Early this year a piece of malicious computer code burrowed its way into the website of Britain’s National Health Service. The script acted as a parasite, harnessing the computing power of unsuspecting visitors and using it to generate digital currency, in a practice known as “cryptojacking”.
When computers confirm transactions on a blockchain, the infrastructure that records cryptocurrency transfers, they are rewarded in digital money. As cryptocurrencies such as bitcoin and monero have soared in value, hackers have increasingly engaged in mass theft of processing power for this energy-intensive procedure of “mining” them.
Companies from carmaker Tesla to insurer Aviva have been stung by cryptojacking schemes, which can slow computers and increase server bills. One crypto-mining script lurks on more than 35,000 websites, according to data from PublicWWW, a search engine for internet source code.
Now big tech groups are clamping down. On Monday Google announced it would no longer list extensions for its Chrome browser that mine cryptocurrency, saying 90 per cent of such software uploaded to its web store had violated its policies.
There are legitimate ways of siphoning remote computer power for crypto-mining. Online magazine Salon, for example, has asked readers who use ad-blocking software to lend some processing power to mine the cryptocurrency monero.
“We wanted to diversify revenues,” Jordan Hoffner, Salon chief executive, told the FT in February. “Advertising is fine, but that only took us so far.”
However, most cryptojacking remains illicit. Upa Campbell, vice-president of cyber security company Redlock, said the soaring value of cryptocurrencies meant the theft of computing power had become “much more lucrative” than that of data. The group estimates at least 8 per cent of organisations have suffered a cryptojacking attack.
Electric carmaker Tesla was cryptojacked recently in an attack it said affected internally used engineering test cars. The hackers were able to enter Tesla’s network because part of it was not password-protected, according to RedLock, which spotted the attack. The company’s investigation “found no indication that customer privacy or vehicle safety or security was compromised in any way”, and that it had addressed the vulnerability within hours of learning of it.
Adam Meyers, vice-president of intelligence at cyber security company CrowdStrike, says that while profits can be significant for hackers — he has seen individuals generate $80,000 in three months — they are often going undetected by the companies whose computing power is being leached.
“A company that’s got $100,000 or $1m in Amazon Web Services bills a month may not necessarily notice,” he said.
But there are bigger risks than slowed systems. Once a hacker has gained access, they can sometimes jump to other areas of the network and steal data or intellectual property. For some companies, such as critical infrastructure providers, the very process of taking up computing power could threaten operations.
Ilan Barda, chief executive of Israeli cyber security company Radiflow, says servers used by critical infrastructure companies make good targets for crypto miners — they are strong and reliable yet their software is often not kept current because of fears that an update could take the machines offline.
Although bitcoin is the best known and most valuable cryptocurrency, the anonymous digital coin monero appears to be the most popular among cryptojackers.
“Like all currencies . . . monero can be used for illegal activity,” says Riccardo Spagni, its key developer. “We do not condone the use of our technology for any nefarious or illegal activity, including cryptojacking.”
At the root of many cryptojackings, including that of the NHS, is Coinhive, software created by a secretive team of developers that offers the chance to “monetise your business with your users’ CPU power”.
A Coinhive representative who responded to an email sent to the group said the company, which “just started as a small experiment”, was based in Germany and took a 30 per cent cut of all the monero mined using its service.
But the person, who declined to be identified, said the team had closed 200 accounts that had used its code to cryptojack without permission, and that hackers had only made modest gains.
“None of the hacks we’ve seen so far have been worth it for the attacker. Some of the attackers got away with up to 0.5XMR [$171] from their hacks, but in most cases no payouts have been made whatsoever.”