Everything you'll ask, answered upfront.
ClamAV matches file signatures. Hackers recompile miners daily, changing the hash. CryptoAnnihilator doesn't care what the binary looks like — it watches behavior. Stratum protocol traffic, sustained CPU, connection fingerprints. You can't mine without these behaviors, and you can't change that.
Those are full-stack security platforms. Excellent — and complex. CryptoAnnihilator is 1,591 lines of Python with zero dependencies. It does one job: find crypto miners and kill them. If you run Falco already, great — this runs alongside it as a specialized layer.
Fair concern. The full source is readable on this site before you install. The install script is viewable at /install.sh. For manual install: wget the file, read it, then run it. No blind trust required.
Current SHA256 of crypto_annihilator.py:
Verify: sha256sum crypto_annihilator.py
We get it. systemd services, cron watchdogs, immutable binaries — textbook persistence. We learned it from the miner that hit us: it used Restart=always to survive reboots. Now we use the same technique against miners. Every persistence layer is optional (--no-persist), documented, and cleanly removable (--uninstall). AV may flag it as “RiskWare” — expected. Whitelist after reading the source.
Default mode is scan-only — no --kill means nothing dies. Layer 1 only triggers on Stratum protocol (no legitimate software sends mining.subscribe). Layer 2 requires both sustained CPU (80%+, configurable) and outbound connections. Use --whitelist for known processes. Near-zero false positives because miners have a uniquely identifiable behavioral fingerprint.
Yes. Run on the host — it reads /proc which shows all processes including containerized ones. Catches miners inside Docker, LXC, and K8s pods from the host level.
Yes. Pure Python, no compiled extensions. Works anywhere Python 3.6+ runs — x86_64, ARM, aarch64, RISC-V. If it has /proc, it works.
Auditability. 1,591 lines that any sysadmin can read in 20 minutes. No build step, no binary blobs, no compiler trust chain. Performance isn't a concern — scanning /proc every 30 seconds uses negligible resources.
Use --event-dir /path/to/events to write JSON event files on every detection. Pipe into your existing monitoring (Prometheus, Grafana, custom webhook). Native integrations are on the roadmap.
Linux only. Uses /proc/net/tcp, /proc/[pid]/stat, iptables, systemd, and SIGKILL. None of that exists on Windows or macOS.
Read the source. 1,591 lines. Every function does exactly what it says. The detection logic reads /proc/net/tcp and parses real kernel data structures. The Stratum pattern matching is three string comparisons. The CPU measurement reads /proc/[pid]/stat jiffies over a time window. There are no abstractions hiding complexity, no frameworks, no magic. If you think any line is wrong, open an issue — we'll fix it or explain it.
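To make the two detection layers concrete, here is an added example (written for this page, not CryptoAnnihilator's own code) of the Stratum string match, the /proc/net/tcp row parser, and the jiffies-based CPU measurement from /proc/[pid]/stat over a window; the sample /proc lines are constructed, and the set of three Stratum method names is an assumption beyond the single `mining.subscribe` the text names.

```python
# Added illustration of the checks described above; not CryptoAnnihilator's code.
import os

# Assumed trio: the page names only mining.subscribe; the other two are the
# standard Stratum JSON-RPC methods that follow it in a mining session.
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit")

def looks_like_stratum(payload: bytes) -> bool:
    """Layer 1: plain substring comparisons on a captured payload."""
    return any(m.encode() in payload for m in STRATUM_METHODS)

def _hex_addr(field):
    """Decode one 'HEXIP:HEXPORT' column of /proc/net/tcp (IPv4 is little-endian)."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def established_connections(proc_net_tcp: str):
    """Return (local_ip, local_port, remote_ip, remote_port, inode) for ESTABLISHED rows."""
    conns = []
    for line in proc_net_tcp.splitlines()[1:]:       # row 0 is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != "01":        # st 01 == TCP_ESTABLISHED
            continue
        conns.append(_hex_addr(cols[1]) + _hex_addr(cols[2]) + (int(cols[9]),))
    return conns

def cpu_percent(stat_before: str, stat_after: str, elapsed_s: float, clk_tck=None):
    """Layer 2: CPU share from two /proc/[pid]/stat samples taken elapsed_s apart.
    utime/stime are fields 14 and 15; parse after the last ')' since comm may contain spaces."""
    clk_tck = clk_tck or os.sysconf("SC_CLK_TCK")
    def jiffies(stat):
        f = stat[stat.rindex(")") + 2:].split()      # f[0] is field 3 (state)
        return int(f[11]) + int(f[12])
    return 100.0 * (jiffies(stat_after) - jiffies(stat_before)) / (elapsed_s * clk_tck)

def layer2_flag(name, cpu, conns, whitelist=(), threshold=80.0):
    """Flag only when sustained CPU AND an outbound connection coincide, unless whitelisted."""
    return name not in whitelist and cpu >= threshold and bool(conns)

# Constructed samples: one listening socket (st 0A) and one established connection (st 01).
PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0A00000A:C350 0E0C0B0A:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)
STAT_T0 = "4242 (suspect proc) R 1 4242 4242 0 -1 4194304 100 0 0 0 1000 200 0 0 20 0 8 0 5000 0 0"
STAT_T1 = "4242 (suspect proc) R 1 4242 4242 0 -1 4194304 100 0 0 0 3700 200 0 0 20 0 8 0 5000 0 0"
```

With the constructed samples, the process burns 2700 jiffies in a 30 s window at 100 ticks/s (90% CPU) and holds one established connection to port 3333, so `layer2_flag` fires unless the name is whitelisted.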
Our server did. Twice. We got hit, our monitoring missed it, the miner ran for hours. We wrote this because we needed it. If you've never had a crypto miner on your server, congratulations — you're either lucky or you don't know about it yet.
You shouldn't. That's why it's a single readable file. wget it, cat it, read every line. It's 1,591 lines of stdlib Python — no network calls, no telemetry, no obfuscation. The entire source is on this website. Trust is earned by transparency, not asked for.
Only: wallet address, coin type, pool host/port, process name, detection layer, and timestamp. No IP, no hostname, no system info, no usernames, no file paths. Full details.
Yes. Run python3 scannersend_network.py to test the connection. The plugin is 130 lines of Python — read the whole thing. The forensic packet is a simple JSON object with exactly 10 fields.
Don't install the plugin. Or if installed: --no-network flag, or rm /usr/local/bin/scannersend_network.py. CryptoAnnihilator works identically without it.
Wallets reported by 3+ unique servers are flagged as confirmed dirty and published on the public dashboard. Long-term goal: forward to exchanges and pool operators for account review.
Yes. CryptoAnnihilator cannot distinguish between authorized and unauthorized mining. If you install it on the same machine as your legitimate miner with --kill, it will terminate your miners. If you also have the ScannerSend Network plugin, it will report your wallet to the crowd-sourced database. Do not install this tool on machines where you intentionally mine cryptocurrency.
The base tool: never. Zero outbound connections. It reads local /proc and runs local commands. That's it. The optional ScannerSend Network plugin (separate download, separate consent) sends wallet reports to net.scannersend.org. The plugin must be explicitly installed — it is not included in the base tool.
Tier 1 (plugin installed): Anonymous wallet reporting. No tracking, no receipts.
Tier 2 (--network-track): Contribution tracking. You get a receipt ID per report and can check if your reported wallets get confirmed. Uses a non-reversible hash — still no PII.
Works best with sudo. Without root, it can only see your own user's processes, which means it'll miss most threats (attackers rarely run miners as your user). CPU monitoring still works without root.
The script phones home to zero servers. No telemetry, no analytics, no update checks. Once installed, it runs entirely offline. This website uses basic server-side analytics (page views, downloads) with no cookies, no JavaScript tracking, and no third-party services.
MIT License. Provided “as is”, without warranty of any kind. The authors are not liable for any damage. Always test in scan-only mode before enabling --kill. Use --whitelist for processes you want to protect.