Cyber criminals getting good at cryptojacking your devices

Robert Hoogendoorn
Nov 28, 2019 · 5 min read

Cyber criminals are cryptojacking your devices and stealing computing power to mine cryptocurrencies, and they are getting very good at it. It’s one of the major upcoming cyber crimes in recent years. These types of hackers are in search of computing power to run crypto mining software, most of the time for Monero. They search for a security weakness, install some software and reap the rewards. This way they use computing power from companies and ordinary individuals to generate Monero. But how does it work exactly?

Cyber criminals who are cryptojacking aren’t super hackers; they use existing vulnerabilities to their own benefit. Most of the time they use well-known exploits and search for badly updated computers and servers. In other cases they hope that consumers are dumb enough to click on a link or visit a certain website. It’s all about getting that little piece of software onto the other computer and getting it running.

American internet security firm Bad Packets discovered ‘opportunistic mass scanning activity’ on Docker servers on November 26th. This is an example of typical cryptojacking activity. Most of the time hackers are just looking for a weakness in one of the APIs. As soon as a weakness is found, they start an Alpine Linux OS container. This container downloads and runs a script, and that script in turn installs XMRig, which is basic mining software for Monero.

Docker servers are enterprise solutions, and it’s not very likely that normal individuals use these at home. That doesn’t mean that you and I are safe though. Cryptojacking happens in all kinds of ways, and for the hackers it doesn’t matter whether they target commercial companies or individuals. Therefore it’s very important to be aware of the possibilities of cryptojacking.
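An added example, not part of the original article: one way to check whether a Docker host has the kind of open API described above. It assumes the weakness is an Engine API TCP listener without client-certificate verification, which the article does not specify; `audit_daemon_config`, `bind_address` and the sample configs are hypothetical, while `hosts`, `tls`, `tlsverify` and `tlscacert` are dockerd's own `daemon.json` keys.

```python
import json

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def bind_address(host):
    """Extract the bind address from a dockerd 'tcp://addr:port' host entry."""
    addr = host[len("tcp://"):]
    if addr.startswith("["):                 # bracketed IPv6 literal
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def audit_daemon_config(text):
    """Return (host, scope, problem) for each TCP listener lacking client authentication."""
    cfg = json.loads(text)
    # tlsverify makes the daemon demand a client certificate signed by tlscacert;
    # plain "tls": true only encrypts and still accepts anonymous clients.
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                         # unix:// and fd:// are local sockets
        if client_auth:
            continue
        # An empty bind address (tcp://:2375) listens on every interface.
        scope = "loopback" if bind_address(host) in LOOPBACK else "network"
        problem = ("encrypted but unauthenticated" if cfg.get("tls")
                   else "plaintext and unauthenticated")
        findings.append((host, scope, problem))
    return findings

# Constructed sample configurations (addresses and paths are placeholders).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = ('{"hosts": ["tcp://:2376"], "tls": true, '
            '"tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem"}')
HARDENED = ('{"hosts": ["tcp://10.0.0.5:2376"], "tlsverify": true, '
            '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("tls-only", TLS_ONLY), ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no unauthenticated TCP listener")
```

Listeners passed to `dockerd` as `-H` flags on the command line do not appear in `daemon.json` and need the same check.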

The whole hype about cryptojacking started with Coinhive. This website plugin would use the computing power of the website’s visitors to mine for Monero. The service launched in 2017 as a way for website owners to generate some money, but quickly became the center of internet drama.

Websites used the software without telling their visitors, which caused a first backlash. On top of that there were, of course, hackers who installed the JavaScript code into websites without the original owners knowing about it. At its peak Coinhive was used for approximately 62 percent of all cryptojacking activity. Increased mining difficulty, blockchain forks, and the downturn of the crypto market made them decide to cease operations in March 2019. That didn’t mean that cryptojacking would stop; cyber criminals just got a lot more sophisticated.

Installing a plugin on your website is a simple way to use computing resources from other people. Cryptojacking is on the rise and it’s not very likely to stop any time soon. In 2018 the amount of crypto-mining malware increased by 4467 percent. This number was obviously driven by Coinhive, but it wasn’t the only source. In the first quarter of 2019 the number of ransomware attacks grew by 188 percent, while crypto mining grew another 29 percent.

A website security company reported in October 2019 that hackers were using vulnerabilities in old WordPress plugins. In addition they would create copies of popular plugins to trick users. When such a plugin is installed, it runs an executable that gives the hackers access to the server. Even when the plugin is removed, the hacker still has access. As a result the hacker can use the internet server to mine Monero. In similar fashion hackers are hiding code inside .WAV audio files, which is executed when the file is played.

McAfee Labs reported that cyber crime is becoming a lot more sophisticated. Hackers are searching for vulnerabilities, and any internet device with computing power will do. Last year malware targeting Internet-of-Things (IoT) devices grew by 200 percent. These internet-connected devices, like routers and IP cameras, don’t generate lots of mining power, but it’s volume that the hackers are after. Power is in the numbers.

Slovakian software security firm ESET has uncovered that the cyber criminals behind the Stantinko botnet are now deploying cryptocurrency mining software. To do this they target YouTube and its 2 billion monthly users. They upload videos that resonate well with certain audiences, and provide links to trigger people. Upon clicking, software can be installed on the viewer’s computer.

The hackers behind Stantinko aim for users from Russia, Ukraine, Belarus and Kazakhstan. But by moving their criminal activity to YouTube, they could be looking for an expansion. According to ESET, 500 thousand devices have already been infected by the mining software. Reportedly YouTube is already removing content and channels that contain traces of Stantinko’s code. But it’s unlikely that Stantinko will stop, and therefore it’s important for users not to click any links from unknown sources.

The way the cyber criminals spread their cryptojacking malware on YouTube is similar to other hacking campaigns. It’s all about tricking the consumer into clicking and thereby activating certain software. However, sometimes things can get very complicated. On November 26th Microsoft reported on cryptojacking malware called Dexphot. This malware has infected 80 thousand computers worldwide since October 2018.

If someone has XMRig running on their computer, it’s quite easy to deactivate it. The Dexphot attack, however, is much more sophisticated and would even reinstall itself when defenders try to remove the malware. The cryptojacking malware would use all kinds of tactics to evade security, using different entry points.

Dexphot even received regular updates, underlining its ability to evolve over time into an ever-changing threat. This is next-level malware, and it shows how important it is to stay safe on the web.

Is your computer becoming slow, or is your processor working overtime? Sounds like your computer might be mining Monero for somebody. Perhaps it’s a good idea to install some quality internet security software. To prevent cryptojacking, live by these golden rules:

  • Never click on shady links and websites.
  • Never open e-mails or their attachments from unknown sources.
  • Install ad blocking browser extensions, or just use Brave.
  • Keep your software, browser extensions, and mobile apps up-to-date.
  • And if you run a business, keep your APIs closed, and educate your employees!

Originally published at NEDEROB.
