5 Percent of Monero in Circulation Was Mined Through Malware, Research Finds

Published at: June 13, 2018

A June 11 report by network and enterprise security company Palo Alto Networks has found that around 5 percent of all Monero (XMR) in circulation was mined maliciously.

According to the research, the mining has been done via cryptojacking, the practice of using other people's computer processing power to mine cryptocurrencies without the owners' permission.

Josh Grunzweig of the Unit 42 threat research team collected data - around 470,000 unique samples - on how many cryptojacking miners have been identified within the Palo Alto Networks WildFire platform.

The report finds 3,773 emails connected with mining pools, 2,995 mining pool URLs, 2,341 XMR wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets, and 28 Litecoin (LTC) wallets.

According to Grunzweig, Monero has an “incredible monopoly” on the cryptocurrencies targeted by malware, with a total of $175 mln mined maliciously (about 5 percent of all Monero now in circulation). Monero has a total market cap of around $1.9 bln, trading for around $119 and down around 10 percent over a 24-hour period as of press time.

Of the 2,341 Monero wallets found, only 55 percent (or 1,278) have more than 0.01 XMR (currently worth around $1.19).

The report also notes that the data does not include web-based Monero miners or other miners the researchers could not access, meaning that the 5 percent figure is most likely an underestimate.

Distribution of cryptocurrencies targeted by malicious miners. Source: Palo Alto Networks

According to the report, the total hashrate for Monero cryptojacking - around 19 mega-hashes per second (MH/s) bringing in about $30,443 a day - is equal to about 2 percent of the Monero network’s global hashing power. The report states that the top three hashrate sources mine around $2,737, $2,022 and $1,596 each day.

In an email to Cointelegraph, Justin Ehrenhofer of the Monero Malware Response WorkGroup wrote that because Monero is “built without any explicit use cases,” people “may take advantage of Monero's privacy and accessible proof of work features for their own illegitimate personal gain.”

For this reason, the malware workgroup, a body of volunteers, works on educating crypto users about how to avoid malware and cryptojacking:

“The Monero community is interested in helping victims of unwanted system mining and other nefarious actions [...] We will never be able to prevent every machine from being compromised. The proportion of coins estimated to be mined with Monero speaks largely to the number of machines that are compromised. In addition to mining Monero, they could be sending spam and monitoring users. We hope that our contributions will limit unwanted behavior at the source.”

Yesterday, Japanese police reported they have opened an investigation into a case of Monero cryptojacking with the use of the Coinhive mining software. Last week, a security team found that over 40,000 computers were infected with mining malware, including for Monero, from industries including finance, education, and government.
