Cryptomining – performing the zillions of cryptographic calculations you need to earn hot-topic cryptocurrencies such as Bitcoin, Monero or Ethereum – is a massive global industry these days.
With Bitcoins worth about $10,000 each, you can see the attraction.
But to get serious about cryptomining, you’re looking at setting up hundreds or thousands of high-powered compute servers, which typically means renting space in a data centre where electricity is cheap and cooling is easy – such as Iceland.
Or you can cheat.
Break into someone’s network and install cryptomining software onto their computers so you can steal their electricity and CPU power – laptops are good, servers are better, and supercomputers are the best of all.
Or break into their web server and sneakily add in browser-based cryptomining code, written in JavaScript, that mines whenever anyone visits their website.
Or take over their guest Wi-Fi access point and inject cryptomining content wherever their customers go.
There’s even an open-source toolkit called CoffeeMiner that will inject rogue cryptomining code into Wi-Fi traffic automatically – all you have to do is to plug in your own anonymous cryptomining ID and the earnings come to you.
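The web-server scenario above (cryptomining JavaScript quietly added to a site's pages) has a simple defensive counterpart: the injected code has to arrive as a script, either loaded from a host the site owner never approved or inlined into the page, so the scripts a page actually serves can be compared against a known-good baseline. The following is an added example written for this page, not code from the article or from Sophos. It assumes a hypothetical site whose approved script hosts are `www.example.org` and `cdn.example.org`; the sample page, the host `mining.example` and the function name `startMiner` are all constructed placeholders for the demonstration.

```python
"""
Added example: flag <script> tags that a served page was not expected to carry.
Every hostname, page body and script name here is constructed for the demo.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}


class _ScriptCollector(HTMLParser):
    """Collects every <script src=...> value and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values of external scripts
        self.inline = []        # bodies of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content as raw text, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def inline_script_hash(body: str) -> str:
    """SHA-256 (hex) of an inline script body; the baseline stores these digests."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html: str, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts that are not in the baseline."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs have no netloc: they come from the site itself.
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if inline_script_hash(body) not in known_inline_hashes:
            findings.append(("inline-script", body[:60]))
    return findings


# Constructed baseline: the one inline script the site legitimately ships.
KNOWN_INLINE = "window.siteReady = true;"
KNOWN_INLINE_HASHES = {inline_script_hash(KNOWN_INLINE)}

# Constructed page: two legitimate scripts plus two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script>window.siteReady = true;</script>
<script src="//mining.example/m.js"></script>
<script>startMiner("PLACEHOLDER-SITE-KEY");</script>
</head><body>hello</body></html>"""


def check_sample_page():
    """Run the baseline comparison over the constructed sample page."""
    return find_unexpected_scripts(SAMPLE_PAGE, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_HASHES)


if __name__ == "__main__":
    for kind, detail in check_sample_page():
        print(f"{kind}: {detail}")
```

In practice the baseline (allowed hosts plus digests of the site's own inline scripts) is generated from a clean deployment and the check is run periodically against pages fetched from the live server, so that a script the build never produced stands out. The same digests can be reused as `sha256-...` sources in a Content-Security-Policy header, which stops unbaselined inline scripts from running at all rather than merely reporting them.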
When mining turns into jacking
When cryptomining is done illegally, without authorisation, it turns into the aptly-named crime of cryptojacking.
And cryptojacking has become a serious global problem.
There’s even a malware family known as WannaMine – a portmanteau name that borrows the “Wanna” from the exploit-based spreading technique of the WannaCry ransomware worm, and “Mine” from, well, from the process of cryptomining.
Frankly, WannaJack would be a better name: in this sort of attack, the crooks don’t just break in and find a couple of computers to take over – they set loose a worm that automatically distributes their cryptojacking attack around your network.
The criminal equation behind a worm-driven cryptojacking attack is very simple: the more CPUs you have mining for you, the more money you make.
Cryptojacking may feel like a victimless crime, at least when you compare it to ransomware – what’s a few dollars of electricity between you and the crooks?
But cryptojacking is a clear and present danger:
- There’s a reputational cost. What else did the crooks implant during the breach?
- There’s a regulatory cost. What happens after you report the breach, which you’ll need to do?
- There’s an opportunity cost. How many customers couldn’t access your services because the crooks were using all your processing power?
Fighting back!
Find out more about cryptojacking, how it works, and what you can do about it, in our plain-talking new threat report Standing up to cryptojacking – Best practices for fighting back. (Direct link – no registration required.)
Learn the practical steps you can take to avoid being a victim of cryptojacking!
R. Dale Barrow
JavaScript for cryptomining – about as efficient as bringing down an old-growth Douglas fir with a nail file. Good luck!
Paul Ducklin
For Bitcoins, you are right. For Monero, not so much.
Optimised browser JavaScript (check out the search term “Web Assembly”) is only a small factor slower than native code.
The reason why JavaScript mining is useless for Bitcoining is the same reason that native code mining is useless these days on a regular CPU – you just can’t compete with specialised hardware that is superfast at SHA256 hashes, which is pretty much all you need for Bitcoinage.
Monero relies on an algorithm called CryptoNight that was designed to use a bit of everything in its hashing, so that specialised processors such as ASICs and GPUs don’t have any particular advantage.
Therefore you can usefully mine Monero via regular code on a regular CPU, and thus you can mine via JavaScript in a browser. You aren’t going to get rich quickly, or even at all, if you just have one browser on one computer.
But the crooks don’t care because it’s not costing them anything (assuming they don’t get caught, that is) – and, of course, they aren’t limited to one browser because they aren’t playing by the rules.
David Bennett
I was thinking about Po.et – Jarrod Dicker’s project for an open-source blockchain Ledger to classify, identify, and monitor content throughout its entire life cycle.
If every mined coin could have a source stamped into it to distinguish authentic from shady, then maybe digital currency has a future.
Otherwise, the core problem with digital – that the original and the copy are indistinguishable – marks the end of cryptocurrencies.