Posted: 4 Min Read Threat Intelligence

Cryptojacking: A Modern Cash Cow

Cryptojacking shook up the cyber security landscape in 2017 and 2018. We take an in-depth look at this cyber crime trend.

One of the biggest cyber security trends of 2018 is cryptojacking, where cyber criminals surreptitiously run coinminers on victims’ devices without their knowledge and use their Central Processing Unit (CPU) power to mine cryptocurrencies.

This has been such a big trend this year that we have published a research paper on this topic, which you can read here, featuring insights and analysis about this cyber security threat.

Cryptojacking surged in the last quarter of 2017, with its growth in popularity coinciding with a surge in the value of cryptocurrencies, including Monero, which is what is mainly mined by CPU miners.

Key points in our research include:

Cryptojacking in the cloud could also cause additional costs for businesses that are billed based on CPU usage.

"Cryptojacking activity peaked in December 2017, with more than 8 million cryptojacking events blocked by Symantec https://symc.ly/2xFGYH4"

What is cryptojacking?

Computer programs called coinminers are used to mine cryptocurrencies. Cryptocurrencies are digital currencies created using computer programs and computing power. Bitcoin is the best-known cryptocurrency, but it cannot be mined using personal computers—it requires specialist equipment to mine.

The cryptocurrency we primarily see mined on personal computers is Monero.

  • File-based coin mining involves downloading and running an executable file on your computer.
  • Browser-based coin mining takes place inside a web browser and is implemented using scripting languages. If a web page has a coin-mining script injected on it, the web page visitors’ computing power will be used to mine for cryptocurrency for as long as they keep the web page open.

Coin mining is not illegal, and many people choose to run files or scripts on their computers to carry out coin mining to make money themselves. Some websites may also use coin mining as an alternative to advertising to generate revenue, which is fine provided customers are told that their CPU power will be used to mine cryptocurrency while they are visiting that website.

The problems arise when people aren’t aware their computers are being used to mine cryptocurrency, or if cyber criminals surreptitiously install coinminers on victims’ computers or Internet of Things (IoT) devices without their knowledge—this is cryptojacking.

What’s the big deal?

The primary impact of cryptojacking is performance-related, though it can also increase costs for the individuals and businesses affected. Potential impacts for device owners include:

  • A slowdown in device performance
  • Overheating batteries
  • Devices becoming unusable
  • Reduction in productivity
  • Increased costs due to increased electricity usage, and for businesses operating in the cloud that are billed based on CPU usage

Unlike threats like ransomware, which immediately disrupt victims’ access to their devices, cryptojacking could be quietly carried out on a victim’s device for a long time before they realize what is happening.

How big an issue is cryptojacking?

The surge in cryptojacking in the last quarter of 2017 was dramatic. It hit its peak in December 2017 when Symantec technologies blocked more than 8 million cryptojacking events. We have seen activity decrease somewhat since then, but in July 2018 we still saw just less than 5 million cryptojacking events blocked, and the growth in activity since September 2017 is stark.

Figure 1. All cryptojacking events blocked by Symantec from January 2017 to July 2018
Figure 1. All cryptojacking events blocked by Symantec from January 2017 to July 2018

Reasons cryptojacking activity increased include:

  • A surge in the value of cryptocurrencies in the final quarter of 2017
  • Lower barriers to entry for cyber criminals
  • Cryptojacking allows cyber criminals to operate without the activity being noticed by victims
  • Even fully-patched devices can be targeted via browser-based coinminers

The steep increase in the value of cryptocurrencies was another key reason cryptojacking activity surged.

The lower barrier to entry was primarily thanks to the Coinhive service, which was launched in September 2017, just before cryptojacking activity increased dramatically. Coinhive, which is a script that mines Monero, was marketed as an alternative to ads for websites seeking to generate revenue. It recommends that its users are transparent with site visitors about its presence, but this hasn’t stopped unscrupulous operators from using it to carry out cryptojacking with the hope that site visitors won’t notice. Since its launch there have been many reports of it being used for cryptojacking without site visitors’ knowledge.

Along with the arrival of Coinhive, the steep increase in the value of cryptocurrencies was another key reason cryptojacking activity surged. At its peak in December 2017 and January 2018, Monero reached values of close to US$500 per coin. It’s hard to know how much money cyber criminals are making from cryptojacking, but the key to making money in this area is scale. A coinminer running on one computer won’t make much money—but a coinminer running on thousands of computers could potentially mine a lot of cryptocurrency.

Figure 2. A cyber criminal with a botnet of 100,000 devices mining cryptocurrencies could make a nice profit in just 30 days
Figure 2. A cyber criminal with a botnet of 100,000 devices mining cryptocurrencies could make a nice profit in just 30 days

What’s the future for cryptojacking?

The future of cryptojacking is something we consider in the whitepaper, and which we also speculated about in ISTR 23. We said then that “the longevity of this activity very much depends on the future value of these cryptocurrencies.” 2018 has seen a drop in cryptojacking activity compared to the final quarter of 2017 but, despite some fluctuations in cryptocurrency values, activity in this area remains significant and it is still one of the primary threats on the cyber security landscape as we enter the final months of 2018.

While we may not see the mass adoption of cryptojacking that occurred at the end of 2017, once cyber criminals are still making money from cryptojacking it will remain a headache for consumers and businesses for some time to come.

Read more of our thoughts on the future of cryptojacking, as well as case studies, and more in-depth analysis of the cryptojacking landscape in our whitepaper on the topic.

About the Author

Brigid O Gorman

Information Developer

Brigid O'Gorman works for Symantec Security Response, writing, editing, and developing content about the threat landscape. She also manages Security Response’s social media. Before joining Symantec, Brigid worked in media roles in Ireland and Australia.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.