County IT Supervisor Mined Bitcoin At the Office, Prosecutors Say (nytimes.com)
An anonymous reader quotes a report from The New York Times: A Long Island man was charged on Wednesday with using his position as an I.T. supervisor for Suffolk County to mine cryptocurrency from government offices, costing the county thousands of dollars in electricity. Prosecutors said that Christopher Naples, 42, of Mattituck, L.I., had hidden 46 specialized devices used to mine Bitcoin and other cryptocurrencies in six rooms in the Suffolk County Center in Riverhead, including underneath floorboards and inside an unused electrical panel. Mr. Naples was charged with public corruption, grand larceny, computer trespass and official misconduct. If convicted of the top charge, he could face up to 15 years in prison.
Mr. Naples had admitted that the devices belonged to him and that he had been operating them for at least several months before the district attorney's office was alerted to the scheme. Prosecutors said that at least 10 of Mr. Naples's machines had been running since February, costing Suffolk County more than $6,000. [...] [G]iven that 36 more machines had been discovered, it was likely that Mr. Naples had cost the county thousands more. [...] [O]ne room in which Mr. Naples had placed the devices had critically important computer servers and other equipment for the entire county, and that the temperature in that room in which the devices were placed had dropped 20 degrees shortly after they were disabled.
Throw the book at him (Score:5, Insightful)
There is no excuse for this level of incompetence and greed.
I mean, he should have stopped at 1 or 2 devices.... That floorboard trick sounds like a good one. He should have just stuck with that...
Seriously though, I am sure that most IT admins have had at least a passing thought of loading a miner on company equipment or putting an extra server in the server room. But a core part of the make-up of a good IT admin is trustworthiness. If you don't have trust, you don't have anything.
Shame on this guy for abusing that trust.
Wait till it's in silicon... (Score:1)
This guy was a low level hack.
How about we take a good hard look at any electronic IC that generally runs rather warm and has the potential for network access? How hard would it be to sneak some extra circuitry inside an IC at design time to do some bitcoin mining on the sly? Everything is going towards "smart" this and "smart" that these days, so why not? Who's gonna notice that your new smart TV runs a little warmer than your old dumb TV? Or your new QLC SSD drive runs a little extra warm, even when you'r
Re: (Score:2)
Let's be thankful that Superman stopped him.
Re: Wait till it's in silicon... (Score:1)
How hard would it be to sneak some extra circuitry inside an IC at design time to do some bitcoin mining on the sly?
Infinitely small transistors, completely free... just don't tell the fabs.
Re: (Score:2)
Who's gonna notice that your new smart TV runs a little warmer than your old dumb TV?
And now you know why the US requires EnergyGuide tags for appliances and larger electronics. They foresaw stealth mining.
What?! No under-age hookers and Molly? (Score:2)
https://www.clickorlando.com/n... [clickorlando.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
what he should have done was gone to the county and ask them to legit mine for coins so they can recoup some profits as a way to diversify....
Re: (Score:2)
There was a guy selling mining rigs a while back who had a video where he basically said that the only way to actually make money on it was to steal electricity.
(he was grabbing power at a coffee shop)
So it only makes them money if they're in an area where electricity is cheap, it doesn't cause other maintenance headaches (like taxing the air handlers), and the price of bitcoin increases.
At least back in the 90s/early 2000, sysadmins who got fired for abuse of company resources were being altruistic. (for
Re: (Score:1)
There was a guy selling mining rigs a while back who had a video where he basically said that the only way to actually make money on it was to steal electricity.
Well yeah. Cryptocurrencies are built for 2 reasons: money laundering and to substitute for penny stocks in pyramid and pump-and-dump scams. As such, the biggest "producers" also will find any way possible (almost always illegal) to shift the cost of the electricity and pollution generated onto others too.
It's impossible to respect or take serio
Re: (Score:3)
There was a guy selling mining rigs a while back who had a video where he basically said that the only way to actually make money on it was to steal electricity.
And this is BS. I live in the UK where electricity is expensive, at £0.18/kWh ($0.25), and GPU mining is still profitable. ASIC mining is more profitable still if you have an up to date miner. From what I understand, electricity is half the cost in the USA than it is here. So your "guy who had a video" was talking out of his arse, or talking a
Re: (Score:2)
And sending those components to a premature grave.
The upgrade churn makes that a moot point.
Re: (Score:2)
Yeah, I did that, installed SETI@Home on a couple of new servers that spent 90+% of their time idling, the phone system, and a few workstations that the monitor was always turned off. Almost got fired over that, but at one point I was in the top 20 producers of work units. My only excuse was that I was new to the IT profession, but it wasn't much of an excuse since I knew enough to hide what I was doing.
