In March this year, one of our CDC analysts found a lone hacker dropping bitcoin mining software on a hacked PC. Heads were scratched: what is this person up to? At current “difficulty” level, we thought there was absolutely no way this person was going to get any ROI on bitcoin mining. What was going on here?
Bitcoin mining works on the principle that, by crunching numbers, you have a small chance to “find” a bitcoin. At the same time, you are maintaining the integrity of the block chain, which is the ultimate purpose of mining.
I remember back in 2012, when we mined bitcoin through “mining pools”. Mining pools work on the principle that several miners share the rewards, so there was a high chance of small earnings instead of a small chance of high earnings. One of my friends mined half a bitcoin before he lost interest. It cost him a brand new NVIDIA card and three months of electricity (and it left him with a negative ROI).
Five years later, Bitcoin mining “difficulty” (which determines the chance that you “find” a bitcoin) has increased exponentially. Today, it is 500 times less likely that you mine a bitcoin than it was back in 2012 with the same hardware. Even back then the process had slim margins. Now bitcoin mining is the domain of Chinese Bitcoin mining farms. By setting up these farms in cold areas, they can cut some cooling costs. They pretty much monopolize mining.
Cyber criminals, apart from adopting bitcoin as a money laundering technology, recognized the potential for mining. However, the bitcoin algorithms, in their minds, weren’t fair to them. They turned to altcoins (alternative crypto currencies) such as Litecoin, which had a friendlier mining algorithm and therefore a larger ROI.
In 2013, the first Litecoin mining botnets showed up. Criminals “borrowed” their victims’ CPU power and a bit of bandwidth to mine Litecoins. Victims would experience PC slowdowns, but the damage was usually restricted to a few dollars’ worth of electricity. This doesn’t seem that bad if you compare it with ransomware or fraud. Thus, crypto currency mining attacks were considered “victimless crimes”. No victim is going to report 45 cents of stolen electricity to the police.
In the end, although the risk was low, the rewards were too low for most criminals. The use of botnets for mining soon diminished, as criminals with a low risk appetite turned to ransomware attacks. Criminals, it seemed, were much more comfortable “getting” bitcoins from victims than mining them. However, some of the risk-averse criminals have stayed at it.
Our CDC has seen criminals mining Monero, another altcoin with a friendly algorithm, using screen-saver-like malware. The Monero miner only kicks in after a period of user inactivity, hiding itself so the victim doesn’t experience slowdowns. In one campaign that spanned several months, we have seen wallets accumulating 60 thousand dollars’ worth of Monero. Not bad, but it is nowhere near what some of the most experienced criminals are making.
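The idle-triggered behaviour described above has a defensive flip side: a process that burns CPU only while the user is away stands out once you correlate per-process CPU samples with the host's idle state. The following is an added example, not code from the original post or the CDC; it runs over constructed telemetry (the process names, percentages and thresholds are hypothetical) of the kind an endpoint agent or a scheduled script could collect, and flags processes whose CPU load is high during idle intervals and near zero while the user is active.

```python
"""Flag processes whose CPU consumption tracks user inactivity.

Added example, not part of the original post. All telemetry below is
constructed: each record is one sampling interval carrying the host's
user-idle flag and per-process CPU percentages. Process names and the
thresholds are hypothetical placeholders.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: (minutes since start, user_idle, {process: cpu_pct})
SAMPLES = [
    (0,  False, {"explorer.exe": 2.0, "chrome.exe": 35.0, "updater.exe": 0.5}),
    (5,  False, {"explorer.exe": 3.0, "chrome.exe": 40.0, "updater.exe": 0.4}),
    (10, False, {"explorer.exe": 1.0, "chrome.exe": 12.0, "updater.exe": 0.6}),
    (15, True,  {"explorer.exe": 0.5, "chrome.exe": 1.0,  "updater.exe": 92.0}),
    (20, True,  {"explorer.exe": 0.3, "chrome.exe": 0.8,  "updater.exe": 95.0}),
    (25, True,  {"explorer.exe": 0.4, "chrome.exe": 0.5,  "updater.exe": 94.0}),
    (30, False, {"explorer.exe": 2.5, "chrome.exe": 30.0, "updater.exe": 0.7}),
]


def idle_cpu_profile(samples):
    """Return {process: (mean_cpu_while_idle, mean_cpu_while_active)}.

    A process absent from one state contributes 0.0 for that state, so a
    host with no idle samples yet simply yields no idle load to flag.
    """
    idle = defaultdict(list)
    active = defaultdict(list)
    for _, user_idle, procs in samples:
        bucket = idle if user_idle else active
        for name, cpu in procs.items():
            bucket[name].append(cpu)
    names = set(idle) | set(active)
    return {
        name: (
            mean(idle[name]) if idle[name] else 0.0,
            mean(active[name]) if active[name] else 0.0,
        )
        for name in names
    }


def flag_idle_miners(samples, idle_min=50.0, active_max=5.0):
    """Return process names whose load is high only when the user is away.

    idle_min: mean CPU% while idle at or above which a process is suspect.
    active_max: mean CPU% while active at or below which the same process
    is considered to be hiding from the user. Both are tuning knobs.
    """
    flagged = []
    for name, (cpu_idle, cpu_active) in idle_cpu_profile(samples).items():
        if cpu_idle >= idle_min and cpu_active <= active_max:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, (cpu_idle, cpu_active) in sorted(idle_cpu_profile(SAMPLES).items()):
        print(f"{name:14s} idle={cpu_idle:6.2f}%  active={cpu_active:6.2f}%")
    print("suspect:", flag_idle_miners(SAMPLES))
```

In this constructed data the browser is busy only while the user is present and drops off when they leave, which is the expected shape of interactive workloads, whereas the hypothetical updater process does the opposite and is the only one flagged. The heuristic is deliberately simple; in practice it is a triage signal to pair with the usual follow-ups such as the process's on-disk path, signature and parent, rather than a verdict on its own.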
In our CDC, it was clear that the lone hacker was oblivious to all of this. Sometimes, you need to take things at face value. The CDC’s conclusion was that our lone hacker was an “old school” script kiddie, and not a talented one at that. Of course, this person could still get access to a PC, and the situation might have been worse had this person been savvy. The PC was quarantined and reinstalled.
Crypto currency mining attacks seem to be a “victimless crime.” As with all things, if there’s little risk, there’s little reward. The premier league cyber criminals are gunning for higher ROI with higher risk, but some of the minor-league actors still see a viable business model in this. As in sports, some of the more talented actors in the minor leagues will push into the major league, where we might see this attack type go mainstream again.