Bitcoin’s Tulip mania attacking Facebook!


● Stealth Cryptocurrency mining on your device.

● Desperate attempt Digmine, a stealth mining bot.

● Originated in South Korea, Discovered by Trend Micro.

● Harnesses computer resources by corrupting Facebook.

● 6-fold increase in mining malwares and introduction of Laopi.

● Melting of phone after two days of infection.


In the burgeoning tulipmania of bitcoin and other cryptocurrencies, the greed to earn more and more profits by stealthy means is also increasing. Hackers and cybercriminals are devising devious ways to exploit technologically challenged people and their computers. Facebook is probably home to the most such people on the planet, which makes it an easy platform to disseminate malware.

According to a report in the Independent, security researchers at Trend Micro have discovered malware that infects Facebook Messenger in order to surreptitiously mine cryptocurrency. The mining bot, called Digmine, harnesses CPU resources in the background to mine Monero, an anonymous coin which currently trades for around $350 with a current market value of $5.7 billion. The virus seems to have originated in South Korea and has also been reported in Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. Given the way that it propagates, it could easily reach other countries if Facebook users aren’t careful.


As Bitcoin and all other cryptocurrencies consume a lot of power to validate every transaction, it has become lucrative for criminal gangs to infect computers en masse through the widely installed Facebook Messenger to do the job, earning them cryptocurrency in return. With a finite supply of 21 million Bitcoins, a handful of opportunistic individuals and organisations are making use of powerful computers to hoard as much of the supply as possible.

“The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business,” a Trend Micro spokesman said. “And like many cybercriminal schemes, numbers are crucial — bigger victim pools equate to potentially bigger profits. The fact that they’re piggybacking on popular platforms such as social media to spread their malware is unsurprising.

This is a desperate attempt by cryptocurrency miners to parasitize the resources of host machines to gather profits. The malware is disguised in a video file using the name and will appear to come from someone in your contacts list whose machine has already been compromised. It is activated only via the desktop version of Messenger on Google Chrome and does not currently affect mobile versions of the instant chat software. It can give hackers a backdoor into your Facebook account which can then be used to target everyone in your contacts list, spreading the malware even further.

Facebook said: “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger…If we suspect your computer is infected with malware, we will provide you with a free antivirus scan from our trusted partners.”


According to a cyber-security firm “If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now but it wouldn’t be impossible for attackers to hack the Facebook account itself down the line”.

Digimine primarily installs a cryptocurrency miner called miner.exe, which is a modified version of an open-source Monero miner known as XMRig. This silently mines the Monero crypto-coin in the background, sending profits to hackers. The bot also installs an auto-start mechanism which launches Chrome with a malicious extension that allows the attackers to access the victim’s Facebook profiles and spread the malicious video file to their friends list via Messenger. Chrome extensions can only be installed via official Chrome Web Store; however, the hackers have bypassed this by launching the browser, along with the malicious extension, via command line.

Trend Micro, the discoverer says, “The extension will read its own configuration from C&C server. It can instruct the extension to either proceed with logging into Facebook or will open a fake page that will play a video. The decoy website that plays the video also serves a part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.

This mania has resulted in a six-fold increase in incidents of malware that hack computers to mine cryptocurrencies according to IBM Managed Security Services. They are typically designed to stay in the victim’s system for as long as possible and infect as many machines as possible. “Bigger victim pools equate to potentially bigger profits,” Trend Micro wrote.

Source: Data: IBM Managed Security Services

There is ambiguity among reports available claiming Bitcoin or Monero mining but Bitcoin requires far too much computational power to be mined profitably this way, even if millions of ordinary computers were hijacked. Bitcoin miners today operate vast data centers containing thousands of machines specifically built for mining bitcoin. Instead, these miners most commonly try to generate Monero.

Reports by Anthony Cuthbertson claims that Loapi, a mining software discovered by Russia-based cybersecurity firm Kaspersky, physically broke a test phone used to study the malware after just two days of the device being infected with it. “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover”, the Kaspersky blog states.

The cryptocurrency mining mania is adding to Facebook’s book of negativity, alongside spam, clickbait, fake news, and other malware. It pays to be a little more vigilant if you are a heavy social media user, and certainly do not click on or download files or links sent to you, even by close friends, without confirming that they sent them intentionally.


1. Lenart Bermejo and Hsiao-Yu Shih, Trend Micro Blog-Digmine Cryptocurrency Miner Spreading via Facebook Messenger, Availabale at

2. Karen Hao, Beware of contracting a cryptocurrency-mining virus from Facebook Messenger ,Available at

3. Margi Murphy, Cryptocurrency mining virus spreads across Facebook Messenger, Available at

4. Cameron Bishop, Beware of Monero Coin Mining Malware Digimine, Available at

5. Anthony Cuthbertson, Loapi Cryptocurrency Mining Malware Is So Powerful It Can Melt Your Phone, Available at

6. Kaspersky Blog,

— — — — — — — — — — — — — — — — — — — — — — — — — — — -


Harshit Gurjal is a computer science student pursuing engineering degree. He is a researcher with Dr. Khurana’s group pioneering new tools for crypto-currency analysis.

Harshit Gujral

Mr. Raamesh Gowri Raghavan is an award winning poet, a well-known advertising professional, historian, and a researcher exploring the interface of science and art. He is also championing a massive anti-depression and suicide prevention effort.

You can know more about Raamesh at:

And here’s Raamesh telling his life story:

Raamesh and Sukant are working together on several projects on the intersection of science, technology, and art, and also projects on mental health.

Dr. Sukant Khurana runs an academic research lab and several tech companies. He is also a known artist, author, and speaker. You can learn more about Sukant at or and if you wish to work on biomedical research, neuroscience, sustainable development, artificial intelligence or data science projects for public good, you can contact him at or by reaching out to him on linkedin

Here are two small documentaries on Sukant and a TEDx video on his citizen science effort.

Emerging tech, edtech, AI, neuroscience, drug-discovery, design-thinking, sustainable development, art, & literature. There is only one life, use it well.