A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth
Sergio Pastrana, Guillermo Suarez-Tangil

TL;DR
This paper presents the largest-scale measurement and analysis of crypto-mining malware over twelve years, revealing campaign structures, profit estimates, and underground infrastructure supporting illicit mining activities.
Contribution
It introduces an automated measurement pipeline analyzing 4.5 million samples, providing comprehensive insights into the scale, profits, and techniques of crypto-mining malware campaigns.
Findings
Multi-million dollar earnings from illicit campaigns
Over 4.4% of Monero linked to illicit mining
Widespread use of underground services like Pay-Per-Install
Abstract
Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e., web-browser cryptojacking, only commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.5 million malware samples (1.2 million malicious miners), over a period of twelve years from 2007 to 2019. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly-available payments sent to the wallets from mining pools as a reward for mining, and estimate profits for the different campaigns. All this…
Taxonomy
Topics: Advanced Malware Detection Techniques · Cybercrime and Law Enforcement Studies · Spam and Phishing Detection
