Not a Bitcoin owner? You could (still) be at risk

Crypto-Mining Attacks and Their Impact On Businesses

It’s difficult to not notice the recent surge in reports on crypto-mining attacks. Spreading through Facebook Messenger and YouTube ads while infecting thousands of websites, the recent surge in crypto-mining attacks has been grabbing headlines.

The word “crypto-mining” indicates some form of association with crypto-currency – are they hackers that only target people or companies that own Bitcoin?

Not quite. Like all hackers, crypto-miners are equal-opportunity attackers. They have targeted European water utilities, UK government websites, a Russian nuclear plant and even exploited a leaked NSA vulnerability. Everyone is fair game.

Epidemic Proportions

Before you ask, it’s not fake news.

Check Point’s threat intelligence database, ThreatCloud, draws data from over 80,000 Check Point gateways and millions of endpoints across the globe. By looking at the global threat landscape, we can clearly see that crypto mining attacks have been on the rise.

Mining attacks first emerged in 2011 as a relatively insignificant niche among other cyberattacks. However, as Bitcoin and Monero values skyrocketed towards the end of 2017, the crypto-mining business became extremely lucrative. The chart below illustrates the alarming growth in the number of crypto-mining attacks.

Global trends regarding crypto mining attacks malware

These attacks target organizations across the world. The map below shows the global distribution and prevalence of mining attacks detected by Check Point in December 2017.

Cryptomining Industry 101

Put briefly, using blockchain technology, crypto mining is the process of sealing new transactions into the crypto-currency’s public ledger.

Sealing a block of transactions is akin to solving a complex puzzle, and the ledger itself is essentially a chain of sealed transaction blocks, otherwise known as a block-chain. The first miner (i.e. person or computer) to complete this complex calculation is awarded with some fresh and highly coveted coins. The mathematical proof-of-work (PoW) that a miner has successfully solved the puzzle acts as the seal for the transaction.

By asking miners to solve complex cryptographic puzzles, the mining process intentionally requires resource-intensive computation. Miners, in turn, are incentivized the good old-fashioned way – cold hard cash.

Consequentially, mining has become big business. Very big business.

Every 10 minutes, Bitcoin commits a new block of transactions to its ledger and awards 12.5 BTC to its miner. At Bitcoin’s current exchange rate ($10,515 as of 7 Mar 2018), that’s around $130,000 paid to miners every 10 minutes, or $6.8bn per year.

You read that right. The Bitcoin mining industry generates revenues of $6.8 billion a year.

And that’s just Bitcoin, which in one of many crypto currencies.  Each cryptocurrency creates its own mining ecosystem. Monero, for example, rewards its mining community with $430M annually.

Unsurprisingly, entrepreneurs are looking for their slice of the pie. In fact, they have been investing heavily in huge, energy-hungry data centers filled with mining computers. The potential gains are vast enough that  many of the larger coin-mining data centers draw more electricity than the entire population of Ireland, while crypto-mining data centers in Iceland threaten to consume all of the country’s power.


The Criminal Side of Crypto-Mining

Of course, wherever there is money to be made, criminals lurk not far behind, finding ways to cut corners.

Instead of investing in data-centers, crypto-mining criminals cut that corner by hacking into other people and groups’ machines, and criminally exploiting their CPU power without the user’s consent or knowledge.  They leverage all their victims’ collective CPU power in order to perform the computation-intensive block-chain calculations and award themselves with new coins.

Indeed, when it comes to mining targets, anything goes: PCs, mobile, servers, industrial systems, and even Tesla cars. In every CPU lies a hidden miner, waiting to taken hostage by hackers.


Why Crypto-Mining Attacks?

Simplicity, profitability, and leeway.

Mining attacks, often referred to as cryptojacking, are relatively simple to enact yet have the potential to generate huge financial returns. Indeed, a recent study conducted by Check Point uncovered a single threat actor who earned $3M from mining Monero.

Along with that, many of these attacks are still in a legal gray area – just running some extra crypto-mining javascript on the victim’s browser is not yet an actual crime.


