Suggests a user of a remote shell account on compromised server(s) ... what is it, 3 IPs now that have been traced ...
many pages ago there was a post regarding the hacker group "Anonymous" ...
If you suggest someone was logging on my machines - it will be a little harder than that. Machines are behind two firewalls, extra network segment, no ssh was possible from outside.
What I implemented (filterwise) is that the miner rig cannot connect to external IPs at will, but only to specific IPs (pools) and specific ports - 3333.
Even if the attacker spoofed the packet - so the source IP is from the pool - then the redirect is blocked by external filters, so no stealing can be done anymore.
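An egress allow-list of the kind described in the post above, written as an nftables ruleset for a firewall that routes between the miner segment and the outside. This is an added example, not the poster's configuration: the interface name `miners0` and the pool addresses (taken from the 192.0.2.0/24 documentation range) are placeholders, and only port 3333 comes from the post.

```nftables
# Added example. Interface name and pool addresses are constructed placeholders.
table inet miner_egress {
    # The only destinations a miner rig may reach: the pool servers.
    set pool_addrs {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets that do not belong to a tracked connection are dropped,
        # which covers a spoofed packet that only carries a pool source IP.
        ct state invalid drop

        # Replies on connections the miners opened themselves.
        ct state established,related accept

        # New outbound connections: miner segment to a listed pool, TCP 3333 only.
        iifname "miners0" ip daddr @pool_addrs tcp dport 3333 ct state new accept

        # Any other attempt from the miner segment, for example a connection
        # to an address a redirect pointed the miner at, is logged and dropped.
        iifname "miners0" log prefix "miner-egress-drop " counter drop
    }
}
```

The log line on the last rule is the useful signal: a miner trying to reach an address outside `pool_addrs` shows up there instead of silently failing.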