ScannerSend Network

Crowd-sourced miner hunting. Every kill generates intelligence.

When CryptoAnnihilator kills a miner, the attacker's wallet address is still on disk. It has to be — the pool needs it in plaintext. The ScannerSend Network collects these wallets from servers worldwide and builds a database of dirty addresses.

The more servers that run it, the faster wallets get burned.

How It Works

Detection & Kill

CryptoAnnihilator detects a miner using its 4-layer behavioral engine and kills the process.

Wallet Extraction

Before the kill, Layer 5 extracts the wallet address from /proc/PID/cmdline, environment variables, or config files. The wallet is always there.

Secure Report

The plugin sends a signed forensic packet to net.scannersend.org — wallet, pool, coin type, detection layer. Nothing else. The packet is nonce-authenticated and HMAC-signed.

Crowd Validation

When 3+ unique servers report the same wallet, it's flagged as confirmed dirty. These wallets are published on our public dashboard.

What IS reported

Wallet address and coin type (XMR, BTC, ETH, etc.)
Mining pool hostname and port
Process name (e.g., xmrig)
Detection layer number (1-4)
Timestamp

What is NEVER reported

Your IP address (discarded server-side)
Your hostname or system info
OS, kernel version, RAM, disk
Usernames, file paths, command lines
Any personally identifiable information

Install the Plugin

The ScannerSend Network is a separate, optional plugin. CryptoAnnihilator works identically without it.

sudo crypto_annihilator.py --install-network

Or manually:

wget https://scannersend.org/download/scannersend_network.py -O /usr/local/bin/scannersend_network.py
chmod +x /usr/local/bin/scannersend_network.py

To disable (even with plugin installed):

crypto_annihilator.py --kill --no-network

To remove completely:

rm /usr/local/bin/scannersend_network.py

Security

Every report is nonce-authenticated (server-issued, single-use, 60s expiry) and HMAC-SHA256 signed. The server validates strict schema, wallet format, rate limits (10/hr), and rejects anything that doesn't match. The plugin source is readable: 130 lines of Python.

View Reported Wallets →

Privacy

What is sent: Wallet address, coin type, pool host/port, process name, detection layer, timestamp.

What is never sent: Your IP (discarded in Tier 1), hostname, system info, kernel version, usernames, file paths, or any personally identifiable information.

Tier 2 (opt-in): Adds a non-reversible contributor hash (SHA256 of IP + salt) for tracking your own contribution history. You can query your receipts and see if reported wallets get confirmed.

The base tool never makes outbound connections. Only the explicitly installed plugin phones home, and only to net.scannersend.org. Remove the plugin to stop all reporting instantly.