The cryptocurrency bubble of 2017 and 2018 drew an extraordinary amount of attention to an experimental asset class historically favored on the dark web.1 As newcomers quickly discovered, there were two ways to procure crypto: buying it or mining it. With blockchains heavily dependent upon miners to verify high volumes of transactions, miners were in turn rewarded with small amounts of cryptocurrency. Shortly after Coinhive’s September 2017 release of a script that allowed website owners to monetize traffic by having visitors mine for Monero on their browsers, underground threat actors grasped its potential for illicit use and gave birth to a worldwide cryptojacking fervor.2 From popular websites to high powered CPUs supporting critical infrastructure, bad actors engaged in aggressive campaigns to surreptitiously insert malware into anything that could be used as computing resources for mining. However, by March 2019, cryptocurrency was in a bear market and Coinhive had shut its doors.3 Security researchers have since observed a massive drop in cryptojacking rates,4 thus casting doubt on its future and whether the practice has fallen out of favor amongst hackers.
When cybercriminals realized that they could create a source of passive income by exploiting Coinhive’s mining script, they wasted no time building armies of unwitting crypto miners online that filled the pockets of anonymous ringleaders. A study conducted in mid-2018 revealed that cryptojacking was responsible for an estimated 35% share of all web threats.5 Coinhive’s script remained the overwhelming favorite, and Monero’s built-in privacy features6 made it particularly difficult for investigators to trace the proceeds from cryptojacking operations back to a real world identity. To make matters worse, cryptojacking went from being a nuisance that temporarily robbed devices of computing power to a potential public safety hazard when researchers in February 2018 uncovered mining scripts in a water treatment facility that could have destabilized critical functions.7 High electrical bills associated with malicious miners can be a financial drain, but the interruption of processor availability in industrial control systems can be catastrophic. However, as 2018 progressed, it became evident that the cryptocurrency bubble had popped, and the prices of even the strongest names like bitcoin had plummeted. With crypto fading away from news stories, Coinhive’s closure in early 2019 further drew into question whether cryptojacking would also weaken.
In March 2020, researchers from the University of Cincinnati and Lakehead University sought to determine whether cryptojacking had lost its thunder.8 After examining 2,770 websites that had been previously known to run cryptojacking scripts, the study found that only one percent were still mining after the Coinhive shutdown. Of note, they identified eight unique scripts still in operation, some of which are running on websites that have upwards of a million visitors per year. It also appears that code obfuscation has become critical to avoiding detection.9 This data arguably shows that while cryptojacking has lost its popular appeal, there remain pockets of cybercriminals who continue to adapt and see the opportunity to engage in a relatively low risk, high reward practice.
The Future Risk:
Cryptojacking may be out of the headlines, but it’s unlikely to disappear anytime soon. Where vulnerabilities exist, threat actors will continue to take advantage of the effortless monetization of access to victim endpoints or servers. Moreover, as the ongoing COVID-19 crisis has shown, the global panic in financial markets has surprisingly not decimated the price of cryptocurrencies. With the pandemic serving as the latest sign that the crypto market is probably here to stay, a scenario involving higher prices in the years ahead for bitcoin and other favorites may further incentivize threat actors to get off the sidelines and pursue new mining projects. For now, ensuring that a security infrastructure is well suited to detect cryptojacking malware is a good first step for companies seeking to minimize financial leakage during a challenging time for businesses where every dollar counts.
Author: Dennis Lawrence
1. Cornish, Chloe and Murphy, Hannah. “What next after cryptocurrency bubble bursts?” Financial Times, August 19, 2018. https://www.ft.com/content/7ed0c3b8-a1f3-11e8-85daeeb7a9ce36e4. Accessed May 14, 2020.
2. Nadeau, Michael. “What is cryptojacking? How to prevent, detect, and recover from it.” CSO, January 23, 2020. https://www.csoonline.com/article/3253572/what-is-cryptojacking-howto-
prevent-detect-and-recover-from-it.html. Accessed May 14, 2020.
3. Cimpanu, Catalin. “Coinhive cryptojacking service to shut down in March 2019.” ZDNet, February 27, 2019. https://www.zdnet.com/article/coinhive-cryptojacking-service-to-shutdown-
in-march-2019/. Accessed May 14, 2020.
4. Varlioglu, Said; Gonen, Bilal; Ozer, Murat; Bastug; Mehmet. “Is Cryptojacking Dead after Coinhive Shutdown?” IEEE, March 13, 2020. https://arxiv.org/pdf/2001.02975.pdf.
Accessed May 14, 2020.
5. Newman, Lily. “The Year Cryptojacking Ate the Web.” Wired, December 24, 2018. https://www.wired.com/story/cryptojacking-took-overinternet/. Accessed May 14, 2020.
6. Anonymous. “How does Monero’s privacy work?” Monero.How, Undated. https://www.monero.how/how-does-monero-privacy-work. Accessed May 14, 2020.
7. Newman, Lily. “Now Cryptojacking Threatens Critical Infrastructure, Too.” Wired, February 12, 2018. https://www.wired.com/story/cryptojacking-critical-infrastructure/. Accessed May 14, 2020.
8. Varlioglu, Said; Gonen, Bilal; Ozer, Murat; Bastug; Mehmet. “Is Cryptojacking Dead after Coinhive Shutdown?” IEEE, March 13, 2020. https://arxiv.org/pdf/2001.02975.pdf. Accessed May 14, 2020.