There is an incredible diversity of cryptocoins to mine, but many of these so-called “cryptojacking” attacks are targeted at just one, Monero. This post answers why.

Last week, I wrote about cryptojacking through the Web browser. In the short time we’ve been in 2018, using other people to mine cryptocurrency for you has already become one of the new year’s top security trends. Last week, attackers apparently obtained $3 million in cryptocurrency by installing miners on unprotected Jenkins servers.

The first reason is obvious.  As the price of Monero has increased, attacks have greater rewards.  The US dollar price of Monero coins has increased from $40-50 in August last year to $300 today:

[Chart: Monero price in US dollars]

(This chart comes from Coin Market Cap.)

The second reason is slightly less obvious. The Monero ecosystem has a property called “unlinkability” that prevents observers from figuring out the recipient of a transaction. In the better-known Bitcoin system, all transactions are in the public record. Even though the owner of a particular Bitcoin may not be known, its transactions can be fully traced. When a ransomware ransom is paid, the transaction is in the public record and efforts to “launder” the proceeds may fail, as they did for the WannaCry perpetrators last year. Transactions in Monero are not visible to the public by default, making it an attractive payment system for attackers. Once the Monero coins have been mined, it’s much easier to get away with the proceeds.

And finally, Monero is resisting centralized mining operations based on specialized hardware. In part, that’s because the CryptoNight hash is, in the words of CMU professor Dave Andersen, “a brilliantly designed proof-of-work function targeting the strengths of modern CPUs — native AES encryption and fast 64 bit multipliers — tuned to use a scratchpad exactly the size of the per-core L3 cache on Intel CPUs (about 2MB)…” As a result, it’s profitable to mine Monero on general-purpose CPUs, something that the Monero community stated as a design goal in the most recently released update. Keeping the Monero mining ecosystem from being dominated by ASICs means that taking over CPUs will remain profitable.

As you can see, Monero has all the ingredients to be attractive for attackers. It has reasonable returns without specialized mining hardware, can be received without being traced or linked to your identity, and the value of the currency itself has increased rapidly in recent months. We’ll continue to provide coverage and analysis as new cryptojacking attacks worthy of comment emerge.