A 29-year-old man in Ukraine was arrested this week for using hacked accounts to create 1 million virtual servers used to mine $2 million in cryptocurrency.
As announced today by Europol, the suspect is believed to be the mastermind behind a large-scale cryptojacking scheme that involves hijacking cloud computing resources for crypto-mining.
By using the computing resources of others' servers to mine cryptocurrency, the cybercriminals can profit at the expense of the compromised organizations, whose CPU and GPU performance is degraded by the mining.
For on-premise compromises, the damage extends to having to pay for increased power usage, commonly generated by miners.
A 2022 report from Sysdig estimated the damage from cryptojacking to be about $53 for every $1 worth of Monero (XMR) the cybercriminals mine on hijacked devices.
Europol says they first learned of the cryptojacking attack in January 2023 from a cloud service provider who was investigating compromised cloud accounts on their platform.
Europol, the Ukrainian police, and the cloud provider worked together to develop operation intelligence that could be used to track down and identify the hacker.
The police say they arrested the hacker on January 9th, when they seized computer equipment, bank and SIM cards, electronic media, and other evidence of illegal activity.
Source: cyberpolice.gov.ua
A separate report by the Ukrainian cyberpolice explains that the suspect has been active since 2021 when he used automated tools to brute force the passwords of 1,500 accounts of a subsidiary of one of the world's largest e-commerce entities.
Europol and Ukraine have not identified the e-commerce company or its subsidiary.
The threat actor then used these accounts to gain access to administrative privileges, which were used to create more than one million virtual computers for use in the cryptomining scheme.
The Ukrainian authorities confirmed that the suspect was using TON cryptocurrency wallets to move the illegal proceeds, with transactions equal to roughly $2 million.
The arrested individual now faces criminal charges under Part 5 of Art. 361 (unauthorized interference in the work of information, electronic communication, electronic communication networks) of the Criminal Code of Ukraine.
Mitigating the risk
Threat actors commonly target cloud services to hijack computing resources for illegal cryptocurrency mining.
Methods to defend against cryptojacking attacks include monitoring for unusual activity like unexpected spikes in resource usage, implementing endpoint protection and intrusion detection systems, and limiting administrative privileges and access to critical resources only to those needing them.
Cryptojackers often exploit documented flaws in cloud platforms to achieve an initial compromise. So, regularly applying the available security updates on all software is crucial to protecting systems against external threats.
Finally, all administrative accounts should have 2FA enabled in case their credentials are stolen.
Comments
gavron - 5 months ago
$53 cost for every $1 mined you say. If that was the case nobody would ever legitimately mine monero.
$2M in profits over 3 years you say. If that was the case then $106M worth of expenses would have been a bit of a "bump" in someone's accounts receivables (unnamed cloud provider) or accounts payable (unnamed customer).
In the middle of a war between Ukraine and Russia a guy was arrested for hacking you say. And the other 99% of Ukranians who regularly hack everyone everywhere with impunity weren't. Right.
This is more of a LEO PR puff piece than anything real.
List names and links to official charging documents please.
Or it didn't happen.
I'm taking the under on this one. It didn't happen.
evendude7763 - 5 months ago
.....there's literally links from the sources in the article....you did read the article before commenting, right?
gavron - 5 months ago
".....there's literally links from the sources in the article....you did read the article before commenting, right?"
Hey thanks for making it about me.
The Europol article had no useful information.
The BleepingComputer followup didn't either, although it did list a different ratio, still too high to make sense.
But hey, if you want to ignore the article or my comment and just be all passive aggressive about calling me out for not reading the article (I did) and commenting on it (I did, but you ignored everything I wrote) you go, girl.
This is all BS. None of these numbers are right. No business would be subject to these kind of invoices and not notice for three years.
When you can comprehend that this is a forum, and discuss the topic, vs asking other people what they read or didn't read, you'll go far, baby.
pigironlifeform - 5 months ago
I'm not sure where you read the different ratios, both the bleepingcomputer article and sysdig report say 53:1 cost ratio for the abused computing resource to cryptocurrency profits earned. I dispute that ratio due to the small sample size, but the reporting matches in both articles.
$106 million in receivables for an unnamed cloud provider is quite small - Amazons AWS, for example, had turnover of around 80 billion. That's 0.1%.
If a single customer had had their accounts payable increase that much, I'd agree it seems suspect, but there's very clear reporting that this abuse was spread over multiple accounts - up to 1500, in 2021, per this article. I believe it would be reasonable to infer these accounts may belong to different companies.
This is a forum, and kindness doesn't cost anything.