Other Types of Crypto-currency Attacks

Criminals have developed more than just mining techniques to cash in on the staggering inflation of crypto-currency value and popularity.

Wallet Theft – Stealing Directly From a User’s Bitcoin wallet.

New types of malware have emerged which attempt to hijack a wallet’s private key or credentials from a user’s PC. Once cybercriminals gain access to their victim’s wallet, they can easily drain the funds to their own accounts.

And it’s not just new malware. Some old-school banking Trojans such as Trickbot have been quick to join the Bitcoin trend too, adding new features to target a user’s crypto-currency wallet.

Crypto Shuffler – Hijacking Coin Transactions.

If you want to transfer some Bitcoin to someone, you need to type the recipient’s wallet address in a payment form. Wallet addresses, however, are long and cryptic strings, with random numbers and letters that make little sense to the human eye.

This is where crypto-shufflers come in.

Shuffling malware uses a simple trick: when it senses a wallet address that has been copied (i.e. Ctrl-C) to the PC clipboard, it silently replaces it with the attacker’s crypto-wallet address. The unsuspecting victim is unlikely to notice that the random-looking address has been altered when they paste it into a transaction form. Instead of sending funds to the intended recipient, the funds transfer directly to the attacker.

Hacking Exchange Sites

Exchange sites are an important part of the crypto-currency ecosystem as they host user wallets and assist with coin transactions.

Unfortunately, crypto-currency exchange sites are unregulated and often have insufficient protection. In only the first two months of 2018, we have already seen $170 million shaved from BitGrail and $425 million stolen from Coincheck.


The Business Impact

As the majority of businesses do not (yet) accept direct payment using crypto-currencies, they are unlikely to be affected by the various attacks that attempt to steal coins or manipulate transactions.

However, Crypto-mining attacks, do pose real business risks.

As we showed earlier, mining attacks have surged to huge proportions in the past few months, and our data shows that 55% of organizations were a target of crypto-mining attacks in December 2017 alone.

Three Ways Mining Attacks Impact Your Businesses:

  • Consumption of Precious Server Resources

Mining malware is a huge CPU hog, and can easily consume the entire CPU power of your servers, drastically lowering your service availability and increasing hosting and electricity cost.

Should your servers be hosted on an elastic cloud, the environment will auto-scale by spawning additional instances to compensate for the lost computation power, and subsequently increase your cloud hosting costs. If your servers are not set up in an elastic configuration, then the attack could result in a complete denial of service (DoS).

  • Reduced User Productivity

Mining attacks target users in three primary ways:

  1. Just like servers, users’ PCs are infected by cryptojacking malware that installs itself on their OS and crypto-mines 24/7.
  2. A plethora of mobile apps have been discovered (here, here and here) to include mining code. Smartphones are not designed to sustain the heavyweight cryptographic computation required for crypto-mining. In fact, the mining process can overheat mobile devices to a degree that causes phones to deform.
  3. Users may browse to infected or malicious websites. These websites serve web pages that contain javascript code that silently transforms the user’s browser into a CPU-hungry mining machine.

The result of all these attack techniques is the same; user machines slow down and heat up, while the users become ever more frustrated as their productivity declines.

  • Negative Impact on Company Reputation and Customer Satisfaction
    In many cases hackers penetrate and infect an organization’s web servers, embedding mining javascript in the site’s HTML pages.

If this happens to your organization, then you are essentially targeting your site’s visitors! All visitors will see their PC and browser slow down dramatically, while their CPU spikes. This can lead to very poor customer experience, as well as to negative publicity affecting the company’s reputation.



Over the course of this post, we have discussed the steep rise of mining attacks in recent months. Despite the recent drop in Bitcoin value, this trend shows no sign of slowing.

As a result, businesses need to understand that these attacks target organizations across the globe, introducing several new risk vectors to the IT environment.

In our next blog we will look into how organizations can protect themselves against this new menace as part of their overall cyber-defense strategy.