One of, if not the, most prominent motivators for threat actors is money. Whether it’s botnet owners renting out their services for DDoS attacks, tech support scammers cold-calling people to convince them there are problems with their computers, or point-of-sale Trojan horses siphoning off credit card numbers, making money is at the root of much of the threat-related activity we see today.

By far, the most prominent money-making threat scheme of 2018 has been malicious cryptomining. This is a topic Cisco Talos threat intelligence has been researching for some time now. To the mind of an attacker, it’s almost the perfect crime: it hides behind the scenes, it requires little-to-no interaction from the target, and can be highly lucrative.

But before we delve deeper into the threat aspect, let’s take two steps back and talk about cryptocurrencies and cryptomining.

What is cryptocurrency?

At the lowest of levels, cryptocurrencies are digital currencies that are unassociated with centralized banking systems, such as those run by various countries or economic zones around the world. Cryptocurrencies first rose to prominence close to ten years ago with the advent of Bitcoin, though the cryptocurrency market now boasts thousands of different digital currencies.

One feature that has made cryptocurrencies so popular is the blockchain: the public, digital ledger used to validate the coins and transactions. A major draw of blockchain technology is that it is difficult to modify or tamper with, thanks to cryptography and its distributed nature, which help secure transactions using cryptocurrencies.

What is cryptomining?

Whether it’s referred to as coin mining, cryptocurrency mining, or cryptomining for short, this is the process by which new coins are created or earned. While there are slight variations between coins, mining is largely the process of validating transactions on the blockchain, whereby those carrying out the processing are paid a fee for their efforts. In effect, you can earn coins by helping to validate the blockchain and the transaction ledger contained within.

In some cryptocurrencies, such as Bitcoin, new coins can also be generated when a new block of transactions is added to the blockchain. This is in essence an example of how new coins are “mined” while validating transactions on the blockchain.

What’s so bad about that?

In all actuality, nothing. Neither cryptocurrencies nor cryptomining are inherently malicious. There are plenty of well-intentioned people out there today using cryptocurrencies and participating in cryptomining activities. The one key aspect that separates your regular, everyday cryptomining from what we consider malicious cryptomining: Consent.

There is often little difference between cryptomining software that a user installs on their own and cryptomining software installed by a malicious actor. In fact, in many cases they’re exactly the same. The difference is that the malicious cryptomining software is running without the owner’s knowledge. And any software that runs on a device without the owner’s knowledge is cause for concern.

How did malicious cryptomining rise to prominence?

Prior to malicious cryptomining, ransomware had become the darling of malicious money-making enterprises. But as users became wise to the techniques used by computer-locking malware, and enterprises became better at preventing the disaster that ransomware threatened, malicious actors began to look elsewhere.

Malicious cryptomining also had some distinct advantages over previous money-making schemes. With ransomware, there never was a guarantee that the user of the device would pay out. They could have regular backups at the ready or they just didn’t care about what resided on the compromised device. In either case, reimaging the device solves the problem.

Even more risky, law enforcement agencies throughout the world began to crack down on ransomware attackers. As arrests tied to ransomware went up, more and more adversaries were drawn to the less risky prospect of peddling malicious cryptomining software.

Over the past couple years and into the first half of 2018, the value of cryptocurrency skyrocketed. As with anything software-related and valuable, malicious actors take notice, especially as it coincided with a decline in effectiveness of ransomware.

There were other distinct advantages that helped malicious cryptomining grow. One of the most appealing factors is how cryptomining falls into a grey area in terms of threats. Given how little difference there is between legitimate cryptomining and malicious cryptomining, many users that fall prey to the latter aren’t as concerned as they would be if they found another threat on their systems. If it’s simply mining coins in the background, and isn’t doing anything inherently malicious, why worry? There is an obvious appeal to attackers in this case, where they can reap the benefits without disturbing those they are taking advantage of.

A wolf in sheep’s clothing is still a wolf

Upon deeper reflection there are plenty of reasons to be concerned about malicious cryptomining.

As with any piece of software on a computer, cryptomining requires resources. And a piece of software that takes too many resources can have a negative impact on overall system performance. Not only that, but the use of extra resources requires extra power to facilitate it. It may not add up to much on one system, but multiply the cost over the number of endpoints in an organization, and you could see a noticeable rise in power costs.

