Preventing Crypto Mining abuse on GitLab.com SaaS

Recently, there has been a massive uptick in abuse of free pipeline minutes available on GitLab.com and on other CI/CD providers to mine cryptocurrencies. In addition to the cost increases, the abuse creates intermittent performance issues for GitLab.com users and requires our teams to work 24x7 to maintain optimal services for our customers and users. To discourage and reduce abuse, starting May 17th, 2021, GitLab will require new free users to provide a valid credit card in order to use shared runners on GitLab.com. However, a user will be able to run pipelines without providing a credit card if they use their own runner and disable shared runners. Although imperfect, we believe this will reduce the abuse.

Learn more in this announcement blog post.

Mmm, while cryptocurrency is a cancer on civilization, the usage of credit cards is quite US centric and we already have one European contributor going “well shit”.

Does the rule apply to forks of a non-free-plan org that has public repos?

Will there ever be the ability to share project runners with forks in merge requests, even if it’s ACL based and we have to grant permissions? It’s the current headache for us anyway, that would actually help gitlab by allowing us to move more things to our org runners

Will there ever be the ability to share project runners with forks in merge requests, even if it’s ACL based and we have to grant permissions? It’s the current headache for us anyway, that would actually help gitlab by allowing us to move more things to our org runners

On the sharing of project runners, we do have Allow fork pipelines to run in parent project (&3278) · Epics · GitLab.org · GitLab, where we are looking at allowing forks to generate pipelines or run in parent project.

@mroszko Thanks for the feedback and questions. In addition to credit cards, debit cards can also be used.

Is it possible to use GitLab Pages without shared runners on a free account (without credit card verification)?

I currently use shared runners with the simple plain HTML template (.gitlab-ci.yml · master · GitLab Pages examples / plain-html · GitLab) to host a static site on GitLab Pages.

While I wouldn’t mind registering my credit card with GitLab, I don’t like that this sets the bar high for new users.

Perhaps enabling 2FA could also be considered a way to verify users.

Also maybe GitLab could work together with GitHub and other CI platforms to create a public shame/ban list for people abusing CI platforms for crypto mining.

2FA doesn’t solve anything. You can get hundreds of VOIP numbers for a few dollars, and it is highly automatable by bots.

A shame list literally does nothing. The users are hiding anonymously, they wash their IPs via VPNs and have bots generate hundreds of accounts. Welcome to the openness of the internet.

Debit/credit cards at least require an identity or for a user to commit wire fraud by using stolen card details. Wire fraud can be prosecuted criminally, while terms of service violations are civil matters that are barely enforceable.

I do worry a bit for gitlab here because stolen card details are incredibly easy to come by. My company got our ecommerce system hit a few months ago with bots using our store for tens of thousands of card numbers to test if they were valid, not even to place real orders. Our merchant processor wasn’t happy but :shrug:, we had to turn on captchas for carts on all users.

Tanuki San brother could help with triaging workload and users in a smart way. Maybe even throttling them.

We have created a new user which is now blocked for running CI pipelines. I can verify him using a credit card and it shows a success message. However, after a reload of the page or when he tries to trigger the pipeline again, the same error message appears. Does anyone face the same issue?

Yes, I have this problem too. And also GitLab pay took 2x $1 from me. I see this in my bank billing system; it was from my attempts at this :frowning: GitLab, can you get my money back? I can show you my bank billing.

@mikhail.kanavalov, the amount is an authorisation only; you’re not being charged for it but the funds do get “allocated”. This authorisation expires within a few days and the $2 are released so you can use it.

@nineoh, if you can consistently reproduce this error, I’d urge you to create a bug so the GitLab team can look into it: https://gitlab.com/gitlab-org/gitlab/-/issues/new

Hi @thiagocsf, thanks for your reply. We were able to manage it now. The employee the new user was for had to use his own credit card to verify himself. However, for companies it would be nice if it worked with a company credit card, too.

This might be another issue. I’ve already validated my account but it still asks for validation after refresh. It seems it doesn’t remember anything, please help!

@ZR87 as per the previous post above by @thiagocsf, I suggest you open a bug so the GitLab team can look into it. A post on the forum won’t be enough for it to be addressed. Just check first to make sure no-one else has opened an issue/bug for it already.

Hi, I have the same trouble with verification of my new GitLab account. The pipeline failed, but on the failed pipeline run detail page there is no “verification banner” and link displayed like in the video in your blog. In my personal account I also cannot add a credit card for verification; there it says I should go back to the group. I just want to start to work as a developer at my new job but have this kind of trouble. :frowning: What should I do?

Meanwhile, I do not have a credit card or debit card. But I have and use wallet currency from Indonesia. To begin running a pipeline, I get verification first, because I created my GitLab account in Dzulqa’dah 1442 H (June 2021).

Wallet currency or electronic currency from Indonesia uses a phone number and verification with an ID card (= KTP). Thanks for the information.