Re: (Score:2)
> as a way to diversify....
Yes, the country can diversify the tax payers money... some crypto speculation, some horse racing and top it off with scratch-off tickets.
Diversity is our strength.
loading a miner on company power / network (Score:2)
loading a miner on company power / network (small data use and if we go after that then we need to go after anyone who uses the network for non work stuff)
running up the power bill / AC load is the big thing.
Re:loading a miner on company power / network (Score:5, Funny)
They make a dollar, I make a dime.
That's why I mine on company time.
Re: (Score:2)
They make a dollar, I make a dime.
That's why I mine on company time.
Probably one of the worst reasons I've ever heard. Those dimes add up to your salary.
Oh, and speaking of time, it sounds like the entire impact of his crime comes down to stolen electricity, which somehow justifies up to 15 years of incarceration. Hope it's worth it for you.
Re:loading a miner on company power / network (Score:4, Informative)
it sounds like the entire impact of his crime comes down to stolen electricity,
#1 - Stolen electricity in dollar amounts crossing the line from "petty larceny" to "grand larceny" under statute. New York law would indicate that a $6000 theft (based on the dollar amount of the stolen electric costs) is Grand Larceny in the Third Degree [newyorkthe...awyers.com]. Depending on the full number of devices located, calculation of the charges, they may very well increase this to the 2nd degree if he does not plea bargain. Max load for the devices in question is $4200/month [timesreview.com] so I would gather they can easily make a case the theft is actually over the $50,000 line in electricity.
#2 - Illegal access, connecting unapproved and illicit devices to the business network without authorization.
#3 - Illegal access, punching holes in the firewall that (a) degraded service significantly and (b) left it wide open to outside compromise.
#4 - Public Corruption charge, consisting of self-dealing and/or embezzlement.
#5 - Official Misconduct.
Re: (Score:3)
#1 - Not going to dispute this other than their assumptions that devices were consuming "max load" 100% of the time. Don't give me that crap. It should be fairly easy to do the actual calculations here with electric bills and power meter statistics. Don't estimate a 2nd degree charge. PROVE it.
#2 - Rather difficult to call his access "illegal" when he was obviously authorized to access these physical areas to plant his devices. IT often has "facilities" level access because computers are usually everyw
Re: (Score:2)
#2 - He was not authorized to plant/install those devices. Doesn't matter if he was authorized to physically walk into the room, he wasn't authorized to install those devices and hook them to the building network.
#3 - Given the state of the mining software? Trivial to exploit a vulnerability in them and use it as an attack vector into the county systems.
#5 - When average citizens get the BOOK thrown at them - He's not "an average citizen". He occupied an office of public trust. Fuck off with your gaslig
Re: (Score:2)
Found the crypto-miner that is doing the same thing and is defending this guy's conduct. Cryptomining = eco-cide.
Re:Throw the book at him (Score:5, Insightful)
The core part of every job being a Sys-Admin or not is trustworthiness.
However the more power or authority you are granted you need to keep up your level of trustworthiness, because the more power that you have the less number of people who have the authority to question your actions.
Most Organizations have a hard time figuring out what to do with those IT Guys. They are often granted power that is normally reserved for only the top officials. However they may only have the authority that an entry level person has. Power Breeds corruptness, Authority Breeds responsibility. Combined with the fact that organizations know they need these computers to run their business, however the work of the IT Guys is like some sort of black magic. Makes it difficult to check on and sanity check a Sys-Admin's decision.
This creates a situation where a Sys-Admin when caught will go down in flames. Vs. just being corrected early on before it went too far.
An organization that has a better handle on IT, vs the lone IT Guy, Where they actually review system requirements and determine that they may not need extra servers, or servers full of GPU to run a Database. They are people hired to monitor performance and utilization, as well backup admins for if they are on vacation, or gets hit by a bus. Where there are little surprises. So if the IT Guy was using spare processing power to mine for bitcoins, it would be caught, and probably just a word of warning, showing that we monitor such things, and that it is unacceptable use of the organization's systems. (which is often enough) Basically to balance the amount of power and authority to an acceptable level.
Re: (Score:2)
They are often granted power that is normally reserved for only the top officials. However they may only have the authority that an entry level person has...Combined with the fact that organization know they need these computers to run their business, however the work of the IT Guys is like some sort of black magic.
