I'm just waiting for the day when it's revealed that ~70% of miners on a top 5 cryptocurrency are compromised by a specialized worm or malware. We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable. The people writing this type of software are definitely financially motivated, but I can easily imagine such a person throwing away millions of dollars in 0-days just to fulfill such a hackneyed cyberpunk cliche.
Also, we know that things like Stuxnet exist. Imagine something even a fraction as crazy as that targeting mining nodes. It's going to happen eventually.
>We'll probably only find out after the double spending is discovered but this type of outcome seems almost inevitable
attacks like this are harder to pull off than you think. miners constantly submit "shares" to the pool, which are then validated to credit them a share in the block reward[1]. depending on what the difficulty threshold of the shares is, these could be submitted a few times a minute to every few minutes. if you hacked and gained control of the miners, sure you can redirect all the hashing power to you, but this will be detected quite quickly. with thousands of dollars on the line per minute, you can bet that everybody has monitoring in place to detect a dip in share submissions. also keep in mind that you have to keep this going for about 1 hour (for your initial transaction to confirm) without people noticing. moreover, the core problem with stealing hash power to do a 50% attack is that block times will skyrocket on the main chain, which will let everybody (and not just the pool operator) know that something's up. plus after this attack, you can bet that exchanges will start requiring additional confirmations for large deposits, and instituting withholding times for cryptocurrency withdrawals.
[1] I don't know whether large mining operators do this. Strictly speaking, they don't, but I'd imagine they do this because it lets them know that their rigs are up and producing valid hashes (i.e. not malfunctioning). It's almost certain that small mining operators use pools.
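The share-rate monitoring described in the comment above, sketched as an added example that is not part of the original thread: it flags a worker whose share count in a window is too low to be bad luck, using a Poisson model of share arrivals. It assumes Bitcoin-style share difficulty (about 2^32 hashes per difficulty-1 share); the worker names, hashrates, timestamps and alert threshold are constructed.

```python
import math

# Assumption: Bitcoin-style pools, where a difficulty-1 share takes ~2^32 hashes on average.
HASHES_PER_DIFF1_SHARE = 2 ** 32

def expected_shares(hashrate_hs, share_difficulty, window_s):
    """Mean number of shares a healthy worker submits in window_s seconds."""
    return hashrate_hs * window_s / (share_difficulty * HASHES_PER_DIFF1_SHARE)

def poisson_cdf(k, mean):
    """P(X <= k) for X ~ Poisson(mean); share discovery is a memoryless process."""
    term = total = math.exp(-mean)
    for i in range(1, k + 1):
        term *= mean / i
        total += term
    return min(total, 1.0)

def find_dips(workers, submissions, now, window_s=600, alpha=1e-4):
    """Return (worker, seen, expected) for workers whose share count in the
    last window_s seconds has probability below alpha under normal operation."""
    alerts = []
    for name, (hashrate, diff) in sorted(workers.items()):
        mean = expected_shares(hashrate, diff, window_s)
        seen = sum(1 for w, ts in submissions
                   if w == name and now - window_s < ts <= now)
        if poisson_cdf(seen, mean) < alpha:
            alerts.append((name, seen, round(mean, 1)))
    return alerts

def constructed_sample():
    """Constructed data: two 100 TH/s rigs at share difficulty 524288.
    rig-a submits every 22 s for 10 minutes; rig-b goes silent after t=132 s."""
    workers = {"rig-a": (100e12, 524288), "rig-b": (100e12, 524288)}
    subs = [("rig-a", t) for t in range(22, 601, 22)]
    subs += [("rig-b", t) for t in range(22, 133, 22)]
    return workers, subs

if __name__ == "__main__":
    workers, subs = constructed_sample()
    # 10-minute window: rig-b's 6 shares against ~26.6 expected is not luck.
    print(find_dips(workers, subs, now=600))
    # 1-minute window: even zero shares (expected ~2.7) is statistically
    # unremarkable, so detection latency depends on the share difficulty.
    print(find_dips(workers, subs, now=600, window_s=60))
```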
You're right that there are a few canaries in the coal mine, but there are a lot of creative options if you have the ability to execute arbitrary code on a mining node botnet, assuredly some of which are yet to be discovered (as far as we know). Consider as well the many financial opportunities available to someone who may have an interest in sabotaging or disrupting some kind of mining activity, perhaps in subtle ways that are not usually noticed.
with that method, you might be able to fool the mining operator's monitoring system (assuming you also pwn their pool server), but you can't fool the whole network. there's simply no way to hide a 50% drop in network hashrate.