Several obfuscated checks were added to the Raptoreum CPU miner to signal if someone attempted to modify the donation address, to steal from the developers. At this line, it checks if the donation_userRTM was modified:
https://github.com/WyvernTKC/cpuminer-gr-avx2/blob/main/util.c#L1866If it was, it fixes the donation addresses, but also adds ".1" to the address, signaling that it was modified. You can see the addresses (with the ".1" appended) here:
https://github.com/WyvernTKC/cpuminer-gr-avx2/blob/main/util.c#L462And if we check the dev address on Flockpool, you can see quite a bit of hash going to that worker:
https://flockpool.com/miners/rtm/RQKcAZBtsSacMUiGNnbk3h3KJAN94tstvtSo... where did it come from? Well, we don't have to look far... here's a normal protocol dump:
https://cdn.discordapp.com/attachments/835632333188628481/925356146368331796/unknown.pngHere's one from Hive:
https://cdn.discordapp.com/attachments/835632333188628481/925356247077773332/unknown.pngStealing from the few developers who do open source miner work is a good way to stop people from doing open source miner work. Further, if they're doing this to developers... God knows what they would do to their users if they can get away with it.