Cryptocurrency/Crypto-mining News and Resources

People keep telling me that this is the new ransomware… For the moment, I’m just going to flag things as they come up: maybe with commentary and better organization later. Items will be added with the latest items at the top.

Information Resources

  • Heimdal Security: What Is Cryptojacking And How To Avoid This Attack – “Find out what blockchain is, why criminals want Monero coins and how to keep safe” from cryptojacking
  • Cornell University Library: a multi-author paper on An Empirical Analysis of Traceability in the Monero Blockchain
  • Here are some links to articles that relate to bitcoin from the page Ransomware, Bitcoin, other payment options:
    • If you want a comprehensive explanation of how it’s all supposed to work, I recommend Princeton University’s Bitcoin and Cryptocurrency Technologies by Arvind Narayanan, Joseph Bonneau, Edward Felten,Andrew Miller, and Steven Goldfeder, though it’s long and not particularly cheap. (And, ironically, you can’t buy it with bitcoin.) It assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written using a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
    • This primer from Princeton is about 296 pages shorter and more consumer friendly. And here’s Bitcoin’s own FAQ.
    • Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
    • Imperva has published an interesting paper on ‘The secret of Cryptowall’s success‘ based Bitcoin wallet analysis.
    • Bitcoin Wiki
    • Blockchain Blog


20th May 2018

US Securities and Exchange Commission: The SEC Has an Opportunity You Won’t Want to Miss: Act Now! – “The SEC set up a website,, that mimics a bogus coin offering to educate investors about what to look for before they invest in a scam. Anyone who clicks on “Buy Coins Now” will be led instead to investor education tools and tips from the SEC and other financial regulators.” Commentary from Sophos: Don’t invest! The ICO scam that doesn’t want your money

ZDNet: Brutal cryptocurrency mining malware crashes your PC when discovered – “…the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.”

Help Net Security: 25% of companies affected by cloud cryptojacking

12th May 2018

5th May 2018

Help Net Security: Organizations should not overestimate the short-term benefits of blockchain

3rd May 2018

Catalin Cimpanu for Bleeping Computer: New MassMiner Malware Targets Web Servers With an Assortment of Exploits

The Register: Whoa, Gartner drops a truth bomb: Blockchain is overhyped and top IT bods don’t want it – “Didn’t you know it’s panacea to all corporate woes, bro?!”

Gad Naveh for Help Net: Dig this: The future of crypto-mining botnets

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

1st May 2018

Coin Telegraph: Scammers Hijack Verified Twitter Account To Steal Crypto By Posing As Telegram CEO

27th April 2018

The Register: Power spike leads Chinese police to 600-machine mining rig – “Six Bitcoiners cuffed for electricity heist”

25th April 2018

Graham Cluley for ESET: Ethereum cryptocurrency wallets raided after Amazon’s internet domain service hijacked

Help Net Security: Exfiltrating private keys from air-gapped cold wallets

Fortinet: Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner

Bill Harris for Recode: Bitcoin is the greatest scam in history “It’s a colossal pump-and-dump scheme, the likes of which the world has never seen.” Harsh!

23rd April 2018

360 Core Security: Attackers Fake Computational Power to Steal Cryptocurrencies from Mining Pools “Recently, we detected a new type of attack which targets some equihash mining pools.”

21st April 2018

(1|) Help Net: Cryptominers displace ransomware as the number one threat. Summarizes a report from Comodo and also observes: “Another surprising finding: Altcoin Monero became the leading target for cryptominers’ malware, replacing Bitcoin.” Maybe not that surprising: see Cameron Camp’s article for ESET – Monero cryptocurrency: Malware’s rising star

(2) The Next Web: Crypto YouTuber hacked out of $2 million during a livestream. That’s going to undermine his influence on casual investors…

(3) Trend Micro: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner

15th April 2018

12th April 2018:


[9th April 2018] John E. Dunn for Sophos: Hacker mines up to $1 million in Verge after exploiting major bug


[4th April 2018] Palo Alto Unit 42: Smoking Out the Rarog Cryptocurrency Mining Trojan – “Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others.”

[April 4th 2018]

John Leyden for The Register: Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

[3rd April 2018]

[March 31st 2018]

Help Net: Crypto mining runs rampant in higher education: Is it students?

[March 29th 2018]

[March 28th 2018]

[March 26th 2018]

[March 23rd 2018]

[March 22nd 2018]

[March 20th 2018]

Sam Biddle for The Intercept: THE NSA WORKED TO “TRACK DOWN” BITCOIN USERS, SNOWDEN DOCUMENTS REVEAL. ‘Classified documents provided by whistleblower Edward Snowden show that the National Security Agency indeed worked urgently to target Bitcoin users around the world — and wielded at least one mysterious source of information to “help track down senders and receivers of Bitcoins…”’

Thomas Claburn for The Register: Bitcoin’s blockchain: Potentially a hazardous waste dump of child abuse, malware, etc: “Boffins warn of legal risks from arbitrary data distribution”. Summarizes this academic paper “A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin“.

[March 18th 2018]

[March 13th 2018]

[March 12th 2018]

(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?

(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:

I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.

If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do. 

Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes. 

[March 8th 2018]

Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…

[March 7th 2018]

[March 5th 2018]

[March 1st 2018]

[28th February 2018]

[27th February 2018]

[24th February 2018]

CNBC: Secretive Chinese bitcoin mining company may have made as much money as Nvidia last year

[23rd February 2018]

[22nd February 2018]

[18th February 2018]

[16th February 2018] FireEye: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Bleeping Computer: Using the Chrome Task Manager to Find In-Browser Miners

[15th February 2018]: Help Net Security summarizes commentary from Check Point. Cryptomining malware continues to drain enterprise CPU power.

“In January, crypto-mining malware continued to be the most prevalent with Coinhive retaining its most wanted spot impacting 23% of organizations, followed by Fireball in second and Rig Exploit Kit in third impacting 17% of organizations.”

And here’s Check Point’s blog article: January’s Most Wanted Malware: Cryptomining Malware Continues to Cripple Enterprise CPU Power

“Check Point researchers also discovered three different variants of cryptomining malware in its top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations.”

Help Net Security/Radiflow: When crypto-mining malware hits a SCADA network

[14th February 2018]

Two links from Sophos:

Catalin Cimpanu for Bleeping Computer: Bitmessage Zero-Day Used in Attacks That Steal Bitcoin Wallet Files

Graham Cluley: Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies – IT WANTS TO USE YOUR COMPUTER’S RESOURCES TO MAKE THEM MONEY.
“Yup, Salon is giving you a choice. If you don’t want to disable your ad blocker, maybe you’ll feel comfortable letting it run code from Coinhive which will gobble up your computer’s resources to mine some Monero cryptocurrency.”

Browsealoud compromise (injection of Coinhive): partial but lengthy list of affected sites.

12th February 2018. Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
“Thousands of sites were injected with a in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as,, &”

ESET: US and UK government websites hijacked to mine cryptocurrency on visitors’ machines

“If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.”

[9th February 2018] BBC: Russian nuclear scientists arrested for ‘Bitcoin mining plot’
“Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”

[8th February 2018] Zeljka Zorz for Help Net: When crypto-mining malware hits a SCADA network
“Industrial cybersecurity vendor Radiflow […] has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included […] the control server of the physical processes of the company.