CryptoJacking, CryptoMining and the Rise of Monero

CryptoJacking, CryptoMining and the Rise of Monero

Monero WikimediaBy Andy Norton and Stefano Ortolani

Lastline is witnessing a tremendous increase in malware samples that have a cryptocurrency mining purpose. The graph below shows exactly the explosive change in cybercriminal motivations. Of course, we all know that Bitcoin has been the go-to cryptocurrency for criminal payments in ransomware, but now on the back of Bitcoin’s successful usage in cybercrime, we are seeing the adoption of other currencies in money-making activities by other criminal groups.

Rise of Monero

When we drill a bit deeper into this trend we see which domains are being requested by the malware samples (see chart below), allowing us to identify which cryptocurrency mining pools are popular. Of the top 8 mining “pools” requested by malware, only one refers to Bitcoin. All the others point to a crypto relative newcomer, Monero. Monero was founded in April 2014 with an emphasis on equality and privacy, two aspects that we will explore in this article that contribute to making Monero a criminal’s dream.

explosive growth cryptocurrency mining through 2017 internal

The domain-by-domain view of the explosive growth cryptocurrency mining through 2017 shows several trends. Coinhive and Coinhive alternatives have grabbed the cryptojacking headlines in recent months, with a regular stream of hacked websites – most recently, @bad_packets spotted the infection of www.blackberrymobile[.]com. This connects back to the Monero address of “9KNyPFbDqJesaSxBLcQoJZX6PgXN1ld0”, which had also been injected into a number of Chinese domains, shown below.

Monero infected Chinese domains

The mining pools in Lastline data that surface the most in malware payloads are moneropool.com and xmr.pool.minergate.com.

mining pools

Minergate is a portal that allows you to choose and mine different cryptocurrencies. The graph below shows the various minergate pools specified in different malware payloads. Further investigation shows the dominance of Monero as the most popular by far.

Monero inline

We are witnessing Monero becoming the new bad boy in town.

Why is Monero taking over?

Here are the three key reasons that make Monero is so attractive to cybercriminals:

1. Monero is . . . wait for it . . . “fungible

Fungible means that the currency is interchangeable and untraceable in the same way that an ounce of 24 carat gold and be swapped with another ounce of 24 carat gold. They are of equivalent value and have no historic traceability of prior transactions.

Monero cites this as an advantage over other cryptocurrencies. “Fungibility is an advantage Monero has over Bitcoin and almost every other cryptocurrency, due to the privacy inherent in the Monero blockchain and the permanently traceable nature of the Bitcoin blockchain. With Bitcoin, any BTC can be tracked by anyone back to its creation coinbase transaction. Therefore, if a coin has been used for an illegal purpose in the past, this history will be contained in the blockchain in perpetuity. This lack of fungibility means that certain businesses will be obligated to avoid accepting BTC that have been previously used for purposes which are illegal”.

Currently, some large Bitcoin companies are blocking, suspending, or closing accounts that have received Bitcoin used in online gambling or other purposes deemed unsavory by said companies.

2. Monero is booming

The hockey stick price chart for Monero (see chart below, showing Monero price in USD and in Bitcoin) matches the same trend we have seen in Malware payloads. The chicken and egg question springs to mind: Is the volume of mining driving the price increase, or, is the price increase driving the volume of mining?

3. Monero is general CPU friendly

To promote equality, Monero uses the CryptoNight hash algorithm. This algorithm was designed to be mined by normal CPU devices, a philosophical implementation of Satoshi Nakamoto’s original vision of “one-CPU-one-vote” system. So, anyone with a computer can mine Monero, unlike other cryptocurrencies that require specific hardware in order to avoid being significantly disadvantaged.

Summary

It is the very nature of Monero’s principles—privacy and equality—that make it so attractive to criminal activities. There is a very low chance of getting caught due to the fungible nature of the transactions. And because any CPU can be used, it makes infecting devices and creating a botnet or exploiting browsers for mining very attractive. Only time will tell if this is truly cybercrime’s Shangri-la. With legal attention turning to cryptocurrencies and the fundamental Know Your Customer principles for FIAT currencies, it will be very interesting to see how fungibility survives.

Andy Norton

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
Andy Norton

Latest posts by Andy Norton (see all)