Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by Telek on 24/03/2014, 01:10:50 UTC
CleverMining has not been hacked. Redirection to 190.xxx doesn't come from the pool - rather something is hijacking your miners and redirects them to a malicious pool. We still have thousands of users mining at the pool and we just hit our highest hashrate ever yesterday with 22.5 GH/s average hashrate during the day.

If it was a pool issue, it would affect thousands of users and the pool hashrate would significantly drop instead of rising. The problem affects only a small number of users and affects users of several coin-switching pools - it is not limited/related to CleverMining. I am trying to help investigate this issue but at this point there is nothing suggesting that any of the pools were hacked.

Not trying to insinuate anything, but just suggesting...  I apologize if any of these ideas have already been covered, just trying to help.


Is it possible that clevermining was hacked, or at least one of the servers was, but the hack is smart enough to only siphon off a small amount of hash?  Otherwise it would be immediately noticeable when it was implemented.

Granted it appears that other pools were affected as well.  Is it possible that they're using similar backend software that may have been compromised?

Otherwise we appear to have a paradoxical situation.

- it isn't the pool because multiple pools are affected
- it isn't cgwatcher because those without it are affected
- it isn't the miner because people's miners that haven't been touched in weeks or longer are affected (unless it's a virus on the network)
- DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.

I think malware does seem most likely, as if cgminer is open to remote control there is no authentication.  Any computer or device anywhere on the network could scan for and redirect miners.  This way even miners that haven't been touched in a year could still be affected.

Do we have a thread with full details on everyone who has been affected?  All software installed and versions, OS, patches, windows updates on/off, last time any configuration was modified, router, ISP, location, etc?

Do we have any way to reproduce this?  Does anyone with logging enabled have a record of the request?  Is it happening frequently enough to run a network monitor?  Do we know what coin is being maliciously mined?
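Added example (not from this thread or from cgminer's own code): the post notes that cgminer's remote-control API has no authentication, so whoever the api-allow list admits with write privilege can add or switch pools, and it asks whether anyone has log records of the switch. The script below does two defensive checks on a miner host: it audits a cgminer.conf for API exposure (api-listen, api-network and api-allow are real cgminer options; the values and the config file are constructed), and it scans log lines for pool-switch events to a host outside an allowlist. The log lines and the "Switching to pool N URL" wording are assumed for this example, so adapt the regex to the messages your cgminer build actually writes; the unknown host 192.0.2.10 is a TEST-NET placeholder, not an observed address.

```python
import ipaddress
import json
import re

# Constructed sample config: API reachable from the whole LAN with W: (write)
# privilege, which is the exposure the thread is worried about.
SAMPLE_CONF = json.dumps({
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": "worker", "pass": "x"}],
    "api-listen": True,
    "api-network": True,
    "api-allow": "W:192.168.1.0/24",
})

# A tightened variant: API on loopback only, write access only from 127.0.0.1.
SAFE_CONF = json.dumps({
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": "worker", "pass": "x"}],
    "api-listen": True,
    "api-allow": "W:127.0.0.1",
})


def audit_api_settings(conf_text):
    """Return a list of findings describing risky cgminer API exposure.

    cgminer's API carries no password: any address granted W: privilege can
    issue addpool/switchpool and repoint the miner at another pool.
    """
    conf = json.loads(conf_text)
    findings = []
    if not conf.get("api-listen", False):
        return findings  # API disabled, nothing listening to reach
    if conf.get("api-network", False):
        findings.append("api-network enabled: API bound to all interfaces")
    # Assumption: when api-allow is absent cgminer only admits 127.0.0.1.
    allow = conf.get("api-allow", "W:127.0.0.1")
    for entry in allow.split(","):
        entry = entry.strip()
        if not entry:
            continue
        priv, _, cidr = entry.partition(":")
        if priv != "W":
            continue  # read-only (R:) access cannot change pools
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.is_loopback:
            findings.append(f"write access granted to non-loopback range {cidr}")
    return findings


# Constructed cgminer-style log excerpt; wording of the messages is assumed.
SAMPLE_LOG = """\
[2014-03-23 09:58:01] Switching to pool 0 stratum+tcp://pool.example.invalid:3333
[2014-03-23 10:12:44] API: addpool request from 192.168.1.77
[2014-03-23 10:12:45] Switching to pool 1 stratum+tcp://192.0.2.10:3333
"""

POOL_SWITCH = re.compile(r"Switching to pool \d+ (\S+)")


def pool_host(url):
    """Extract the host part of a stratum/http pool URL."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].rsplit(":", 1)[0]


def find_unexpected_pools(log_text, allowed_hosts):
    """Return (host, line) for every switch to a host not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = POOL_SWITCH.search(line)
        if not m:
            continue
        host = pool_host(m.group(1))
        if host not in allowed_hosts:
            hits.append((host, line))
    return hits


if __name__ == "__main__":
    for finding in audit_api_settings(SAMPLE_CONF):
        print("config:", finding)
    for host, line in find_unexpected_pools(SAMPLE_LOG, {"pool.example.invalid"}):
        print("log: unexpected pool host", host, "->", line)
```

Running it against the constructed inputs reports the two exposure findings for the sample config, none for the tightened one, and flags the single switch to 192.0.2.10. On a real host the same two checks answer the thread's questions directly: whether this miner could have been repointed over the LAN at all, and whether the log shows when it happened.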