Illicit crypto mining

by Pavel Laskov / 20.5.2019

Since the dramatic surge of Bitcoin’s value in December 2017, crypto mining has become an established instrument of the digital economy, as an elegant incentive mechanism for trust and consensus building in distributed systems. Crypto miners are able to increase their profits by cutting the physical costs of mining itself, and the opportunity of letting others bear the costs by exploiting security gaps can be of great interest to miners. This is where illicit crypto mining becomes a cybercrime issue.

Mining is essential for digital currencies and many other technologies based on the idea of a distributed ledger. It is a common misconception that mining is driven by the greed of digital prospectors trying to find rare numbers of little genuine value. In fact, mining – a proof-of-work technique based on cryptographic puzzles – is an elegant incentive mechanism needed for trust and consensus building in distributed systems. A network node that first solves a cryptographic puzzle can add a new block to an irrevocable chain of transactions, including the reward paid to the miner behind that node. Therefore, this miner is only interested in having valid transactions in the block, to avoid losing their reward if the block is later rejected by other nodes on the network.

Increasing mining profitability

Profitability of mining depends on the relationship between the value of the reward and the physical cost of mining. The latter comprises the investment in hardware and electricity and cooling costs. To prevent uncontrollable minting of new rewards, the difficulty of cryptographic puzzles in digital currencies is pegged to the available computing resources, which results in an approximately constant transaction rate. Hence, investing in new hardware does not automatically bring the desired advantage as long as other players in the network do the same. Only by deploying more powerful hardware than that of their competitors can a miner give a node a competitive advantage. This feature has fuelled the development of specialised hardware known as application-specific integrated circuits (ASICs) intended solely for computation of specific hash functions deployed in typical cryptographic puzzles.

Needless to say, mining is at its most profitable when the costs are borne by a third party. This trivial observation explains why mining has become attractive for monetisation of security incidents. By deploying mining software on compromised devices, cybercriminals can generate a steady stream of profits. In contrast to other monetisation techniques such as ransomware, distributed denial-of-service (DDoS) attacks or trading with stolen credentials, mining is much more reliable as it directly generates financial transactions for its beneficiary. So it is no surprise that an 8,000-fold growth in crypto mining malware was observed by security experts in the fourth quarter of 2017, when Bitcoin’s value reached its peak.

Malware equipped with Bitcoin mining software was first reported as early as 2011. With the Bitcoin price less than USD 10.00, the economic feasibility of mining malware remained uncertain for a while. Two years later, the first botnets deploying Bitcoin mining were reported by Brian Krebs and a group of researchers from the University of California, San Diego. Estimated earnings from several botnet campaigns added up to approximately USD 100,000.00, a modest success for the substantial effort involved in setting up and maintaining a botnet infrastructure. The subsequent rise of ASICs for Bitcoin mining has quickly made CPU-based mining, including botnets, infeasible.

The revival of illicit mining is connected to the development of strongly anonymous and ASIC-resistant cryptocurrencies such as Monero or Bytecoin. Deployment of memory-intensive hash functions such as CryptoNight makes investing in ASICs unprofitable for currencies such as these and promotes their egalitarian nature. Strong anonymity techniques ensuring unlinkability of transactions increase user privacy and prevent retrospective blockchain analysis. Obviously, both features are very open to abuse, and it did not take long before new techniques for illicit mining came into existence.

Perhaps the most characteristic feature of modern illicit mining is that it is built primarily on legitimate components. Legitimate mining, especially for ASIC-resistant cryptocurrencies, is seldom carried out by individual computers, since their hashing power is still too low to deliver a realistic chance of being the first one to solve the cryptographic puzzle. As an alternative, individual computers may be connected to mining pools, which bundle resources in exchange for profit-sharing. Communication between “worker” nodes and a pool owner typically uses the Stratum protocol, designed to implement pooled mining. Various implementations of Stratum exist that can be easily built into both server- and client-side software.

Another legitimate technology that is widely deployed for malicious purposes is browser mining. Modern browsers are heavily reliant on client-side execution of code written in JavaScript. This language can also be used to implement the Stratum protocol and the mining functionality. The efficiency of such code can be greatly improved by using WebAssembly technology, enabling execution of highly efficient native code in JavaScript. In mid-2017, a first implementation of a Monero-mining browser plug-in was offered by German company Coinhive to web content providers for deployment on their websites. The deal was as follows: when the plug-in is deployed on a website, it is offered to the website’s visitors as an alternative to advertisement. By giving consent to run the plug-in while staying on a website, users carry out mining in exchange for having no advertisement displayed. The profits from mining are split between the website owner and Coinhive, the latter claiming a 30% share.

Notwithstanding the aggressive commission rate, the business model of browser-based mining has several security pitfalls. Firstly, its legitimation by means of acquiring user consent can easily be circumvented by faking the user response. In fact, more than half of the websites that currently deploy the Coinhive plug-in do not even bother to ask for user consent. Secondly, the plug-in can be injected into websites by attackers. Since the plug-in is not officially classified as malware, the act of injecting it into a website is often not detected as malicious activity by web security tools. Furthermore, deployment of Coinhive’s code on end-user devices enables attackers to study its functionality by reverse-engineering and re-implementing it themselves. As a result, several analogous tools have been found in the wild that do not share their profits with Coinhive.

Understanding the functionality of browser-based crypto mining is a challenging task. Several recent scientific studies have addressed this problem by developing tools for identifying JavaScript mining code and running them against the Alexa Top 1 Million sites. The subsequent static and dynamic analysis of extracted code provides valuable insights into the technical and operational aspects of illicit mining campaigns. For example, such an analysis shows that 60% of all illicit mining is still carried out using Coinhive’s code base. Extraction of wallet addresses, typically hardcoded in the JavaScript code, enables identification of coherent mining campaigns (under the reasonable assumption that a wallet address is never shared between different campaigns). It is also interesting to note that the majority of mining campaigns use public mining pools while easily circumventing simple detection mechanisms, such as a heuristic intended to prevent a large number of different IP addresses from being linked to the same wallet address.

Besides browser-based mining, conventional mining tools are also commonly used as a payload delivered by malware. Implementing this strategy is even more straightforward, since all the attacker has to do is download and install the appropriate mining tool. A recent study demonstrated that the crypto mining malware ecosystem is dominated by three mining tools. Similar to browser-based mining, public pools are also the preferred method of monetisation for crypto mining malware.

How profitable is illicit crypto mining? Once a wallet address associated with an illicit mining campaign is known, it is possible to estimate the campaign’s earnings, since most of the mining pools publish information about payouts to individual wallets. Using this feature, it was estimated that the largest malware-based mining campaign known to date had earned over XMR 163,000.00, which would be worth USD 18 million if it were immediately cashed out. For the 2,218 campaigns identified in the mining malware study, the profit estimate exceeded XMR 720,000.00 (USD 57 million at the time of earning). Overall, it is estimated that for Monero, illicit mining accounts for approximately 5% of global mining profits.

For browser-based mining, it is possible to estimate an upper bound on mining profits even without knowledge of wallet addresses. By analysing the popularity of websites on which mining code has been found, it is possible to approximate the hashing power of the user devices to which such code has been delivered and convert it into potential earnings. This analysis reveals that the average monthly profit from all browser-based mining campaigns is less than USD 200,000.00. Hence, browser-based mining is significantly less profitable than malware-based mining.

To conclude, illicit mining is already a tangible threat that affects millions of users. While losses from illicit mining are not as dramatic as those from ransomware, industrial espionage or sabotage, this threat should not be underestimated. Illicit mining increases the operational costs of cryptocurrencies and reduces the profits of legitimate players in the crypto mining ecosystem. On the other hand, profitability of illicit mining for attackers will spur the development of new exploitation techniques that may potentially increase attackers’ computation power. The rapid increase in connectivity of computing devices implies that a larger share of computing resources is being exposed to potential mining attacks. As demonstrated by the Mirai botnet in the realm of DDoS attacks, the widespread compromise of Internet of Things (IoT) devices can have an impact, even on key players in the Internet economy such as Twitter, Amazon and Netflix. A similar attack on the cryptocurrency ecosystem cannot be ruled out.

Implementing security standards

Detection and mitigation of malicious mining is gaining increasing attention in the scientific community. It is relatively straightforward to detect mining on user devices if detection software can measure physical characteristics of a device such as temperature, CPU utilisation and memory consumption. Cryptographic operations carried out by mining leave a very typical trace of CPU and memory operations, which can be analysed using machine learning techniques, for example. However, maintaining such detection software on hundreds of millions of user devices is a formidable task that can only be tackled if this software is built into standard security mechanisms. Alternatively, some techniques have recently been developed to identify malware in network traffic, including our own work at the University of Liechtenstein. Effective mitigation techniques are currently still not available for the broad user base, and further research and development are needed to protect IT systems against potential large-scale attacks.
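The Stratum traffic mentioned earlier (pooled mining between worker and pool) is one of the network-level signals such detection can key on. The following is an added example, not tooling from the author or the University of Liechtenstein: it classifies newline-delimited JSON-RPC messages into the two common Stratum dialects and extracts the wallet identifier that, as the text notes, keys a campaign. The sample stream, the Bitcoin-style worker name and the Monero-shaped address are all constructed placeholders.

```python
import json
import re

# JSON-RPC method names of the two Stratum dialects a detector is likely to meet:
# classic Stratum (Bitcoin-style pools) and the CryptoNote variant used by Monero pools.
STRATUM_V1 = {"mining.subscribe", "mining.authorize", "mining.submit", "mining.notify"}
CRYPTONOTE = {"login", "getjob", "submit", "job", "keepalived"}
# A Monero primary address is 95 base58 characters beginning with '4'.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")

def classify_message(line):
    """Classify one line of a TCP stream; None if it is not a Stratum message."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    if method in STRATUM_V1:
        family = "stratum-v1"
    elif method in CRYPTONOTE:
        family = "cryptonote-stratum"
    else:
        return None
    params, wallet = msg.get("params"), None
    # The wallet (campaign key) travels in the login/authorize request, often
    # with a ".worker" suffix that must be stripped before grouping by campaign.
    if method == "login" and isinstance(params, dict):
        cand = str(params.get("login", "")).split(".")[0]
        wallet = cand if MONERO_ADDR.match(cand) else None
    elif method == "mining.authorize" and isinstance(params, list) and params:
        wallet = str(params[0]).split(".")[0]
    return {"family": family, "method": method, "wallet": wallet}

def scan_stream(text):
    """Run the classifier over a newline-delimited stream and keep the hits."""
    hits = (classify_message(ln) for ln in text.splitlines() if ln.strip())
    return [h for h in hits if h]

# Constructed sample stream (made-up values, not captured traffic); the Monero-style
# address is a placeholder of the right shape, not a real wallet.
FAKE_XMR = "4" + "A" * 94
SAMPLE_STREAM = "\n".join([
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}',
    '{"id":2,"method":"mining.authorize","params":["1FakeBtcWallet.rig1","x"]}',
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"%s.w7","pass":"x"}}' % FAKE_XMR,
    '{"id":3,"method":"getUser","params":[]}',
    "GET / HTTP/1.1",
])
```

Run on real traffic, the same logic would be fed reassembled TCP payloads per flow, and wallets seen across many source addresses would be the candidates for the campaign grouping the text describes.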



Prof. Dr. Pavel Laskov

Pavel Laskov is Professor at the Institute of Information Systems and holder of the Hilti Chair of Data and Application Security at the University of Liechtenstein. His research focuses on the development of reactive security mechanisms, in particular for the detection of and defence against novel attacks.
