Inadvertently making cyber criminals rich: A comprehensive study of cryptojacking campaigns at internet scale

Hugo L.J. Bijmans; Tim M. Booij; Christian Doerr

Inadvertently making cyber criminals rich: A comprehensive study of cryptojacking campaigns at internet scale

Hugo L.J. Bijmans, Tim M. Booij, Christian Doerr

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

37 Citations (Scopus)

311 Downloads (Pure)

Abstract

Since the release of a browser-based cryptominer by Coinhive in 2017, the easy use of these miners has skyrocketed illicit cryptomining in 2017 and continued in 2018. This method of monetizing websites attracted website owners, as well as criminals seeking new ways to earn a profit. In this paper, we perform two large studies into the world of cryptojacking, focused on organized cryptomining and the spread of cryptojacking on the Internet. We have identified 204 cryptojacking campaigns, an order of magnitude more than previous work, which indicates that these campaigns are heavily underestimated by previous studies. We discovered that criminals have chosen third-party software - such as WordPress - as their new method for spreading cryptojacking infections efficiently. With a novel method of using NetFlow data we estimated the popularity of mining applications, which showed that while Coinhive has a larger installation base, CoinImp WebSocket proxies were digesting significantly more traffic in the second half of 2018. After crawling a random sample of 49M domains, ~20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of websites affected.

Original language	English
Title of host publication	Proceedings of the 28th USENIX Security Symposium
Publisher	USENIX Association
Pages	1627-1644
Number of pages	18
ISBN (Electronic)	9781939133069
Publication status	Published - 2019
Event	28th USENIX Security Symposium - Santa Clara, United States Duration: 14 Aug 2019 → 16 Aug 2019

Publication series

Name	Proceedings of the 28th USENIX Security Symposium

Conference

Conference	28th USENIX Security Symposium
Country/Territory	United States
City	Santa Clara
Period	14/08/19 → 16/08/19

Access to Document

sec19-bijmansFinal published version, 1.11 MB

Cite this

@inproceedings{d388fd7094df49f6b7d47c964e2b37b7,

title = "Inadvertently making cyber criminals rich: A comprehensive study of cryptojacking campaigns at internet scale",

abstract = "Since the release of a browser-based cryptominer by Coinhive in 2017, the easy use of these miners has skyrocketed illicit cryptomining in 2017 and continued in 2018. This method of monetizing websites attracted website owners, as well as criminals seeking new ways to earn a profit. In this paper, we perform two large studies into the world of cryptojacking, focused on organized cryptomining and the spread of cryptojacking on the Internet. We have identified 204 cryptojacking campaigns, an order of magnitude more than previous work, which indicates that these campaigns are heavily underestimated by previous studies. We discovered that criminals have chosen third-party software - such as WordPress - as their new method for spreading cryptojacking infections efficiently. With a novel method of using NetFlow data we estimated the popularity of mining applications, which showed that while Coinhive has a larger installation base, CoinImp WebSocket proxies were digesting significantly more traffic in the second half of 2018. After crawling a random sample of 49M domains, ~20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of websites affected.",

author = "Bijmans, {Hugo L.J.} and Booij, {Tim M.} and Christian Doerr",

year = "2019",

language = "English",

series = "Proceedings of the 28th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "1627--1644",

booktitle = "Proceedings of the 28th USENIX Security Symposium",

note = "28th USENIX Security Symposium ; Conference date: 14-08-2019 Through 16-08-2019",

}

Inadvertently making cyber criminals rich: A comprehensive study of cryptojacking campaigns at internet scale. / Bijmans, Hugo L.J.; Booij, Tim M.; Doerr, Christian.
Proceedings of the 28th USENIX Security Symposium. USENIX Association, 2019. p. 1627-1644 (Proceedings of the 28th USENIX Security Symposium).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Inadvertently making cyber criminals rich

T2 - 28th USENIX Security Symposium

AU - Bijmans, Hugo L.J.

AU - Booij, Tim M.

AU - Doerr, Christian

PY - 2019

Y1 - 2019

N2 - Since the release of a browser-based cryptominer by Coinhive in 2017, the easy use of these miners has skyrocketed illicit cryptomining in 2017 and continued in 2018. This method of monetizing websites attracted website owners, as well as criminals seeking new ways to earn a profit. In this paper, we perform two large studies into the world of cryptojacking, focused on organized cryptomining and the spread of cryptojacking on the Internet. We have identified 204 cryptojacking campaigns, an order of magnitude more than previous work, which indicates that these campaigns are heavily underestimated by previous studies. We discovered that criminals have chosen third-party software - such as WordPress - as their new method for spreading cryptojacking infections efficiently. With a novel method of using NetFlow data we estimated the popularity of mining applications, which showed that while Coinhive has a larger installation base, CoinImp WebSocket proxies were digesting significantly more traffic in the second half of 2018. After crawling a random sample of 49M domains, ~20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of websites affected.

AB - Since the release of a browser-based cryptominer by Coinhive in 2017, the easy use of these miners has skyrocketed illicit cryptomining in 2017 and continued in 2018. This method of monetizing websites attracted website owners, as well as criminals seeking new ways to earn a profit. In this paper, we perform two large studies into the world of cryptojacking, focused on organized cryptomining and the spread of cryptojacking on the Internet. We have identified 204 cryptojacking campaigns, an order of magnitude more than previous work, which indicates that these campaigns are heavily underestimated by previous studies. We discovered that criminals have chosen third-party software - such as WordPress - as their new method for spreading cryptojacking infections efficiently. With a novel method of using NetFlow data we estimated the popularity of mining applications, which showed that while Coinhive has a larger installation base, CoinImp WebSocket proxies were digesting significantly more traffic in the second half of 2018. After crawling a random sample of 49M domains, ~20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of websites affected.

UR - http://www.scopus.com/inward/record.url?scp=85075933542&partnerID=8YFLogxK

M3 - Conference contribution

T3 - Proceedings of the 28th USENIX Security Symposium

SP - 1627

EP - 1644

BT - Proceedings of the 28th USENIX Security Symposium

PB - USENIX Association

Y2 - 14 August 2019 through 16 August 2019

ER -

Inadvertently making cyber criminals rich: A comprehensive study of cryptojacking campaigns at internet scale

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this