Malicious Mining of Monero: Criminals Use Illegally-Obtained Computing Power to Mine their “Cryptocurrency of Choice”

Recent Rise in Crypto-Mining Scripts in Website Code, Embedded in Fake Image Files

Since summer of this year, a trend in using mining as a source of revenue to replace advertisements has been rising among savvy website-builders.  Instead of placing paid advertisements on a site, a few lines of code (originally created by Coinhive) can be placed into the website’s script that causes visitors’ computing power to temporarily be used to mine Monero.

The Pirate Bay is one such website that has put this practice into action.  Naturally, plenty of visitors to the site were a bit unsettled and unhappy to see their CPU usage suddenly jump up and their computers slow down, although disabling JavaScript was enough to stop the involuntary mining from happening.

Now, criminals are using this same approach to take advantage of unsuspecting internet-surfers’ computing power.  It can be as simple (if you can call it that) as hacking into a website, embedding the mining code, and receiving the revenue that it generates; criminals are also embedding malicious code within fake image files and creating crypto-mining malware.

Data collected from Kaspersky revealed that over 1.65 million machines had been compromised by malware that mines cryptocurrency.  IBM’s X-Force team is responsible for the collection of the data centered around malicious code embedded within websites and compromised servers.

IBM recently told BleepingComputer that along with the embedding of malicious mining code in websites, criminals and hackers can also embed cryptocurrency mining code and software into fake image files using a technique called steganography.

According to IBM’s Dave McMillen, the fake image files were “hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers.”

McMillen added that while IBM was unable to determine exactly which or how many servers were being used by attackers, the company was able to identify infected servers across the websites several industries, including IT, communications, manufacturing, retail, and finance.

Monero Rising As New Central Darknet Currency

Bitcoin critics have long cited the coin’s association with criminal activity as a reason to stay away from the crypto world as a whole.  These claims are not entirely without merit–Bitcoin was the main currency used to transact on the infamous Silk Road network, which was used to sell drugs, illicit services, and other contraband materials.  

To this day, Bitcoin is still used for some illegal transactions–it is the only currency used on Backpage, a website that is used to host personal ads that are often associated with sex trafficking.  What’s strange is that Bitcoin is not actually that well-suited to this purpose; while difficult, it is certainly possible to identify the user behind any given transaction using the pseudonymous information stored on Bitcoin’s blockchain.  

Recently, Monero has been making waves as a far more anonymous cryptocurrency than Bitcoin, and criminals have had their interests piqued accordingly.  Monero utilizes CryptoNote technology to mask users’ identities.

CryptoNote is far more anonymous than Bitcoin’s CoinJoin technology; it involves the creation of one-time-use public address as well as the optional use of large “ring signatures” that can combine large groups of users’ transactions with similar amounts into one so that the individualized transactions within the “ring” are virtually untraceable.

Monero saw a huge leap in value in September of 2016 from ~US$2 to a peak of ~US$12, and it has been continuing on a very bullish zig-zag trend ever since.  A report from Wired attributed this meteoric rise in Monero’s valuation to its use on the so-called “darknet”, where Monero is used in illicit transactions that require high levels of anonymity.