Cryptojacking: Hackers Just Want to Borrow your CPU

As cryptocurrency proliferation continues, digital thieves see opportunity. It’s easy to understand why: the cryptocurrency space is “pre-regulation”, and it’s an industry where nascent technology is used by people who don’t fully understand it to hold and transfer entirely digital assets. If that doesn’t sound like an “attack surface” I don’t know what does.

Business Insider reported that over $650 million in cryptocurrency was stolen in the first quarter of 2018. Many of these thefts are phishing attacks, where users have their login credentials stolen. A newer tactic called cryptojacking is gaining popularity. In these attacks, computers are tricked into mining cryptocurrency on behalf of an attacker.

When computers “mine” cryptocurrency, their owners are essentially renting out their computers to the distributed network that powers the cryptocurrency. In return for donating their computers’ computational resources to the network, miners are rewarded with a combination of transaction fees and brand new cryptocurrency entering the money supply. There are complex algorithms that mediate this process, just as there is complex policy regarding how new $100 bills enter the money supply.

Different cryptocurrencies have different exact mechanics but the general principle remains the same: contribute some computational resources to the cryptocurrency network in return for a reward (typically in cryptocurrency).

Bitcoin uses a scheme called “proof-of-work” which requires that miners solve hard computational puzzles. The puzzles are difficult — meaning that solving one puzzle proves that a particular miner is contributing a lot of computational power to mining bitcoin. This scheme is sometimes described as “unnecessarily” hard, but that’s only half true.

It’s true that the problems bitcoin miners have to solve are artificially hard. The specific solution to the problem is irrelevant. However, the fact that the problem is difficult does matter. Bitcoin relies on a decentralized group of computers reaching consensus about the transactions that have occurred on the bitcoin network. Adding blocks to the blockchain is an essential part of how the bitcoin network reaches that consensus, and in order to add a block you must solve one of these challenging puzzles. The difficulty of the problems is largely to prevent something called a “51% attack”.

Because of the way bitcoin’s consensus protocol works, it’s possible for attackers to create fraudulent blocks and add them to the blockchain. These frauds are detectable, and miners acting in good faith will not add new blocks following a fraudulent one, which causes the fraudulent transaction(s) to be ignored. As long as a majority of the miners act in good faith, frauds are detected and consensus is formed on legitimate blocks. However, if a malicious entity were able to control 51% or more of the computational power being contributed to the network, they could force an artificial “consensus” and therefore add fraudulent blocks to the public ledger.

Bitcoin scales up the difficulty of the problem so that an attacker would need a prohibitively large amount of computational power to execute a 51% attack. So far that seems to have worked for bitcoin, but some smaller alternative cryptocurrencies have been successfully hijacked. The attacks have yielded significant windfalls: one of the reported 51% attacks was worth over $2 million (based on the value of the cryptocurrency at the time of the attack).

A side effect of the artificially difficult proof-of-work scheme is that mining bitcoin typically costs more in electricity than it is worth. Industrious hackers have realized that if you don’t pay for the hardware or the electricity yourself, mining is a lot more profitable. Cryptojackers trick your computer into mining cryptocurrency on their behalf. Sometimes it’s just to make a couple of bucks from transaction fees, sometimes it’s part of a more elaborate 51% attack.

In more straightforward versions of cryptojacking, a website operator can simply add a little bit of JavaScript to their website. Lots of websites are powered by JavaScript, and we humans don’t audit the code of every website we visit. As long as your users stay on your website for a while, and especially if you have lots of users, you can use their computers to mine cryptocurrency.

Embedded advertisements, images, and videos on websites can be designed to carry and execute code as well. Even reputable websites have been compromised in this way; for example, ads carrying cryptojacking payloads were found on YouTube earlier this year. Advertisements have long been a source of concern for privacy advocates who worry about tracking cookies and other nefarious data collection tactics. Now advertisements can steal your CPU cycles and profit from you automatically. Isn’t the Internet a beautiful place?

In more advanced versions of the scheme, attackers who might have otherwise installed malware such as keyloggers or VPNFilter are instead extracting value more directly by forcing victims’ computers to mine bitcoin. These malware-based attacks aren’t limited to phones and computers either.

Hackers have found ways to hijack all kinds of Internet-connected devices, from obvious targets like web browsers and cloud computing platforms like Amazon Web Services to more obscure ones like wifi-connected toasters and fish tanks. The Internet of Things has proven to be fertile ground for hackers. From the massive DDoS attack against DNS back in 2016 to the fictional refrigerators in the popular HBO series Silicon Valley, hacking the Internet of Things is mainstream, and cryptojackers are on the bandwagon.

Some versions of these attacks are fairly benign. In the case of the cryptojacking advertisements, a user is harmed in the form of a slightly bigger electricity bill. This version of the attack is easy to execute, isn’t illegal in many of its forms, and costs the average victim a few dollars. Other cases, like a hijacked AWS account, are more costly and more clearly illegal. In the case of a 51% attack, the entire population of cryptocurrency users is defrauded, although only some of them will actually be cheated out of their cryptocurrency.

New technologies always hold the potential for new cyber attacks. As the field of cryptocurrency matures, we should expect versions of cryptocurrency theft to mature alongside it. Just like you’d research a stock you want to buy or a safe to hold your valuables, cryptocurrency investors should be aware of the kinds of attacks that their coins and exchanges are vulnerable to.