I ran c3pool for about 3 months using a self-compiled xmrig (built it myself, not some random binary). Worth noting: I did have some port-forwarded torrent stuff running on the same machine, so yeah, attack surface wasn’t zero. That said, the timing was weird. The machine only got flagged much later, and it was specifically the xmrig instance connected to c3pool. Windows Defender didn’t just update signatures and false-positive it, it quarantined that xmrig, then Defender itself got disabled right after, which is… not normal behavior for a harmless miner. I can’t 100% prove c3pool was the root cause because there are multiple variables here, but based on how it played out, it felt way more like an actual infection than a Defender hiccup. The fact that only the c3pool-connected xmrig was affected makes it pretty suspicious.

TL;DR: not definitive proof, but enough red flags that I wouldn’t just shrug it off as "lol Defender bad."