The largest cryptojacking breach, in terms of sheer scale, came to light in China after local authorities identified a group of hackers who ran an illicit mining operation for over two years.
Largest Cryptojacking Breach
On July 9, 2018, the Chinese newspaper Legal Daily reported on a massive cryptojacking operation run by a group in the city of Dalian, uncovered after suspicious activity was traced to a particular set of IP addresses. The group had more than 20 members and, over roughly two years of activity, compromised over a million computers, taking more than $2 million in profit. At the time of writing, nine members have been arrested and the rest are out on bail.
The suspects worked at a local technology company and allegedly built a network of associates to help carry out the scheme. In all, about 100 further people have been identified in the case, including software vendors and internet cafe owners who spread the infection by advertising the infected plug-ins.
The report loosely translates:
Dalian Shengping Network Technology Co., Ltd. developed the mining monitoring software and integrated mining procedures, and illegally controlled more than 389 million computer hosts nationwide to increase the advertising value through the development of offline agents.
Attractive Ads Lead to Malicious Plugin
According to the reports, the group built a set of malicious plug-ins for less secure Chinese browsers, which raised no warning about them. The widely used Google Chrome and Apple Safari browsers are blocked in China as part of the country's "Great Firewall." The roughly 100 agents marketed the plug-ins as useful additions to the PC, promising benefits such as faster browsing, and placed ads on popular websites to maximize the public's exposure to them. A click on one of these ads ran embedded malware that installed the plug-in without any prompt to the victim; the plug-in then used the machine's processing power to mine cryptocurrency.
The criminals clearly knew their way around cryptocurrency mining: the software mined Siacoin, DigiByte, and Decred rather than Monero (XMR), the usual cryptojacking choice. Presumably the idea was that these altcoins demand less computing power, which keeps CPUs quieter and makes the mining less likely to be noticed.
$2 Million in Profits
The malware was designed to mine only while the victim's computer was using less than 50 percent of its available processing capacity, so that it never put an obvious load on the machine: the user sees no slowdown because the miner backs off exactly when the computer gets busy. The mined coins were moved quickly to the gang's wallets and converted to fiat currency. Reports put the haul at some 26 million altcoins, worth over $2 million to the racketeers across the life of the operation.
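The 50 percent throttle is also the behaviour a defender can key on. The script below is an added example, not code from the article or from the case: it takes per-process CPU telemetry, splits it by whether the rest of the host was busy, and flags a process that works hard only while the host is otherwise idle. The telemetry is constructed (one day of one-minute samples with a fixed working-hours profile) and the thresholds, the 10 percent "active" floor, the 80 percent consistency requirement and the 30-minute minimum, are illustrative assumptions.

```python
"""Idle-gated miner heuristic (added example, not code from the article or the
case). Flags a process whose CPU use is high only while the rest of the host is
idle, the behaviour described above for the Dalian miner, which ran only when
the computer was below about 50 percent utilisation. All telemetry below is
constructed; the thresholds are illustrative assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, List


@dataclass
class Sample:
    t: int            # seconds since the start of the trace
    total_cpu: float  # whole-host utilisation in percent, including proc_cpu
    proc_cpu: float   # utilisation attributed to the process under review


@dataclass
class Verdict:
    flagged: bool
    idle_avg: float          # mean proc_cpu while the rest of the host was idle
    busy_avg: float          # mean proc_cpu while the rest of the host was busy
    idle_active_frac: float  # share of idle samples in which the process was working
    active_seconds: int      # how long the process stayed above active_threshold


def other_load(s: Sample) -> float:
    """Load the miner itself would observe: everything on the host except itself."""
    return max(0.0, s.total_cpu - s.proc_cpu)


def idle_gating_verdict(samples: List[Sample], busy_threshold: float = 50.0,
                        active_threshold: float = 10.0, min_bucket: int = 5,
                        min_active_seconds: int = 1800, interval: int = 60) -> Verdict:
    """Split the trace by whether the rest of the host was busy and compare the
    process's CPU use in the two halves. A throttled miner works hard in the
    idle half and goes quiet in the busy half; workloads driven by the user do
    the opposite, and uncorrelated workloads look the same in both."""
    idle = [s.proc_cpu for s in samples if other_load(s) < busy_threshold]
    busy = [s.proc_cpu for s in samples if other_load(s) >= busy_threshold]
    active_seconds = interval * sum(1 for s in samples if s.proc_cpu >= active_threshold)
    if len(idle) < min_bucket or len(busy) < min_bucket:
        # Not enough contrast in host load to tell gating from plain activity.
        return Verdict(False, mean(idle) if idle else 0.0,
                       mean(busy) if busy else 0.0, 0.0, active_seconds)
    idle_avg, busy_avg = mean(idle), mean(busy)
    idle_active_frac = sum(1 for v in idle if v >= active_threshold) / len(idle)
    flagged = (idle_avg >= active_threshold               # works hard when the host is idle ...
               and busy_avg < active_threshold / 2        # ... backs off when it is busy ...
               and idle_active_frac >= 0.8                # ... consistently, not in bursts ...
               and active_seconds >= min_active_seconds)  # ... and for a sustained period.
    return Verdict(flagged, idle_avg, busy_avg, idle_active_frac, active_seconds)


# --- constructed telemetry: one day of one-minute samples ---------------------

def background_load(minute: int) -> float:
    """Constructed user-activity profile: the host is busy 09:00-12:00 and 13:00-17:00."""
    hour = minute // 60
    return 60.0 if (9 <= hour < 12) or (13 <= hour < 17) else 5.0


def polite_miner(background: float) -> float:
    """Process modelled on the article: mine only while the rest of the host is under 50%."""
    return 85.0 if background < 50.0 else 0.0


def user_app(background: float) -> float:
    """Benign workload that runs while the user is active, e.g. a build or an encoder."""
    return 30.0 if background >= 50.0 else 0.0


def quiet_daemon(background: float) -> float:
    """Benign always-on service with a small, constant footprint."""
    return 2.0


def build_trace(proc_model: Callable[[float], float]) -> List[Sample]:
    samples = []
    for minute in range(24 * 60):
        bg = background_load(minute)
        proc = proc_model(bg)
        samples.append(Sample(t=minute * 60, total_cpu=min(100.0, bg + proc), proc_cpu=proc))
    return samples


if __name__ == "__main__":
    for name, model in [("polite_miner", polite_miner), ("user_app", user_app),
                        ("quiet_daemon", quiet_daemon)]:
        v = idle_gating_verdict(build_trace(model))
        print(f"{name:13s} flagged={v.flagged!s:5s} idle_avg={v.idle_avg:5.1f} "
              f"busy_avg={v.busy_avg:5.1f} active={v.active_seconds // 3600}h")
```

Only the throttled miner is flagged: it averages 85 percent CPU during the host's idle hours and zero during busy hours, while the user-driven job shows the inverse pattern and the daemon never clears the activity floor. Treat the result as a triage signal rather than an alert on its own: backup agents, indexers and antivirus scans deliberately defer to user activity and produce the same curve, so pair it with process provenance (who installed it, and from where) and with network indicators such as connections to mining pools.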
For the local police, the case was another win against cryptojackers. In January 2018, acting on information from Tencent about malware circulating in the area, they identified and arrested a group that had infected victims' PCs with a Trojan that mined altcoins.