
Monero’s Money Mining Malicious Malware Monopoly

By CBR Staff Writer

Palo Alto Networks malware researcher Josh Grunzweig has identified a massive 470,000 unique malware samples that hijack computers to mine cryptocurrency.

Of those samples, 84 percent, an “incredible monopoly”, are focused on mining Monero (XMR), he said in a report from Unit 42, the company’s threat detection arm, published Monday.

“I’ve found myself continually being in the position of researching a new threat or campaign that results in the delivery of a cryptocurrency miner… I began to investigate how many cryptocurrency miners have historically been identified within Palo Alto Network’s WildFire platform. In doing so, I found a radical upward trend,” he said.

Monero: Popular to mine with malware

Sampling the Wares

The researcher collected 629,126 total malware samples and analysed 3,773 emails used to connect with mining pools for the research.

He identified links to 2,341 Monero wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets and 28 Litecoin (LTC) wallets.

A massive 531,663 of the malware samples were mining Monero, he found. Those behind the malware have made nearly $144 million from their activity, he estimated.

“I extracted a total of 2,341 Monero wallets from the analyzed sample set… Looking at the top ten mining pools used by this malware, I determined that all but one allows for anonymous viewing of statistics based off of the wallet as an identifier. This anonymous viewing is intentional, as it allows users to anonymously connect and use various mining pools without inputting any personal identifiable information.”


He added: “By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources.”

“Incredibly Profitable”

Defeating cryptocurrency miners delivered via malware is a difficult task, Palo Alto Networks noted: many malware authors cap the miner’s CPU utilisation, or run mining only during specific times of the day or while the user is inactive, so the activity is easy to miss. Additionally, the malware itself arrives through a large number of delivery methods, so defenders need a defence-in-depth approach rather than a single control.

“Palo Alto Networks customers have a number of means to combat this threat on their networks, including Traps and WildFire detections for cryptocurrency miners delivered via malware. Additionally, the stratum App-ID may be used to identify cryptocurrency mining activity and take appropriate actions on it,” the report concluded.
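The report’s two practical points, that miners talk to pools over the stratum protocol and that the wallet address a miner logs in with is the identifier to pivot on, can be turned into a small detection pass over captured traffic. The following is an added example written for this article, not code from Unit 42 or Palo Alto Networks: it scans JSON lines for stratum handshake messages (the Monero-style `login` method and the Bitcoin-style `mining.subscribe`/`mining.authorize` methods), pulls out the login string, strips the `addr.worker` / `addr+diff` suffix conventions (assumed here, since pools differ), and checks it against a heuristic Monero address pattern. The method list is a detection heuristic rather than a full protocol grammar, and the sample lines and wallet strings are constructed placeholders, not real addresses or pool data.

```python
"""Flag stratum mining-protocol handshakes in captured JSON lines and pull out
the wallet identifier each miner logs in with.  Added example; the sample
traffic below is constructed, not taken from the Unit 42 data set."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Stratum method names checked here.  "login"/"submit"/"keepalived" are the
# JSON-RPC methods used by Monero-style pools; "mining.*" are Bitcoin-style
# stratum v1.  This set is a detection heuristic, not a full protocol grammar.
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}

# Monero standard address (95 base58 chars, starts with 4), subaddress
# (95 chars, starts with 8) or integrated address (106 chars, starts with 4).
_B58 = "[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR_RE = re.compile(rf"^(?:[48]{_B58}{{94}}|4{_B58}{{105}})$")


@dataclass
class Finding:
    line_no: int
    method: str
    login: Optional[str]    # raw login string as sent to the pool
    wallet: Optional[str]   # login with any ".worker" / "+diff" suffix removed
    is_monero: bool


def extract_login(msg: dict) -> Optional[str]:
    """Return the login identifier from a handshake message, or None."""
    method, params = msg.get("method"), msg.get("params")
    if method == "login" and isinstance(params, dict):
        return params.get("login")          # Monero-style: params.login
    if method == "mining.authorize" and isinstance(params, list) and params:
        return params[0]                    # Bitcoin-style: params[0] is "wallet.worker"
    return None


def wallet_from_login(login: Optional[str]) -> Optional[str]:
    """Strip worker-name and difficulty suffixes.
    Assumes the common 'addr.worker' and 'addr+diff' conventions."""
    if not login:
        return None
    return re.split(r"[.+]", login, maxsplit=1)[0]


def analyse(lines) -> list[Finding]:
    """One Finding per stratum message; non-JSON and non-stratum lines are skipped."""
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            msg = json.loads(raw)
        except ValueError:
            continue                        # not JSON, so not a stratum message
        if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
            continue
        login = extract_login(msg)
        wallet = wallet_from_login(login)
        findings.append(Finding(n, msg["method"], login, wallet,
                                bool(wallet and MONERO_ADDR_RE.match(wallet))))
    return findings


def monero_wallets(findings) -> set[str]:
    """Unique Monero wallets seen: the per-wallet identifier the report pivoted on."""
    return {f.wallet for f in findings if f.is_monero}


# Constructed sample: a placeholder Monero-shaped address (not a real wallet)
# and a placeholder Bitcoin-style login, mixed with non-stratum lines.
FAKE_XMR = "4" + "A" * 94
SAMPLE_LINES = [
    json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                "params": {"login": FAKE_XMR + ".rig01", "pass": "x",
                           "agent": "example-miner/1.0"}}),
    json.dumps({"id": 2, "jsonrpc": "2.0", "method": "keepalived",
                "params": {"id": "abc"}}),
    json.dumps({"id": 1, "method": "mining.subscribe",
                "params": ["example-miner/1.0"]}),
    json.dumps({"id": 2, "method": "mining.authorize",
                "params": ["1PLACEHOLDERbtcAddress.worker1", "x"]}),
    json.dumps({"id": 3, "method": "ping", "params": []}),
    "GET / HTTP/1.1",
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.method:<18} wallet={f.wallet} monero={f.is_monero}")
    print("unique Monero wallets:", len(monero_wallets(found)))
```

Run against real captures, the useful output is the set returned by `monero_wallets`: each distinct address is one identity to look up on the pool’s public statistics page, which is exactly the pivot the report describes for sizing how much a campaign has earned. The address regex only checks shape and character set, so treat a match as a lead to confirm, not proof on its own.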
