Researchers from the Universidad Carlos III de Madrid and King’s College London analyzed a data set of 4.4 million malware samples collected between 2007 and 2018 to quantify how many Monero (XMR) coins criminals using crypto-mining malware have been able to accumulate.
Static and dynamic analysis techniques, combined with OSINT data, were used to extract information such as mining pools and wallet identifiers from the malware samples.
The resulting information allowed the researchers to estimate the profits secured by various cryptojacking campaigns by analyzing the public payment records generated as rewards for the criminals’ illicit crypto-mining efforts.
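As an added illustration of the static extraction step described above (this is not code from the paper or its authors), the following Python triage helper pulls printable strings out of a sample and matches the two indicator types the researchers relied on: mining-pool endpoints and Monero wallet addresses. The sample bytes, the `.invalid` pool hostnames and the wallet string are all constructed; the address lengths and alphabet follow Monero's public address format, and the `-o` and `"url"` patterns follow common miner command-line and JSON config conventions, which is an assumption about how a given sample stores its configuration.

```python
import re
from typing import Dict, List

# Monero uses Bitcoin's base58 alphabet (no 0, O, I or l).
B58 = r"[1-9A-HJ-NP-Za-km-z]"

# Mainnet standard addresses start with '4' and subaddresses with '8'; both are
# 95 characters. Integrated addresses start with '4' and are 106 characters.
# The lookarounds refuse a match that sits inside a longer base58-looking run.
XMR_ADDR_RE = re.compile(rf"(?<!{B58})(?:4{B58}{{105}}|[48]{B58}{{94}})(?!{B58})")

# Pool endpoints as they commonly appear in a miner: a stratum URL, an XMRig-style
# "-o host:port" command-line flag, or a "url": "host:port" entry in a JSON config.
HOST = r"([A-Za-z0-9][A-Za-z0-9.-]*)"
POOL_RE = re.compile(rf'(?:stratum\+(?:tcp|ssl)://|-o\s+|"url"\s*:\s*"){HOST}:(\d{{1,5}})')


def printable_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Rough equivalent of the `strings` tool: runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_mining_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return de-duplicated pool endpoints and Monero addresses found in a sample."""
    pools, wallets = set(), set()
    for s in printable_strings(data):
        for m in POOL_RE.finditer(s):
            pools.add(f"{m.group(1)}:{m.group(2)}")
        for m in XMR_ADDR_RE.finditer(s):
            wallets.add(m.group())
    return {"pools": sorted(pools), "wallets": sorted(wallets)}


# Constructed sample, not a real miner: binary noise around a fake command line and
# a fake JSON config. The wallet is built from the base58 alphabet and the pool
# hostnames use the reserved .invalid TLD, so neither points at anything real.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FAKE_WALLET = "4" + (B58_ALPHABET * 2)[:94]
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2
    + b"xmrig -o stratum+tcp://pool-a.example.invalid:3333 -u "
    + FAKE_WALLET.encode() + b" -p x\x00"
    + b'{"pools":[{"url":"pool-b.example.invalid:5555","user":"'
    + FAKE_WALLET.encode() + b'"}]}\x00'
)

if __name__ == "__main__":
    found = extract_mining_indicators(SAMPLE)
    for kind, values in found.items():
        for v in values:
            print(f"{kind}: {v}")
```

Run against a directory of samples, the wallet list is what lets a defender group unrelated binaries into one campaign and then look up that address's payouts on the pool's public records, which is the linkage the study depends on. The caveat is the same one that pushed the researchers to add dynamic analysis: a miner that keeps its configuration encrypted or fetches it at runtime yields no hits here, so an empty result is not evidence that a sample is clean.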
Using crypto-mining malware, criminals have mined (at least) 4.3% of the moneros in circulation, earning up to 56 million USD. One of the main reasons for the success of this criminal business is its relatively low cost and high return on investment. Also, since it is considered a lower threat to their clients, the AV industry has not paid it due attention.
Illicit crypto-mining is a malicious activity through which crooks surreptitiously use desktop or mobile devices of other people to mine for cryptocurrency without having to pay for the hardware or the energy used during this process.
Malicious mining comes with high return on investment ratios
These malicious campaigns use either a web-based mining tool (an approach also known as drive-by mining) embedded in websites they have compromised, or a dedicated binary-based miner delivered as part of a multi-stage malware delivery campaign.
Crypto-mining campaigns allow these actors to compete effortlessly with legitimate cryptocurrency farms, with a far higher profit rate given that they don’t pay for any of the resources they use.
Moreover, the researchers found that some of the criminals behind crypto-mining malware run large botnets, which they update to keep them working when they are banned from the mining pools they use or when the mining algorithm changes.
Furthermore, these malicious campaigns use idle mining or domain aliases when contacting the mining pools as detection-evasion measures, while others make use of GitHub or Dropbox to host their binary-based miner droppers.
Previous studies also found that illicit crypto-mining is a highly profitable ‘business’
Other researchers have previously addressed the subject of malicious crypto-mining; the 2014 paper “Botcoin: Monetizing stolen cycles” was the first to study it, finding that “in total malicious malware mined at least 4.5K bitcoins (which was worth around $3.2M in 2014).”
This paper’s authors add to those earlier findings, estimating that crooks running crypto-mining campaigns make monthly profits of over $1.2M.
We show that the earnings are massive and that this criminal activity is rooted within the underground ecosystem. In particular, we estimate that earnings are — at least — 57 million USD obtained in 4 years of operation (around 1.2M/month).
A lot has changed since then: these days illicit crypto-mining campaigns mostly mine Bytecoin or Monero, since mining Bitcoin is no longer profitable because of its much higher energy and hardware requirements.
The study’s authors also describe some measures that could hinder crypto-mining malware operators, with constant changes to the Proof-of-Work algorithm likely being the most effective, since each change directly increases the criminals’ overall costs.
Sergio Pastrana and Guillermo Suarez-Tangil are the authors of the “A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” paper publicly available on the arXiv research electronic archive.