihilator.py
chmod +x crypto_annihilator.py
sudo python3 crypto_annihilator.py --kill --daemon
sudo python3 crypto_annihilator.py
Runs a single scan and reports findings without killing anything. Good for a first look.
Layer 1: Monitors all TCP connections via ss and reads /proc/PID/cmdline and /proc/PID/environ for Stratum mining protocol patterns: mining.subscribe, mining.submit, mining.authorize. No legitimate software uses these JSON-RPC methods. If a process speaks Stratum, it is mining.
Layer 2: Measures CPU usage over a configurable window (default: 5 seconds). A process that sustains high CPU (default: 80%+) AND has outbound network connections to non-whitelisted destinations matches the behavioral profile of a crypto miner. This catches miners that use custom binaries, renamed executables, or novel algorithms with no known signature.
Layer 3: Maintains a list of 22+ mining pool domains and common miner process names. With --install-dns-block, these domains are poisoned in /etc/hosts. With --install-firewall, iptables rules block the Stratum protocol at the kernel level.
Layer 4: The zero-day killer. Even if a miner throttles CPU below Layer 2’s threshold, encrypts Stratum with TLS to hide from Layer 1, and renames itself to dodge Layer 3 — it still needs a persistent outbound connection to submit shares. Layer 4 correlates moderate CPU usage (20%+) with long-lived connections to mining-associated ports. This behavioral fingerprint catches evasive miners that defeat every other layer simultaneously.
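How the Stratum-pattern, high-CPU and moderate-CPU checks described above (Layers 1, 2 and 4) could be combined over one process snapshot, as an added example that is not CryptoAnnihilator's own code. The CPU thresholds are the defaults stated above; the port set, destination allowlist, minimum connection age and record layout are assumptions, and the snapshots are constructed.

```python
import re

# Added illustration, not CryptoAnnihilator's source. CPU thresholds are the page's
# defaults; MINING_PORTS, ALLOWED_DESTS, MIN_AGE_S and the record layout are assumptions.
STRATUM = re.compile(rb"mining\.(subscribe|submit|authorize)")
MINING_PORTS = {3333, 4444, 5555}
ALLOWED_DESTS = {"10.0.0.5"}
MIN_AGE_S = 300
CLK_TCK = 100  # use os.sysconf("SC_CLK_TCK") on a live host

def cpu_ticks(stat_line):
    # comm (field 2) may contain spaces and ')', so cut at the LAST ')'.
    fields = stat_line[stat_line.rindex(")") + 1:].split()
    return int(fields[11]) + int(fields[12])  # utime + stime (fields 14 and 15)

def cpu_percent(stat0, stat1, window_s):
    return 100.0 * (cpu_ticks(stat1) - cpu_ticks(stat0)) / (CLK_TCK * window_s)

def classify(proc, window_s=5):
    """Return which of layers 1, 2 and 4 fire for one process snapshot."""
    hits = []
    if STRATUM.search(proc["cmdline"] + b"\0" + proc["environ"]):
        hits.append(1)
    cpu = cpu_percent(proc["stat0"], proc["stat1"], window_s)
    outbound = [c for c in proc["conns"] if c["dst"] not in ALLOWED_DESTS]
    if cpu >= 80 and outbound:
        hits.append(2)
    if cpu >= 20 and any(c["port"] in MINING_PORTS and c["age_s"] >= MIN_AGE_S
                         for c in outbound):
        hits.append(4)
    return hits

def make_stat(comm, utime, stime):  # build a constructed /proc/PID/stat line
    return (f"4242 ({comm}) S 1 4242 4242 0 -1 4194304 100 0 0 0 "
            f"{utime} {stime} 0 0 20 0 1 0 5000")

# Constructed snapshots (documentation-range IP), two stat samples taken 5 s apart.
THROTTLED = {"cmdline": b"/tmp/.x\0--quiet", "environ": b"PATH=/bin",
             "stat0": make_stat("kworker) S 1 (x", 1000, 200),
             "stat1": make_stat("kworker) S 1 (x", 1120, 230),
             "conns": [{"dst": "203.0.113.7", "port": 3333, "age_s": 3600}]}
BUILD_JOB = {"cmdline": b"cc1\0-O2", "environ": b"PATH=/bin",
             "stat0": make_stat("cc1", 0, 0), "stat1": make_stat("cc1", 480, 10),
             "conns": []}

if __name__ == "__main__":
    for name, snapshot in (("throttled", THROTTLED), ("build", BUILD_JOB)):
        print(name, classify(snapshot))
```

The throttled sample sits at 30% CPU and carries no Stratum string, so only the Layer 4 correlation fires; the build job runs at 98% CPU but has no outbound connections, so nothing fires.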
| Flag | Description |
|---|---|
| --kill | Kill detected miners with SIGKILL (default: alert only) |
| --daemon | Run continuously, scanning at regular intervals |
| --interval N | Scan interval in seconds (default: 30) |
| --cpu-threshold N | CPU percentage threshold for behavioral detection (default: 80) |
| --cpu-window N | CPU measurement window in seconds (default: 5) |
| --whitelist names | Comma-separated process names to skip |
| --event-dir path | Skip processes running from this directory |
| --install-firewall | Install iptables rules to block Stratum protocol |
| --install-dns-block | Block mining pool domains in /etc/hosts |
| --fortify | Enable self-healing persistence (5 layers) |
| --uninstall | Cleanly remove CryptoAnnihilator and all persistence layers |
| --status | Show current protection status |
| --verbose | Verbose output with debug information |
| --version | Show version number |
| --persist | Enable persistence (auto-restart on reboot via cron + systemd) |
| --install-network | Download and install the ScannerSend Network plugin for wallet reporting |
| --no-network | Disable ScannerSend Network reporting even if plugin is installed |
| --network-track | Enable Tier 2 contribution tracking (receipts, history). Requires plugin. |
| --install-updater | Download and install the auto-update plugin (consent gate) |
| --check-update | Check for and apply available updates (requires update plugin) |
When run with --fortify, CryptoAnnihilator installs 5 independent persistence layers that self-repair on every scan cycle:
| Layer | Mechanism | If removed... |
|---|---|---|
| 1 | chattr +i on binary | Blocks deletion, even by root |
| 2 | systemd Restart=always, RestartSec=1 | Process restarts in 1 second |
| 3 | Cron watchdog (every 60s) | Restarts if service was stopped |
| 4 | rc.local boot fallback | Starts on boot if systemd disabled |
| 5 | Self-copying binary | Running process restores deleted files |
To cleanly remove everything: sudo crypto_annihilator.py --uninstall
Optional plugin for crowd-sourced wallet reporting. Every detection extracts the miner's wallet address and can report it to a central database.
sudo crypto_annihilator.py --install-network
Or manually:
wget https://scannersend.org/download/scannersend_network.py -O /usr/local/bin/scannersend_network.py
| Flag | Effect |
|---|---|
| --install-network | Download and install the ScannerSend Network plugin |
| --no-network | Disable network reporting for this run |
Extracts wallet addresses from detected miners before killing them:
| Source | Method |
|---|---|
| /proc/PID/cmdline | Parse -u WALLET and --user WALLET flags |
| /proc/PID/environ | Check WALLET, POOL_USER, XMRIG_USER env vars |
| Config files | Scan CWD for config.json, pools.txt with wallet patterns |
Supports: XMR (Monero), BTC, ETH, LTC, DOGE, ZEC wallet formats.
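The cmdline and environ sources from the table above, worked through as an added example that is not CryptoAnnihilator's own code. The flag and variable names are the ones listed on this page; handling of the --user=VALUE form, the stripping of worker suffixes and the three simplified coin patterns are assumptions, and the inputs are constructed placeholders rather than real wallets.

```python
import re

# Added illustration, not CryptoAnnihilator's source. Flag and variable names come from
# the page; the coin patterns are simplified assumptions, not full address validators.
ENV_KEYS = ("WALLET", "POOL_USER", "XMRIG_USER")
COIN_PATTERNS = [
    ("XMR", re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")),
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC", re.compile(r"bc1[0-9a-z]{39,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34}")),
]

def coin_type(value):
    # Pool logins often append ".worker" or "+difficulty"; match the leading part only.
    candidate = re.split(r"[.+/]", value, maxsplit=1)[0]
    for coin, pattern in COIN_PATTERNS:
        if pattern.fullmatch(candidate):
            return coin, candidate
    return None

def from_cmdline(raw):
    """raw: bytes of /proc/PID/cmdline (argv entries joined by NUL)."""
    argv = raw.decode("utf-8", "replace").rstrip("\0").split("\0")
    for i, arg in enumerate(argv):
        if arg in ("-u", "--user") and i + 1 < len(argv):
            yield argv[i + 1]
        elif arg.startswith("--user="):
            yield arg.split("=", 1)[1]

def from_environ(raw):
    """raw: bytes of /proc/PID/environ (KEY=VALUE entries joined by NUL)."""
    for entry in raw.decode("utf-8", "replace").split("\0"):
        key, sep, value = entry.partition("=")
        if sep and key in ENV_KEYS:
            yield value

def extract_wallets(cmdline, environ):
    found = []
    for value in list(from_cmdline(cmdline)) + list(from_environ(environ)):
        hit = coin_type(value)
        if hit and hit not in found:
            found.append(hit)
    return found

# Constructed inputs: syntactically shaped placeholders, not real wallets or pools.
XMR = "4" + "A" * 94
CMDLINE = f"./worker\0-o\0pool.example:3333\0-u\0{XMR}.rig01\0-p\0x\0".encode()
ENVIRON = b"PATH=/usr/bin\0POOL_USER=0x" + b"ab" * 20 + b"\0HOME=/root\0"

if __name__ == "__main__":
    print(extract_wallets(CMDLINE, ENVIRON))
```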
Wallet address, coin type, pool host/port, process name, detection layer, timestamp. Nothing else.
No IP, hostname, system info, usernames, or file paths.
CryptoAnnihilator is one base tool plus optional, independent plugins. Each piece is a separate download with its own consent gate.
crypto_annihilator.py: 1,591 lines of Python. All 5 detection layers, kill logic, persistence, uninstall. Never phones home. Ever. This is the only required piece.
scannersend_network.py — optional. Wallet reporting. Sends detected wallet addresses to net.scannersend.org. Tier 1 (anonymous) or Tier 2 (contribution tracking). Does not require Plugin 2.
Install: --install-network | Disable: --no-network or delete the file
scannersend_update.py — optional. Auto-updates. Checks for new versions, verifies SHA256 before applying. Does not require Plugin 1.
Install: --install-updater | Disable: delete the file
Every outbound connection is a conscious choice. Mix and match any combination:
| Setup | Phones Home? | What You Get |
|---|---|---|
| Base only | Never | Full detection + kill. Zero outbound. |
| Base + Network plugin | Only wallet reports | Detection + kill + wallet reporting |
| Base + Update plugin | Only version checks | Detection + kill + auto-updates |
| Base + both plugins | Wallet reports + version checks | Full suite, fully opt-in |
CryptoAnnihilator is built on explicit consent. Every capability beyond basic scanning requires a deliberate flag.
| Action | Flag Required | What Happens |
|---|---|---|
| Scan only | None (default) | Detects miners, prints results. No kills, no network, no persistence. |
| Kill miners | --kill | Terminates detected miners with SIGKILL |
| Auto-restart | --persist or --fortify | Installs systemd/cron watchdog to survive reboots |
| Report wallets | --install-network | Downloads plugin, sends wallet data to net.scannersend.org |
| Track contributions | --network-track | Enables receipts and contribution history (Tier 2) |
Tier 1 (plugin installed, default): Reports wallet address, pool, process name, detection layer. Anonymous. No tracking.
Tier 2 (--network-track): Everything in Tier 1, plus a contributor hash and receipt ID. You can check your report status and see if reported wallets get confirmed. Still no PII — the hash is SHA256 of your IP + salt, not reversible.
The base tool never phones home. Only the explicitly installed plugin makes outbound connections.
CryptoAnnihilator works best with sudo. Without root:
| Capability | Root | Non-root |
|---|---|---|
| Read all process cmdlines | ✅ | ❌ Only your user |
| Kill any process | ✅ | ❌ Only your user |
| Full network table | ✅ | ⚠ Partial |
| Install persistence | ✅ | ⚠ User crontab only |
| CPU monitoring | ✅ | ✅ |
Miners dropped by attackers almost never run as your user. Without root, you'll miss most threats.
If you run a legitimate, authorized crypto mining operation on the same server, CryptoAnnihilator will detect and kill your miners. If you also have the ScannerSend Network plugin installed, it will report your own wallet. This tool cannot distinguish between authorized and unauthorized mining — that is by design. Do not install this on a machine where you intentionally mine cryptocurrency.
Always verify downloads:
sha256sum crypto_annihilator.py
Compare against the checksum published on this page and in the source view.
Is this safe to run on my server?
Yes. It has zero dependencies beyond Python 3.6+ stdlib. No pip install, no network calls, no telemetry. Read the full source before running — it's 1,591 lines of readable Python.
Will it kill legitimate processes?
No. Layer 1 only triggers on Stratum mining protocol (no legitimate software uses mining.subscribe). Layer 2 requires BOTH sustained high CPU AND suspicious outbound connections. Use --whitelist to exempt specific processes if needed.
How do I update to a new version?
If you used --fortify, the binary is immutable. Run: sudo chattr -i /usr/local/bin/crypto_annihilator.py, then reinstall normally. The installer handles this automatically.
How do I completely remove it?
sudo crypto_annihilator.py --uninstall removes everything: service files, cron watchdog, rc.local entry, immutable flags, and the binary itself. Logs are preserved at /var/log/crypto_annihilator/.
Does it phone home or send telemetry?
The detection engine makes zero outbound connections. It reads /proc and runs ss. The only outbound code in the base tool is in the --install-network and --install-updater handlers, which run once when you explicitly ask to download a plugin. Verify: grep -n "urlopen" crypto_annihilator.py — you'll see it's only inside the plugin installer functions, never in the scan loop.
What Python version does it need?
Python 3.6 or newer. Uses only stdlib modules: subprocess, os, re, json, pathlib, logging, argparse, and others. All Python stdlib — no pip install needed.
What about Docker containers?
CryptoAnnihilator runs on the host and monitors all processes, including those inside containers. It reads /proc which spans all namespaces.
My antivirus flagged this file. Is it malware?
No. CryptoAnnihilator uses the same persistence techniques (systemd services, cron watchdogs, immutable file attributes) that real malware uses — because those techniques work. Security tools like Metasploit and Mimikatz face the same issue. Your AV is doing its job; it just can't tell the difference between a tool that uses persistence for defense vs. offense. You can verify the source code yourself, or use --no-persist for detection-only mode that skips all persistence layers.
What is --no-persist mode?
Running with --no-persist disables all 5 persistence layers (chattr, systemd, cron, rc.local, self-copy). The tool still detects and kills miners, but won't install itself permanently. This is useful for one-off scans, testing, or environments where your EDR would flag persistence behavior.