You mean to say: the sysadmins are made responsible for security, but then not given the power to enforce/require even the simplest shit (such as 2-factor authentication, require reboots for t
Re: (Score:2)
If I find that you run a miner on a network I am responsible for, you're a has-been. And I mean in the industry.
Actually, you run an unauthorized device with network access that potentially accepts access from the internet, you're a has-been.
And it's not about the money. Neither the electricity bill nor the money you could have gotten from the mined coins. It's a security risk.
Re: (Score:2)
If I find that you run a miner on a network I am responsible for, you're a has-been. And I mean in the industry.
You are able to blackball someone from the entire industry? How does that work?
Re: (Score:3)
1. Fire for cause.
2. File civil lawsuit from company or county entity, to recoup losses.
3. Publicize information regarding the firing-for-cause and civil lawsuit to as many known in-industry communication channels as possible. Possibly make the story get on the news, as happened in this case.
At that point they're likely not going to find employment in the industry... at least not anywhere that knows what they are doing.
Now if only it worked that way for abusive/steroided cops, but sadly, the cops get p
Re: (Score:2)
When I worked for the police department, we had a programmer posit
Re: (Score:3)
> Then you call the IT director
Most corporate attorneys, and HR departments, will fire you much faster for this than they fired the person caught mining bitcoin.
Re: (Score:2)
He was caught [self-pleasuring] in his cubicle!"
Seriously, what does that have to do with his ability to develop software?
Re: (Score:2)
The financial information security industry is surprisingly small.
And we talk.
Re: (Score:1)
I could understand if this guy was in the private sector. But he's not, he works for the government. Therefore they should let him go off scot-free, just like Congress. Because they commit fraud and corruption on an industrial scale, legally. They legalized it for themselves (see:insider trading). Going after some low-level hack like this guy is just hypocrisy, not that that has ever stopped anyone in government.
Re: (Score:2)
All? That was dumb. I just put it on a couple of barely-used servers (and still got caught and almost fired).
Re: (Score:2)
Obligatory PA link: https://www.penny-arcade.com/c... [penny-arcade.com]
Same news, different person ...
theft of electricity (Score:1)
Theft of electricity used to be the only thing they could pin computer related crimes with. What's old is new again, I suppose.
Re: (Score:2)
He should have given the county a cut... and then some. I bitcoin mine on a number of our machines, but 100% goes to my company. I'm just maximizing utilization of precious assets (expensive GPUs).
We've already made $2,000 this year which I put right back into buying faster GPUs for employees... which can then mine. A virtuous cycle of using systems after hours to buy systems for during business hours.
computer trespass?? I can see grand larceny, damag (Score:2)
computer trespass?? for what the small amount of data
I can see grand larceny for the power and higher AC costs.
Re: (Score:2)
Given how broadly the CFAA gets applied, that's pretty typical. It's basically accusing him of breaking and entering, but with a computer. I guess he should've thought of it ahead of time and patented it first.
Re: (Score:2)
Though it still seems excessive for what basically amounts to stealing office supplies.
Re: (Score:2)
well they can say he damaged a $1000+ AC unit by jacking the heat up with miners.
Back In My Day... (Score:2)
We were just a bunch of dumb college kids who loved playing Quake II CTF.
We eventually got busted and took it offline forever. Just got a stern yelling at.
We would never dream of something hardcore like mining Bitcoin at work. That may as well have been the virus in Office Space to us back then.
Re:Back In My Day... (Score:5, Funny)
Ran a Quake server locally on our network and 4 of us would play at lunch.
Had the head of the word processing unit come to us complaining that their network printers were down. Sure enough, could not get a job to print. Went back to my office to get the sniffer started. Turned off the Quake server so that wouldn't show up in the logs. A minute later, the original complainant came to tell us that the printer was running again and to thank us for fixing it.
We put the Quake server on a different ring.
Re: Back In My Day... (Score:3)
Once upon a time we ran a quake server on the only sparc that could host Oracle. Well one day the professor came over to our office and complained that oracle queries were taking way too long. We said we would look right into it! When the door closed we simply stopped our death match… that was hosted on the beefy oracle box. Once his class ended we fired it right back up (sorry to any students who were hideously frustrated doing homework that night)
This was 20+ years ago…
Re: (Score:2)
Being today computers are so vulnerable that they really need to be set up and used for their intended purpose only.
You got yelled at for Playing Quake II CTF, not so much because they had issues with you misusing the computer, but because you were goofing off at work, playing games where you should have been working. (as well possibly making noise and distracting other workers as well)
Today having a game on your system is one more possible vulnerability for someone to get onto your network with.
