A Quick Look at the Underground World of Crypto-Mining Malware

Crypto-mining malware is a fast-rising form of cybercrime and has been a matter of concern lately. Many investigations and studies have been carried out to ascertain how these hard-to-spot, insidious operations work. Although those investigations have helped to debunk many myths, very little light has been shed on binary-based crypto-mining malware, while web-browser cryptojacking, the commonly known form of crypto-mining malware, has received all of the attention. This created the need for in-depth research into the entire underground ecosystem of crypto-mining malware.

In this article, we take a quick look at the in-depth research conducted by a researcher from the Department of Computer Science and Technology at the University of Cambridge.

First, what is crypto mining?

Crypto mining is the normal wealth-accumulation process of the global crypto ecosystem: miners are rewarded for solving a complex mathematical problem, and the reward is usually paid in the cryptocurrency being mined.

Second, what is crypto-mining malware?

Crypto-mining malware is a form of cybercrime that leverages the computing equipment of unsuspecting victims to mine cryptocurrency for cybercriminals.

The Research

The research analyzed about 4.4 million malware samples collected between 2007 and 2018. Both static and dynamic analysis were applied to extract information from the samples, and the extracted information was then used to group the samples into campaigns. To estimate the profits of the different campaigns, the researchers analyzed the publicly available payments sent from the mining pools to the campaigns' wallets.
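The pipeline described above (extract mining configuration from each sample, merge samples into campaigns, then sum public pool payouts per campaign) can be sketched in a few dozen lines. This is an added example, not the researchers' code. It assumes that analysis of each sample yields one or more (wallet, pool) pairs and that samples sharing a wallet belong to the same campaign; every sample id, wallet string, payout and exchange rate below is constructed for illustration.

```python
"""Campaign grouping and profit estimation (added example, not the study's code).
Assumption: samples that share a wallet, directly or transitively, form one campaign.
All sample ids, wallet strings, payouts and the XMR/USD rate are constructed."""
from collections import defaultdict

# Constructed: sample id -> (wallet, pool) pairs recovered by static/dynamic analysis.
# Wallet strings are placeholders, not real Monero addresses.
SAMPLES = {
    "sample-a": [("WALLET_1", "minexmr")],
    "sample-b": [("WALLET_1", "dwarfpool"), ("WALLET_2", "dwarfpool")],
    "sample-c": [("WALLET_3", "crypto-pool")],
    "sample-d": [("WALLET_2", "minexmr")],
}

# Constructed: public payouts observed from pools to wallets, amounts in XMR.
PAYOUTS = [
    ("minexmr", "WALLET_1", 12.5),
    ("dwarfpool", "WALLET_2", 3.0),
    ("crypto-pool", "WALLET_3", 0.75),
    ("minexmr", "WALLET_2", 1.25),
]


def group_campaigns(samples):
    """Union-find over wallets: a sample that embeds two wallets links them,
    and any two samples sharing a wallet end up in the same campaign.
    Returns a list of campaigns, each with its sample ids, wallets and pools."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for configs in samples.values():
        wallets = [w for w, _ in configs]
        for w in wallets[1:]:
            union(wallets[0], w)

    groups = defaultdict(lambda: {"samples": set(), "wallets": set(), "pools": set()})
    for sample, configs in samples.items():
        g = groups[find(configs[0][0])]
        g["samples"].add(sample)
        for w, p in configs:
            g["wallets"].add(w)
            g["pools"].add(p)
    return list(groups.values())


def estimate_profit(campaign, payouts, xmr_usd):
    """Sum public pool payouts to any of the campaign's wallets; return (XMR, USD)."""
    xmr = sum(amt for _, w, amt in payouts if w in campaign["wallets"])
    return xmr, round(xmr * xmr_usd, 2)


def report(samples=SAMPLES, payouts=PAYOUTS, xmr_usd=100.0):
    """Campaigns sorted by estimated profit, largest first."""
    rows = []
    for c in group_campaigns(samples):
        xmr, usd = estimate_profit(c, payouts, xmr_usd)
        rows.append((sorted(c["samples"]), sorted(c["pools"]), xmr, usd))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for samples_in, pools, xmr, usd in report():
        print(f"{len(samples_in)} samples via {pools}: {xmr} XMR (~${usd})")
```

With the constructed data, sample-b links WALLET_1 and WALLET_2, so samples a, b and d collapse into one campaign spanning two pools, while sample-c stands alone; the profit estimate then credits every payout to either wallet to the merged campaign.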

The Findings

The research showed that Monero (XMR) is the cryptocurrency most commonly used in the underground crypto-mining malware ecosystem. Over 4.32% of the Monero in circulation today was mined through illicit crypto-mining activity, which converts to about $57M in US dollars. The report also stated that, more often than not, campaigns that employ third-party infrastructure such as PPI (pay-per-install) services achieve more success in the underground space.

Another finding was that campaigns circumvent detection by mining only while the machine is idle (idle mining) or by using domain aliases to contact mining pools. Domain aliases defeat simple blacklisting approaches, so the campaigns keep uninterrupted access to the pools for their illicit activities. Additionally, other cybercriminals run successful campaigns on legitimate infrastructure such as GitHub and Dropbox.
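From the defender's side, the alias evasion only works against a blacklist that inspects the queried hostname and nothing else. The added example below (not from the study or any product) shows detection logic that follows the whole DNS answer, checking the query name, every CNAME hop and the final address, against a pool list. It assumes the monitoring point logs complete DNS answers; the pool names come from the report, but the domains, addresses and log records are constructed placeholders (reserved `.example` names and TEST-NET addresses), not real pool infrastructure. Idle mining, the other evasion named above, is invisible at the DNS layer and needs host-level CPU telemetry instead.

```python
"""Detect mining-pool contact hidden behind domain aliases (added example).
Assumes each DNS answer is logged with the queried name, the CNAME chain and the
final address. Pool domains/addresses and the log are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed threat-intel list. The three pool names are those cited in the
# report; the .example suffix and TEST-NET-3 addresses are placeholders.
POOL_DOMAINS = {"minexmr.example", "dwarfpool.example", "crypto-pool.example"}
POOL_ADDRS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class DnsAnswer:
    query: str                                   # name the host asked for
    chain: list = field(default_factory=list)    # CNAME targets, in resolution order
    address: str = ""                            # final A record


def domain_matches(name, domains):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def naive_blacklist(answer):
    """Query-name-only check: this is what the domain-alias evasion defeats."""
    return domain_matches(answer.query, POOL_DOMAINS)


def classify(answer):
    """Return why the answer looks like a pool contact, or None.
    Walks the CNAME chain and the final address, so an alias placed in
    front of the pool does not hide the destination."""
    if domain_matches(answer.query, POOL_DOMAINS):
        return "query-name"
    for hop in answer.chain:
        if domain_matches(hop, POOL_DOMAINS):
            return f"cname-hop:{hop}"
    if answer.address in POOL_ADDRS:
        return f"address:{answer.address}"
    return None


# Constructed log: one direct pool contact, two aliased contacts, one benign lookup.
LOG = [
    DnsAnswer("pool.minexmr.example", [], "203.0.113.10"),
    DnsAnswer("updates.cdn-alias.example", ["xmr.dwarfpool.example"], "203.0.113.11"),
    DnsAnswer("stats.alias2.example", ["edge.other.example"], "203.0.113.10"),
    DnsAnswer("www.example.org", [], "198.51.100.5"),
]


def scan(log):
    """(query, reason) for every answer the chain-aware check flags."""
    return [(a.query, r) for a in log for r in [classify(a)] if r]


if __name__ == "__main__":
    for query, reason in scan(LOG):
        print(f"flag {query}: {reason}")
    print("naive blacklist hits:", sum(naive_blacklist(a) for a in LOG))
```

On the constructed log the query-name blacklist catches only the direct contact, while the chain-aware check also flags the alias that CNAMEs to a pool domain and the alias that resolves to a known pool address.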

Lastly, the report listed crypto-pool, minexmr, and dwarfpool as the most commonly used Monero mining pools.

Reason for the Success

Among other known reasons, the report stated that one of the major reasons for success in this space is its relatively low cost and high return on investment. Little or no attention from the AV industry is another reason for the high level of success recorded in this space.


To discourage cybercriminals from using this space, the report suggests that regular changes to the Proof-of-Work (PoW) algorithm be incorporated into the global crypto ecosystem, as these miners would then have to update their mining software from time to time. This would increase the cost of acquiring the software and of maintaining their botnets.
