Study: Cryptocurrency value spikes encourage more illicit mining
Researchers tracked Monero cryptocurrency and illicit mining for nearly three years


The amount of illicit cryptocurrency mining closely follows the value of Monero, according to new research.
According to Talos, security researchers noted that as the value of Monero increased, so did the volume of illicit mining detected in the wild. Researchers chose to track Monero because it is the cryptocurrency of choice among cyber criminals.
"Monero is a favorite for illicit mining for a variety of reasons, but two key points are: It's designed to run on standard, non-specialized, hardware, making it a prime candidate for installation on unsuspecting systems of users around the world, and it's privacy-focused," said researchers.
Researchers needed to figure out an efficient way to track cryptocurrency mining activity to test their hypothesis. They relied on network-based detections as crypto mining is typically done in the clear — non-encrypted — on the wire and is, therefore, detectable. Researchers said this approach also ensures the crypto-miner is properly installed and functioning, since it is generating the applicable network traffic.
To measure mining activity, they tracked the rate at which certain Snort rules targeting crypto miners fired. The researchers tracked Monero activity between November 2018 and June 2021.
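The network-based approach described above can be sketched as follows. This is an added example, not code from the article or from Talos: it assumes the cleartext traffic is the Stratum JSON-RPC dialect spoken by common Monero miners (the article does not name the protocol), and the sample payloads and wallet placeholder are constructed.

```python
import json
from collections import Counter

# Required "params" keys per method in the cleartext Stratum JSON-RPC dialect
# used by common Monero miners (assumption: the article names no protocol).
SIGNATURES = {
    "login": {"login", "pass"},
    "submit": {"job_id", "nonce", "result"},
    "job": {"blob", "job_id", "target"},
}

def classify(payload: bytes):
    """Return the Stratum message type seen in a TCP payload, or None."""
    for raw in payload.splitlines():
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # not JSON (HTTP headers, binary data, empty line)
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        need = SIGNATURES.get(method) if isinstance(method, str) else None
        # Method name alone is not enough: generic JSON-RPC also uses "login".
        if need and isinstance(params, dict) and need <= params.keys():
            return method
        # A pool's reply to a login carries the first job inside "result".
        result = msg.get("result")
        job = result.get("job") if isinstance(result, dict) else None
        if isinstance(job, dict) and SIGNATURES["job"] <= job.keys():
            return "login-reply"
    return None

def monthly_counts(events):
    """Count detections per YYYY-MM, the kind of trend compared with price."""
    counts = Counter()
    for timestamp, payload in events:
        if classify(payload):
            counts[timestamp[:7]] += 1
    return counts

# Constructed sample events: (ISO timestamp, TCP payload).
SAMPLE_EVENTS = [
    ("2021-03-02T10:00:00Z", b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"example-miner"}}\n'),
    ("2021-04-11T08:30:00Z", b'{"jsonrpc":"2.0","method":"job","params":{"blob":"00","job_id":"1","target":"ffff0000"}}\n'),
    ("2021-04-11T08:31:00Z", b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"1","nonce":"00000000","result":"00"}}\n'),
    ("2021-04-12T09:00:00Z", b'{"jsonrpc":"2.0","method":"login","params":{"user":"alice"}}\n'),  # benign JSON-RPC
    ("2021-04-12T09:05:00Z", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    print(dict(monthly_counts(SAMPLE_EVENTS)))
```

A miner that wraps its pool connection in TLS produces none of these strings on the wire, so a count like this reflects only the cleartext mining the article describes.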
“The first thing we noticed is that no matter what, cryptomining is extremely popular. Even at its lowest point, we were seeing millions of events associated with crypto mining activity. We were also floored to see how much mining activity has risen since we first started writing about this in 2018. Today, we see more than double the volume we were observing several years ago,” said Nick Biasini, a threat researcher at Cisco Talos.
Researchers observed that mining activity does have some dependence on the value of the currency.
“The most crypto mining activity we've ever seen has occurred in the last couple of months when Monero hit its all-time high,” said Biasini.
Outside of the short price drop in early 2021 — before the massive spike — the graph tracks almost identically to the value of the currency.
“This was honestly a pretty surprising correlation since it's believed that malicious actors need a significant amount of time to set up their mining operations, so it's unlikely they could flip a switch overnight and start mining as soon as values rise,” said Biasini.
“This may still be true for some portion of the threat actors deploying miners, but based on the actual data, there are many others chasing the money.”
With many countries now considering a crackdown on cryptocurrency use, this pattern may quickly change.
“Detection for crypto mining can be spread into a variety of different places including blocking mining-related domains, to enforcing limitations on the end system preventing the mining from starting and lots of network-based detection, which this research is based on,” said Biasini.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.