The silent rise of coinmining attacks

In 2019 alone, over $4.5B worth of crypto went missing due to theft and fraud.
21 January 2021


  • The rapid increase in coin-miner malware suggests that attackers are taking advantage of the recent crypto price hike
  • In 2019 alone, over US$4.5 billion worth of cryptocurrency went missing due to theft and fraud
  • Many businesses and individuals may not realize that there is serious money to be made in crypto mining – at their expense, if it isn’t prevented

Last year, Bitcoin marched to an all-time high to end the year with a 300% gain. Today, the digital cryptocurrency is worth over US$34,000 but alongside its rise in value, there has also been a surge in coinminer malware attacks.

Security researchers from Avira Protection Labs observed a 53% increase in the number of coinminer malware attacks in the fourth quarter of 2020, compared to the third quarter of the same year. It’s suspected that there is a connection with the rapid cryptocurrency price hike. 

“The rapid increase in coinminer malware suggests that malware authors are taking advantage of the price trend in recent months and increasingly spreading malware that aims to exploit other people’s computer resources for illegal mining activities. This correlation is not surprising but is nevertheless worrying for legitimate miners and investors,” director of Avira Protection Labs, Alexander Vukcevic said.


Coinminer malware

According to Tech Radar, crypto-malware or coinminer malware is one of the newer malware threats, and unlike ransomware, it works completely undetected on a user’s device, making it particularly stealthy.

Unlike traditional malware that steals users’ data in order to blackmail them, coinminer malware stays in the background for as long as possible so that it can quietly mine cryptocurrency. It does so by consuming the resources of the infected computer or even smartphone: the processor, graphics card, memory, and network bandwidth. 

The three main types of coinminers include executable files, browser-based cryptocurrency miners, and advanced fileless miners. Cybercriminals decide which to deploy based on the device or system whose resources they’re trying to exploit.

Data from the US Department of Justice showed a sharp increase in stolen cryptocurrency in 2019, with over US$4.5 billion worth going missing due to theft and fraud. This is more than double the 2018 figure, and it can be assumed that this trend is set to continue given the increase in malware activity.

How do businesses avoid falling victim?

Many businesses and individuals may not realize that there is serious money to be made in crypto mining – it can be big business. Some reports have suggested that profits from mining have hit US$4 billion between 2017 and 2018. 

According to a report by HP, there are some fundamental risks to cryptojacking. “For one, it forces victims to waste energy […] the electricity consumed for a single bitcoin transaction could power 15 US households for a day. If you multiply this by the number of machines in a business or a data center, you can start to get an idea of how much energy is being used and how much this could cost a business in electricity alone.”

Then there is also the additional issue of network performance impairment. Cryptojacking is basically stealing your processing power, leading to spikes in load. Inevitably, this means that everything else on the network will run slowly or not at all. For most businesses, this is a disastrous scenario. 

Among the key actions HP recommends in its report is starting with the basics: keeping software up to date with the latest operating system and hardware patches. It’s about prevention as much as detection. 

Security researcher Troy Mursch recommends blocking known domains and IP addresses tied to illicit crypto-mining, and suggests hosting JavaScript libraries locally on your own server rather than linking to code hosted elsewhere. That way, changing the libraries requires access to your server, although it also means you will need to apply security patches to them yourself.
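The domain and IP blocking recommended above only works if the matching is done correctly: a blocked domain must also catch its subdomains but not look-alike names that merely end in the same characters. The following is an added example, not code from the article or from any of the researchers it cites; the log format, the blocklist entries and the sample log lines are all constructed placeholders for illustration.

```python
import ipaddress
import re

# Constructed placeholder indicators (reserved test/invalid names and
# documentation IP ranges); a real deployment would load a curated feed.
BLOCKED_DOMAINS = {"example-mining-pool.test", "cryptojack.invalid"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.7/32")]

# Constructed resolver log lines: "<timestamp> <client> query <name> <answer>".
SAMPLE_LOG = """\
2021-01-21T10:00:01Z 10.0.0.5 query www.example.com 93.184.216.34
2021-01-21T10:00:03Z 10.0.0.17 query pool.example-mining-pool.test 203.0.113.44
2021-01-21T10:00:04Z 10.0.0.17 query notexample-mining-pool.test 192.0.2.9
2021-01-21T10:00:05Z 10.0.0.9 query cdn.cryptojack.invalid 198.51.100.7
2021-01-21T10:00:06Z 10.0.0.9 query updates.example.org 198.51.100.8
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def domain_blocked(name, blocklist=BLOCKED_DOMAINS):
    """True if name is a blocked domain or a subdomain of one.
    Matching is done on label boundaries, so the look-alike
    'notexample-mining-pool.test' does not match 'example-mining-pool.test'."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def ip_blocked(addr, networks=BLOCKED_NETWORKS):
    """True if the resolved address falls inside any blocked network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP (e.g. NXDOMAIN or CNAME answer)
        return False
    return any(ip in net for net in networks)


def find_hits(lines):
    """Return one record per log line that matches by domain, by IP, or both."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        reasons = [r for r, ok in (("domain", domain_blocked(qname)),
                                   ("ip", ip_blocked(answer))) if ok]
        if reasons:
            hits.append({"time": ts, "client": client, "query": qname,
                         "answer": answer, "reason": reasons})
    return hits
```

Matching on label boundaries matters in both directions: a plain substring test would flag the harmless look-alike name, while an exact-equality test would miss the pool's subdomain.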