Malware Alert $175 Million in Monero Mined via Malicious Programs: Report


Level 84
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The popularity of crypto-currency malware has been skyrocketing over the past year, and the segment appears to have been highly lucrative for cybercriminals, a new Palo Alto Networks report reveals.

With the number of malware samples ultimately delivering crypto-miners well over the half a million mark, it’s no wonder that miscreants are able to profit from this type of nefarious activity. To these, one can add the JavaScript, or web-based, malicious mining operations, which are highly lucrative as well.

Looking into the proliferation of crypto-mining malware, Palo Alto’s Josh Grunzweig discovered information on around 630,000 malicious samples, 3,773 emails used to connect with mining pools, and 2,995 mining pool URLs.

Over 530,000 malware samples target Monero, roughly 53,000 target Bitcoin, and 16,000 target Cryptonite (XCN), with the rest spread across the remaining currencies. The researcher also identified 2,341 Monero (XMR) wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets, and 28 Litecoin (LTC) wallets.

Given the clear interest cybercriminals have in Monero, the researcher focused on this virtual coin as well. In addition to the 2,341 Monero wallets extracted from the analyzed sample set, he also managed to determine the mining pools used, and discovered that, of the top ten mining pools used by this malware, all but one allows for anonymous viewing of statistics based off of the wallet as an identifier.

“By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources,” he notes.

Thus, Grunzweig determined that a total of 798613.33 XMR has been mined to date, representing around 5% of all Monero in circulation. Web-based Monero miners and miners the researcher doesn’t have visibility into aren’t included here.

While half of the 2,341 wallets identified have been unable to generate a meaningful amount of Monero, the remaining batch obtained over $140 million, the researcher estimates. According to Grunzweig, “a total of $175m has been found to be mined historically via the Monero currency.”

1,278 (55%) of the identified wallets earned 0.01 XMR (~$2.20) or more and only a small subset earned a significant (100 XMR or greater) amount of coins. Only 99 wallets (less than 2% of all wallets identified) have received over 1,000 XMR, and 16 wallets (0.68% of all wallets) have obtained over 10,000 XMR.

Looking at the total hashing power, the research revealed the attackers only used 2% of the global hashing power mining the Monero network. At around 19MH/s, the hashrate would result in approximately $30,443 per day being mined.

“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.