Security Experts:

Connect with us

Hi, what are you looking for?



$175 Million in Monero Mined via Malicious Programs: Report

The popularity of crypto-currency malware has been skyrocketing over the past year, and the segment appears to have been highly lucrative for cybercriminals, a new Palo Alto Networks report reveals.

The popularity of crypto-currency malware has been skyrocketing over the past year, and the segment appears to have been highly lucrative for cybercriminals, a new Palo Alto Networks report reveals.

With the number of malware samples ultimately delivering crypto-miners well over the half a million mark, it’s no wonder that miscreants are able to profit from this type of nefarious activity. To these, one can add the JavaScript, or web-based, malicious mining operations, which are highly lucrative as well.

Looking into the proliferation of crypto-mining malware, Palo Alto’s Josh Grunzweig discovered information on around 630,000 malicious samples, 3,773 emails used to connect with mining pools, and 2,995 mining pool URLs.

Over 530,000 malware samples target Monero, roughly 53,000 target Bitcoin, and 16,000 target Cryptonite (XCN), with the rest spread across the remaining currencies. The researcher also identified 2,341 Monero (XMR) wallets, 981 Bitcoin (BTC) wallets, 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets, and 28 Litecoin (LTC) wallets.

Given the clear interest cybercriminals have in Monero, the researcher focused on this virtual coin as well. In addition to the 2,341 Monero wallets extracted from the analyzed sample set, he also managed to determine the mining pools used, and discovered that, of the top ten mining pools used by this malware, all but one allows for anonymous viewing of statistics based off of the wallet as an identifier.

“By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources,” he notes.

Thus, Grunzweig determined that a total of 798613.33 XMR has been mined to date, representing around 5% of all Monero in circulation. Web-based Monero miners and miners the researcher doesn’t have visibility into aren’t included here.

While half of the 2,341 wallets identified have been unable to generate a meaningful amount of Monero, the remaining batch obtained over $140 million, the researcher estimates. According to Grunzweig, “a total of $175m has been found to be mined historically via the Monero currency.”

1,278 (55%) of the identified wallets earned 0.01 XMR (~$2.20) or more and only a small subset earned a significant (100 XMR or greater) amount of coins. Only 99 wallets (less than 2% of all wallets identified) have received over 1,000 XMR, and 16 wallets (0.68% of all wallets) have obtained over 10,000 XMR.

Looking at the total hashing power, the research revealed the attackers only used 2% of the global hashing power mining the Monero network. At around 19MH/s, the hashrate would result in approximately $30,443 per day being mined.

“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.

Related: Cryptocurrency Theft Tops $1 Billion in Past Six Months

Related: Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.