Re: (Score:2)
Did phone support for Win95 back when it was still fairly new at the most disorganized contractor I've ever seen. Our third day the instructor who was supposed to be training us in troubleshooting didn't show up so they just let us in the classroom. About half the class were already Win95 users, and got poking around on the Microsoft network until they found a network share of the multiplayer version of Doom. Within about 20 minutes they had crashed the entire Microsoft network backbone, so management de
Re: (Score:2)
In the late 90s I was at a place where we did Seti@Home and also Quake. I don't know if higher-ups knew about the Quake, but the SETI group was well-known and some admins might have even been on there too. It was all volunteer stuff and/or morale building that wasn't about making money. I suspect a Bitcoin mining pool would not have been tolerated.
Management could be jerks about some things, but I think they tolerated odd/experimental servers because they knew it made people better and happier workers.
Thermostat? (Score:2)
If the server room/closet went down 20 degrees then either their thermostat is broken or he overloaded the cooling with his miners.
If it was the latter then he was putting work machines at risk of failure as well. His salary is way more than $2K in a NY govvy job. Not smart.
Being Long Island he should have insisted on an oversized solar array and wind farm and skimmed off the top.
Were they ASICs? (Score:3)
Guilty (Score:3)
He brought in devices, hid the devices, and knew that they would require power and cooling resources. I guess if I were the defense attorney I'd try to liken it to bringing in a playstation to put in the break room and those people are stealing electricity and cooling. I would also lose the case.
The real problem: Security (Score:2)
Ok, maybe not in governmental areas where security is swiss cheese anyway, but if you introduce a computer to a network that is not subject to routine auditing, you may open up a security problem.
Personally, I wouldn't even have a problem with him mining stuff on company power. Make it part of the security audit pile and we can talk about you running that crap. Ok, it's different for government institutions because their security head honcho probably couldn't greenlight it due to being taxpayer money that's
Re: (Score:2)
If he was working for me, that could actually have been in the cards. I can't grant bonuses as I wish, but I can justify running computer systems.
Do the math.
How much was mined? (Score:2)
Mr. Naples had admitted that the devices belonged to him and that he had been operating them for at least several months before the district attorney's office was alerted to the scheme. Prosecutors said that at least 10 of Mr. Naples's machines had been running since February, costing Suffolk County more than $6,000. [...] [G]iven that 36 more machines had been discovered, it was likely that Mr. Naples had cost the county thousands more.
Article is behind a paywall. Does it mention how many bitcoins he mined and profited from?
If you include those bitcoins which I'd consider the property of Suffolk County since they were mined on their property and using their electricity, the cost to the county would be in the tens of thousands, if not a hundred thousand, considering the price of bitcoin almost hit $65,00/bitcoin back in April of 2021.
Re: (Score:1)
No it's not. You're just lazy.
Re: (Score:1)
You've busted on three people about the paywall thing so far that I've seen, and not once offered any advice on getting around them. So, sounds like you're kinda useless in addition to being an asshole.
Guy's an idiot on multiple levels (Score:2)
"Mr. Naples’s use of the internet was such that other county employees had complained that service had slowed, Mr. Sini said. He also said that the county had several times called in workers to fix the air conditioning in the room in which Mr. Naples had installed the machines."
He's in IT. He had to know of these concerns and that it would lead to his scheme being detected.
Where are the stealth computers for doing this? (Score:2)
Ceiling mount "wireless access points" (don't use PoE, tap into the 277 VAC used by commercial fluorescent lighting), department-scale laser printers that actually print, except that there's another motherboard inside, and so on. If you can make it look like any bog-standard hunk of office technology that nobody questions, you could get away with this for years.
It might not even have to be office computer-type technology. You could mount a thin rig behind the break room fridge. Those plug-in water cooler
20 isn't that hard... (Score:1)
"the temperature in that room in which the devices were placed had dropped 20 degrees shortly after they were disabled."
Some municipal data centers can more accurately be termed data closets, shoehorned into buildings constructed while there were still party lines in effect, +20 degrees could be achieved by powering on a Nintendo.
He should have been "an executive" (Score:3)
Then his side business that cost money to the parent entity would be considered part of his normal salary and expenses. But since this guy is an "IT Guy", well how dare he do this, get the police!
While I don't agree with taking advantage of his work place, the guy's wrongs are a hell of a lot less wrong than what the executives do by default from what I see. Cheating on taxes... everything is a company expense. Using company time for side businesses. You name it. This guy probably thought the electric bill would be an extra 30 bucks a month and who would care.
I remember the good ol' days where (Score:1)
...slothful employees would simply watch porn.