Adding Cryptojacking Campaign - Drupal Sites To Main Blocklist


Please can someone add the Cryptojacking Campaign - Drupal Sites, to the main pi-hole block list repository.

Link Drupal Cryptojacking Campaigns -- Affected Sites - Google Sheets


1 Like

I took the hosts from the lists above and placed them on this pastebin.

It will never expire so go ahead and use it as an additional list. (manually updated)

I signed up for updates from that list, so once it gets updated I'll update the pastebin too (i’ll still maintain pastebin for the ones using it).


you can also use @deHakkelaar’s list:

It auto updates itself. Simply add it to the block lists in your pi-hole and it will work.


That's great thanks :slight_smile:

EDIT: Read down posts below this one for updates!!!

Put it in CRON like so:

sudo mkdir /var/www/html/lists

echo $((RANDOM % 60)) "2 * * * root curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null && curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null" | sudo tee /etc/cron.d/cryptojacking_campaign

sudo service cron reload

When CRON runs between 2 and 3 AM (randomized), the generated list will be written locally to "/var/www/html/lists/cryptojacking_campaign.list.txt"

To create the list immediately instead of waiting for CRON to run:

curl -s '' | awk -F , '{print $1}' | tail -n +2 | sudo tee /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null && curl -s '' | awk -F , '{print $1}' | tail -n +2 | sudo tee -a /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null

On the Pi-hole admin page you can add below link as a list:



It syncs with the google sheet every hour as the list is still growing
... for the lazy ones :wink:

@Ukruler54321, maybe you could mention the source in your first posting:


I added the URL to adlists.list, which is in /etc/pihole will this do the trick?

That will do the trick.
If you run below one, the added URL will be imported into Pi-hole:

pihole -g

But I offered two automated alternatives as to relieve @RamSet from having to manually update that pastebin list whenever the google sheet gets updated.
If you dont want to setup cron like described above, you can use the link I provided as a list instead of the pastebin one:

And you dont need to edit the "adlists.list" file manually.
Instead use the web GUI to add the URL to the lists:


I updated the Pastebin list (and added the new host they added unders the second tab)

@deHakkelaar they started adding hosts to the second tab of the excel file.

You should update your contab to grab from there also :slight_smile:

I have deleted link from adlists.list.

Then added to the blocklist using the following command.

The terminal displays the "is not a valid argument or domain name!"


pihole -b adds a domain to the blacklist. It's not the correct way to add it to your ad lists.

sudo nano /etc/pihole/adlists.list

at the end, save and run a

pihole -g

That should get you there :slight_smile:

I updated the cron instructions above, the cron line is a bit long now :wink:
and below list is generated every hour pulling in both sheets now:

pi@noads:~ $ curl -s | wc -l

pi@noads:~ $ curl -s | tail
1 Like

Use the Pi-hole admin web GUI to add URL lists.
It will automatically pull all the blocked domains into Pi-hole.
The below link should get you there:


Thanks it worked

@deHakkelaar the spreadsheet has 5 pages. Does your list contain all of them?

Compromised Drupal properties (Source, Malwarebytes blog)

1 Like

Concatenated all on the pastebin list.

1 Like

Now it does:

pi@noads:~ $ curl -s | wc -l

And I moved shop to a VM thats got LetsEncrypt SSL:

Better test the URL in a browser first as my DNS change might not have propagated yet.
If you get a "Secure Connection Failed" messages or similar in the browser you need to wait a bit (DNS record TTL = 12 hours).
But as soon as you can load that https link in a browser, you can add it as a list in Pi-hole, and remove the old http one of course.
I'll keep the old http one running for a while as well.

The crontab became too long so I scripted it and put that in a crontab:


curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s '' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s '' | awk -F , '{print $1}' | awk -F '//' '{print$2}' | grep -v '^$' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt


I've been using your list ( but now it fails.
Would you mind to fix it?


I did some efforts but it seems something has changed.
I've been using below method/answer since I started the list to get an CSV export from the source Google sheet:

But getting a redirect message now to a non existing document:

pi@ph5:~/tmp $ curl -s -k ''
<TITLE>Temporary Redirect</TITLE>
<H1>Temporary Redirect</H1>
The document has moved <A HREF="*/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4?format=csv&amp;gid=0">here</A>.

I've asked if they made any changes.
But for now I dont know how to get the sheet's exported.
So I've taken down the list for the duration.

Ps. I did tidy up the script a bit to make it more readable.
Also "issues" can be reported on Github:

:sweat_smile: Sorry didn't know you host it on github - filed a issue there.


That was easy fix with the help of @yubiuser.
List is up again:

pi@ph5:~ $ pihole -g
  [i] Target:
  [✓] Status: Retrieval successful
  [i] Received 853 domains