Crypto Mining Malware Hijackers Net $1.2 Million a Month as GitHub Found Most Responsible for Hosting Scripts
Cryptocurrency seems to be a hotbed for theft and hacking, and TheNextWeb clearly pointed out that cryptojackers have a certain appreciation for using Monero. In a new article from the news website, researchers from Universidad Carlos III de Madrid and King’s College London have determined that about 720,000 XMR of Monero's circulating supply has been mined through malware.
The revenue has not been clearly determined, because the amount of fiat currency withdrawn depends entirely on the day and time when the funds were pulled out. However, the researchers believe the total earnings over the last four years to be almost $57 million. They also discovered that, more than any other website, GitHub was the primary host of this mining malware.
There seems to be a small group of hackers that is controlling this “show,” as TheNextWeb puts it. The hackers appear to be mining secretly on stolen power, either by joining a mining pool or by mining independently, each of which has an advantage.
A mining pool improves the odds of getting paid for the mining, while eliminating the need for other equipment that is specifically geared towards mining. Much of the XMR collected via cryptojacking campaigns is going to crypto-pool, a mining pool that shows around $47 million mined within the pool thus far.
Based on the information collected, researchers have found 2,472 cryptojacking campaigns, though about 99% of them have earned less than 100 XMR, which is about $4,700.
They wrote, “We also observe that, while majority of the campaigns earn very little, there are a few campaigns overly profitable. This indicates that the core of this illicit business is monopolized by a small number of wealthy actors.”
For the most part, the hackers are not going through illegitimate websites, opting instead for GitHub and Dropbox (among others) to spread the malware. They develop malware “droppers” in the form of a virus that requires a download for operation and that subsequently installs other malware under the radar. Most of the time, that malware is just Monero mining tools, fetched through a GitHub download.
The researchers noted, “We observe that GitHub is the most popular site used to host the crypto-mining malware. This is because GitHub hosts most of the mining tools, which are directly downloaded – for malicious purposes – by droppers. Additionally, GitHub is also used to host modified versions of the miners (e.g. by removing the donation capabilities or adding further capabilities).”
The research paper lists other public file-sharing sites favored by these cryptojackers, such as Bitbucket, Dropbox, and Google.
The Monero mining malware was also revealed to be hosted in torrents and as attachments in Discord channels. As recently as September, TheNextWeb reports,
“The Monero community was forced to rebuke cryptojackers who had been terrorizing the internet, after government routers in the US were discovered to be housing mining malware.”