Cryptocurrency miners: the latest tool for cyber criminals
Learn more about the new form of cyber crime that is being driven by cryptocurrency fever


Due to the growing popularity and market value (at the time of writing!) of cryptocurrencies, it is no surprise that there has been a surge in the number of malicious attacks using cryptominers.
In its latest report into Cybercrime tactics and techniques: 2017 state of malware', Malwarebytes claims to have blocked an average of 8 million drive-by mining attempts from websites and visitors all over the world.
Drive-by mining is a revival of an old concept of browser-based mining using JavaScript. A new venture called Coinhive revived this method late last year, providing a simple API for webmasters to add to their website, which would turn any visitor into a miner for the Monero digital currency.
Predictably, this technology was immediately abused by webmasters that ran it silently, therefore exploiting the visitor's CPU for their own gain. Eventually, criminals also took note and started compromising websites with cryptomining code. This means that the system resources of unsuspecting victims can be harnessed without authorisation in order to mine cryptocurrency.
The most popular currency for drive-by mining in 2017 is Monero, most likely due to the higher speed with which transactions are processed, even of small amounts. Criminals also benefit from the anonymity automatically incorporated into the Monero blockchain, and the fact that the mining algorithm doesn't favour specialised chips.
Popular attack methods
PUP wrappers: Several bundlers and PUP wrappers have been found to install miners, and they appear to be replacing adware as a payment method. IStartSurf, a PUP well known for its browser hijackers, has started to include miners in its silent installs.
Exploit kits and malvertising: The payload of the RIG exploit kit now includes cryptominers. Even the EternalBlue exploit (of WannaCry fame) was used to spread a miner that used Windows Management Instrumentation for a fileless, persistent infection.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Malicious spam: Cryptocurrencies are easy pickings for spammers. They often use Bitcoin value fluctuations as a means for phishing, while sending out cryptominers or installers for these miners as malspam.
Social engineering: This is an increasingly popular method of attack used for drive-by mining. Some campaigns are run by convincing people they need to install a new font, when in fact they are being served a cryptominer. Some miners are also being offered as cracked versions of popular software.
Bitcoin wallet theft: Banking Trojans have expanded their working field into stealing cryptocurrencies right out of people's virtual wallets. Coinbase is a cryptowallet that trades in several cryptocurrencies, including Bitcoin. A Trickbot variant was spotted that includes the Coinbase exchange to steal credentials from the sites it monitors.
Other Trojans have been spotted that steal cryptocurrencies on the fly, including one that monitors a user's clipboard. As soon as it spots the address of a cryptocurrency wallet on the clipboard, it replaces the address with that of the threat actor.
Attacks like this can be virtually impossible to detect, and few people would expect something they had just copied to change before being pasted into an address bar.
It is likely that as cryptocurrency fever continues, drive-by mining will evolve as new mining platforms are utilised - such as Android and IoT devices - and new forms of malware are developed to mine and steal cryptocurrency.
Picture: Shutterstock
Esther is a freelance media analyst, podcaster, and one-third of Media Voices. She has previously worked as a content marketing lead for Dennis Publishing and the Media Briefing. She writes frequently on topics such as subscriptions and tech developments for industry sites such as Digital Content Next and What’s New in Publishing. She is co-founder of the Publisher Podcast Awards and Publisher Podcast Summit; the first conference and awards dedicated to celebrating and elevating publisher podcasts.
-
Why veterans can excel in data centers – and could help the IT sector address its skill shortages
In-depth Ex-military workers can bring software and hardware to civilian roles
By John Loeppky
-
LaunchDarkly to "double down" on observability with Highlight acquisition
News Highlight's observability tools will be integrated into LaunchDarkly's Guarded Releases software deployment service
By Daniel Todd
-
Hackers are using Zoom’s remote control feature to infect devices with malware
News Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
By Ross Kelly
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
News State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
By Emma Woollacott
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Troy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
By Jane McCallion
-
LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to know
News Cyber criminals are flocking to LinkedIn to conduct social engineering campaigns, research shows.
By Solomon Klappholz
-
Phishing campaign targets developers with fake CrowdStrike job offers
News Victims are drawn in with the promise of an interview for a junior developer role at CrowdStrike
By Solomon Klappholz
-
Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week
News Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets
By Richard Speed
-
Malware being pushed to businesses by search engines remains a pervasive threat
News High-profile malvertising campaigns in recent months have surged
By Ross Kelly
-
CISA: Phishing campaign targeting US federal agencies went undetected for months
News Threat actors used legitimate remote access software to maliciously target federal employees
By Rory Bathgate