Furthermore, there may be regulatory compliance implications when cryptominers are earning revenue on corporate networks. This holds especially true for those in the financial sector, where strict rules could apply to revenue generated using corporate resources, whether or not those in charge are aware of the practice.

But perhaps most worrying is that the presence of a malicious cryptomining infection, unbeknownst to those running a network, could point to security holes in the network configuration or overall security policies. Such holes could just as easily be exploited by attackers for other means. In essence, if a cryptomining infection is found on a network, what’s to stop other malicious threats from exploiting those same holes to carry out further malicious activity?

How does malicious cryptomining get on a device?

There are a number of ways, though rarely are these delivery methods novel. The methods used to deliver malicious cryptomining software are the same methods used to deliver other malicious threats:

  • Exploiting vulnerabilities in both endpoint and server-based applications
  • Employing botnets to spread cryptomining software to new and previously compromised devices
  • Sending emails that include malicious attachments
  • Leveraging JavaScript that allows for cryptomining in the web browser
  • Utilizing adware threats that install browser plugins that can be used to perform cryptomining

These are just a few of the more common ways malicious cryptomining arrives on a device. Naturally, as with any threat, if there’s a way to compromise a system, attackers will try it.

How do I prevent malicious cryptomining?

As with anything threat-related, a good security posture will go a long way from keeping malicious cryptomining at bay.

  • To detect and block malicious cryptomining, advanced endpoint protection is needed and should be part of a broader defense strategy.
  • You can utilize network security analytics to uncover where cryptomining activity may be occurring in your organization.
  • To prevent cryptomining applications from being installed in the first place, block network connections to web sites known to participate in mining cryptocurrencies.
  • DNS layer security can also be extremely effective in stopping cryptomining, preventing mining transactions from being sent back to the malicious actors.

Overall, if you practice a layered approach to security, with an effective line of defense that includes next-generation firewall, endpoint, security analytics, and DNS layers, you stand a better chance of detecting and preventing cryptomining infections on your network.

What is the current and longer-term outlook?

Over its history, cryptocurrency markets have demonstrated some fairly significant volatility. The sharp rises and sudden falls in cryptocurrency value is paralleled in the malicious cryptomining activity that we have witnessed. For instance, take a look at the overall volume of cryptomining-related traffic that Cisco has witnessed on the DNS layer. While there have been sharp peaks and valleys, the overall takeaway is that cryptomining is trending up as time goes on.

What is interesting is that the values of many popular cryptocurrencies has declined during the same time frame, trending downwards overall. Take Monero for instance, a popular coin used in malicious cryptomining.

There are a few possible reasons that these trends are at odds. It could simply be that malicious actors are continuing to push malicious cryptomining out because of the ease of deployment, the reduced risk if caught, and if users remain unaware or don’t care if it’s on their device, the longer time span cryptomining software will likely reside on a device, earning them more money.

Alternatively, it’s possible we’re seeing an overall increase in cryptomining activity specifically because the values of cryptocurrencies are declining. In order for a malicious actor to maintain revenue streams as the value of cryptocurrencies decline and their “return on infection” drops, more malicious cryptomining infections are required.


Money is and likely always will be one of the chief motivators for malicious actors in the threat landscape. In many ways malicious cryptomining can be looked at as a way for attackers to make a fast buck with little overhead, while the targets are less worried about the implications the threat on their devices when compared to others. Still, the indirect costs are nothing to ignore, and should be addressed regardless.

For more information, read our whitepaper on how to defend your network from cryptomining. If you’re ready to take the next step, check out the features of our DNS security solution and request a 14-day free trial. And as always, we welcome your comments below.


Love these types of posts? Subscribe to the Threat of the Month blog series and get alerted when new threats are identified. 


Update: Our Talos Threat Intelligence group has completed two new blog posts about the state of cryptomining that may be of interest to our readers. Nick Biasini’s post elaborates on the history of cryptomining in 2018, including notable attack strategies and his predictions for 2019. They’ve also analyzed the activities of three notable cryptomining groups : Rocke, 8220 Mining Group and Tor2Mine. 


Ben Nahorney

Threat Intelligence Analyst

Cisco Security