Complete guide to CryptoAnnihilator v1.0.0 by ScannerSend
curl -sS https://scannersend.org/install.sh | sudo bash
This downloads the script, copies it to /usr/local/bin/, creates a systemd service, and starts it immediately. One command, done.
wget https://scannersend.org/download/crypto_annihilator.py
chmod +x crypto_annihilator.py
sudo python3 crypto_annihilator.py --kill --daemon
sudo python3 crypto_annihilator.py
Runs a single scan and reports findings without killing anything. Good for a first look.
Monitors all TCP connections via ss and reads /proc/PID/cmdline and /proc/PID/environ for Stratum mining protocol patterns: mining.subscribe, mining.submit, mining.authorize. No legitimate software uses these JSON-RPC methods. If a process speaks Stratum, it is mining.
Measures CPU usage over a configurable window (default: 5 seconds). A process that sustains high CPU (default: 80%+) AND has outbound network connections to non-whitelisted destinations matches the behavioral profile of a crypto miner. This catches miners that use custom binaries, renamed executables, or novel algorithms with no known signature.
Maintains a list of 22+ mining pool domains and common miner process names. With --install-dns-block, these domains are poisoned in /etc/hosts. With --install-firewall, iptables rules block the Stratum protocol at the kernel level.
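As an added illustration (not CryptoAnnihilator's own source), the sketch below combines the first two layers described above: a Stratum method match on the contents of /proc/PID/cmdline and /proc/PID/environ, then the CPU-and-connection rule. The /proc/PID/stat tick arithmetic, the `ss -tnp` parsing, the function names and all sample data are assumptions constructed for this example.

```python
# Added illustration, not CryptoAnnihilator source. All sample data is constructed.
STRATUM_METHODS = (b"mining.subscribe", b"mining.submit", b"mining.authorize")
CLK_TCK = 100  # assumption: 100 ticks/s; on a live host use os.sysconf("SC_CLK_TCK")

def cpu_ticks(stat_line):
    """utime + stime (fields 14 and 15) from one /proc/PID/stat line."""
    # comm (field 2) may contain spaces or ')', so split after the LAST ')'
    rest = stat_line.rsplit(")", 1)[1].split()
    return int(rest[11]) + int(rest[12])

def cpu_percent(stat_before, stat_after, window_s):
    """CPU use over the window, as a percentage of one core."""
    return 100.0 * (cpu_ticks(stat_after) - cpu_ticks(stat_before)) / CLK_TCK / window_s

def remote_peers(ss_output, pid):
    """Peer IPs of ESTAB sockets owned by pid in `ss -tnp` output (direction not checked)."""
    peers = set()
    for line in ss_output.splitlines():
        cols = line.split(None, 5)
        if len(cols) == 6 and cols[0] == "ESTAB" and f"pid={pid}," in cols[5]:
            peers.add(cols[4].rsplit(":", 1)[0])
    return peers

def classify(proc, ss_output, allowed_peers, cpu_threshold=80, window_s=5):
    """Return 'stratum', 'behavioral' or 'clean' for one process snapshot."""
    if any(m in proc["cmdline"] + b"\0" + proc["environ"] for m in STRATUM_METHODS):
        return "stratum"
    busy = cpu_percent(proc["before"], proc["after"], window_s) >= cpu_threshold
    unknown = remote_peers(ss_output, proc["pid"]) - set(allowed_peers)
    return "behavioral" if busy and unknown else "clean"  # both conditions required

def snap(pid, comm, t0, t1, cmdline=b"", environ=b""):
    """Build a constructed snapshot: two stat lines taken window_s apart."""
    line = "{} ({}) R 1 {} {} 0 -1 4194304 100 0 0 0 {} 0 0 0 20 0 1"
    return {"pid": pid, "cmdline": cmdline, "environ": environ,
            "before": line.format(pid, comm, pid, pid, t0),
            "after": line.format(pid, comm, pid, pid, t1)}

SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:44312 203.0.113.9:3333 users:(("kworkerd",pid=4242,fd=7))
ESTAB 0 0 10.0.0.5:51000 198.51.100.7:443 users:(("sync (nightly)",pid=901,fd=4))"""
ALLOWED = {"198.51.100.7"}
RENAMED = snap(4242, "kworkerd", 1000, 1460)        # 92% CPU, unknown peer
ENCODER = snap(900, "ffmpeg", 500, 990)             # 98% CPU, no connections
BACKUP = snap(901, "sync (nightly)", 200, 640)      # 88% CPU, allowlisted peer
STRATUM = snap(777, "idle", 10, 12, cmdline=b"x\0--rpc\0mining.subscribe")
if __name__ == "__main__":
    for p in (RENAMED, ENCODER, BACKUP, STRATUM):
        print(p["pid"], classify(p, SS, ALLOWED))
```

The encoder and the allowlisted backup job both exceed the CPU threshold yet stay clean, because the rule also requires a peer outside the allowlist.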
| Flag | Description |
|---|---|
| --kill | Kill detected miners with SIGKILL (default: alert only) |
| --daemon | Run continuously, scanning at regular intervals |
| --interval N | Scan interval in seconds (default: 30) |
| --cpu-threshold N | CPU percentage threshold for behavioral detection (default: 80) |
| --cpu-window N | CPU measurement window in seconds (default: 5) |
| --whitelist names | Comma-separated process names to skip |
| --immune-dir path | Skip processes running from this directory |
| --install-firewall | Install iptables rules to block Stratum protocol |
| --install-dns-block | Block mining pool domains in /etc/hosts |
| --fortify | Enable self-healing persistence (5 layers) |
| --uninstall | Cleanly remove CryptoAnnihilator and all persistence layers |
| --status | Show current protection status |
| --verbose | Verbose output with debug information |
| --version | Show version number |
When run with --fortify, CryptoAnnihilator installs 5 independent persistence layers that self-repair on every scan cycle:
| Layer | Mechanism | If removed... |
|---|---|---|
| 1 | chattr +i on binary | Blocks deletion, even by root |
| 2 | systemd Restart=always, RestartSec=1 | Process restarts in 1 second |
| 3 | Cron watchdog (every 60s) | Restarts if service was stopped |
| 4 | rc.local boot fallback | Starts on boot if systemd disabled |
| 5 | Self-copying binary | Running process restores deleted files |
To cleanly remove everything: sudo crypto_annihilator.py --uninstall
Is this safe to run on my server?
Yes. It has zero dependencies beyond Python 3.6+ stdlib. No pip install, no network calls, no telemetry. Read the full source before running — it's 1,134 lines of readable Python.
Will it kill legitimate processes?
No. Detection layer 1 triggers only on the Stratum mining protocol (no legitimate software uses mining.subscribe). Detection layer 2 requires BOTH sustained high CPU AND suspicious outbound connections. Use --whitelist to exempt specific processes if needed.
How do I update to a new version?
If you used --fortify, the binary is immutable. Run: sudo chattr -i /usr/local/bin/crypto_annihilator.py, then reinstall normally. The installer handles this automatically.
How do I completely remove it?
sudo crypto_annihilator.py --uninstall removes everything: service files, cron watchdog, rc.local entry, immutable flags, and the binary itself. Logs are preserved at /var/log/crypto_annihilator/.
Does it phone home or send telemetry?
No. Zero network calls. Zero telemetry. It reads /proc and runs ss. That's it. Verify yourself: grep -n "urllib\|requests\|http\|socket\.connect" crypto_annihilator.py — you'll find nothing.
What Python version does it need?
Python 3.6 or newer. Uses only stdlib modules: subprocess, os, re, time, signal, pathlib, logging, argparse.
What about Docker containers?
CryptoAnnihilator runs on the host and monitors all processes, including those inside containers. It reads the host's /proc, which spans all namespaces.