Cryptocurrency miners: the latest tool for cyber criminals
Learn more about the new form of cyber crime that is being driven by cryptocurrency fever
Due to the growing popularity and market value (at the time of writing!) of cryptocurrencies, it is no surprise that there has been a surge in the number of malicious attacks using cryptominers.
In its latest report into Cybercrime tactics and techniques: 2017 state of malware', Malwarebytes claims to have blocked an average of 8 million drive-by mining attempts from websites and visitors all over the world.
Drive-by mining is a revival of an old concept of browser-based mining using JavaScript. A new venture called Coinhive revived this method late last year, providing a simple API for webmasters to add to their website, which would turn any visitor into a miner for the Monero digital currency.
Predictably, this technology was immediately abused by webmasters that ran it silently, therefore exploiting the visitor's CPU for their own gain. Eventually, criminals also took note and started compromising websites with cryptomining code. This means that the system resources of unsuspecting victims can be harnessed without authorisation in order to mine cryptocurrency.
The most popular currency for drive-by mining in 2017 is Monero, most likely due to the higher speed with which transactions are processed, even of small amounts. Criminals also benefit from the anonymity automatically incorporated into the Monero blockchain, and the fact that the mining algorithm doesn't favour specialised chips.
Popular attack methods
PUP wrappers: Several bundlers and PUP wrappers have been found to install miners, and they appear to be replacing adware as a payment method. IStartSurf, a PUP well known for its browser hijackers, has started to include miners in its silent installs.
Exploit kits and malvertising: The payload of the RIG exploit kit now includes cryptominers. Even the EternalBlue exploit (of WannaCry fame) was used to spread a miner that used Windows Management Instrumentation for a fileless, persistent infection.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Malicious spam: Cryptocurrencies are easy pickings for spammers. They often use Bitcoin value fluctuations as a means for phishing, while sending out cryptominers or installers for these miners as malspam.
Social engineering: This is an increasingly popular method of attack used for drive-by mining. Some campaigns are run by convincing people they need to install a new font, when in fact they are being served a cryptominer. Some miners are also being offered as cracked versions of popular software.
Bitcoin wallet theft: Banking Trojans have expanded their working field into stealing cryptocurrencies right out of people's virtual wallets. Coinbase is a cryptowallet that trades in several cryptocurrencies, including Bitcoin. A Trickbot variant was spotted that includes the Coinbase exchange to steal credentials from the sites it monitors.
Other Trojans have been spotted that steal cryptocurrencies on the fly, including one that monitors a user's clipboard. As soon as it spots the address of a cryptocurrency wallet on the clipboard, it replaces the address with that of the threat actor.
Attacks like this can be virtually impossible to detect, and few people would expect something they had just copied to change before being pasted into an address bar.
It is likely that as cryptocurrency fever continues, drive-by mining will evolve as new mining platforms are utilised - such as Android and IoT devices - and new forms of malware are developed to mine and steal cryptocurrency.
Picture: Shutterstock
Esther is a freelance media analyst, podcaster, and one-third of Media Voices. She has previously worked as a content marketing lead for Dennis Publishing and the Media Briefing. She writes frequently on topics such as subscriptions and tech developments for industry sites such as Digital Content Next and What’s New in Publishing. She is co-founder of the Publisher Podcast Awards and Publisher Podcast Summit; the first conference and awards dedicated to celebrating and elevating publisher podcasts.
-
Why MSPs are now critical digital trust infrastructure and prime targets for modern cybercrimeIndustry Insights MSPs have become critical infrastructure in the digital economy — and that makes them real targets for those with malintent
-
Netgear launches next-gen platform and says it's quality vs quantity re partner engagementNews This is a significant launch, according to the company, and one that aligns with its overarching goal to simplify complexity...
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point