How does GCP detect crypto mining within a VM?

4•drydenwilliams•6mo ago

Are they noticing this because 100% CPU usage? Or DNS queries from the instances?

This just happened to us and it would be super helpful to know how GCP can scan it before.

Comments

pocketsmart•6mo ago

GCP detects crypto mining in VMs by monitoring unusual resource usage like high CPU or network activity. It analyzes logs for known mining software and suspicious process behavior. Machine learning and threat intelligence help flag abnormal VM activity. Tools like Security Command Center and VPC Flow Logs assist in detection. If mining is detected, GCP alerts the user and may recommend or take action.

chistev•6mo ago

AI?

Bender•6mo ago

I do not know the answer specifically as it pertains to GCP but I know that a couple other VPS providers just look for specific programs using a lot of CPU via their command-line and program name from the hypervisor. No scanning, just a process list and CPU usage in those cases. But I have no idea what GCP is specifically doing in your case. Simple monitoring tools can flag this.

mcflubbins•6mo ago

> just look for specific programs using a lot of CPU via their command-line and program name from the hypervisor.

They would have to run this from within the guest, no? I don't like the thought of that.

mmarian•6mo ago

You could look at anomalous ingress/egress patterns.

rithdmc•6mo ago

I've no idea how GCP detect it, though I've read about detection mechanisms profiling the syscalls or CPU signals. Pixie Team posted in 2022 that "RandomX programs are easy to spot. They leverage a large set of CPU features, some of which are rarely used by other programs ... CFROUND changes the rounding mode for floating point operations. Other programs rarely set this mode. When they do, they rarely toggle this value as much as RandomX does"

However, I'd imagine network detection would catch a lot of the larger, automated crypto mining efforts.

Go 1.22, SQLite, and Next.js: The "Boring" Back End

Laibach the Whistleblowers [video]

I replaced the front page with AI slop and honestly it's an improvement

Economists vs. Technologists on AI

Life at the Edge

RISC-V Vector Primer

Show HN: Invoxo – Invoicing with automatic EU VAT for cross-border services

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App