This article was published on July 24, 2019

Unsuspecting victims were cryptojacked 52.7 million times in the first half of 2019


Unsuspecting victims were cryptojacked 52.7 million times in the first half of 2019

Criminals made a staggering 52.7 million cryptojacking hits during the first six months of the year.

According to the latest research from SonicWall, cryptojacking activity rose by 9 percent between January and June 2019 when compared to levels seen in the last six months of 2018.

Cryptojacking refers to when a user’s computing power is hijacked by malware to mine cryptocurrency, which is often triggered by code hidden in websites.

The research also looked into the correlation between Bitcoin’s price and criminal activity.

Chart showing cryptojacking volume vs Bitcoin price via SonicWall

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The graph above shows that cryptojacking volumes began declining in November and December seemingly mirroring Bitcoin’s declining value.

Its price recovery from February 2019 onwards ushered in an uptick in cryptojacking activity, with hits increasing to 11.82 in March.

When looking at Monero, a privacy-focused cryptocurrency, and its price movements over the same time period, the data tells a similar story.

Cool theory, but…

Despite some obvious similarities between cryptocurrency value and cryptojacking activity, the report points out that it’s difficult to align the attacks with price movements.

Cryptojacking volume vs Monero Price via SonicWall

For example, even though Bitcoin hit year-to-date highs in June, that month showed the lowest cryptojacking volume of the year so far.

As well with Monero, as its price began to rise in February, so did the cryptojacking hits. But again, the theory doesn’t check out completely — Monero’s peak price for the year wasn’t in line with the highest recorded activity, which was in March.

Coinhive: the main culprit

Despite closing down earlier this year, the report says Coinhive remains the top cryptojacking signature.

One reason for this, the report adds, is that compromised websites may have not been cleaned since the infection – even if Coinhive is no longer available and its URL has been abandoned.

This situation leaves potential for a Coinhive revival, and could even, potentially be used by malicious authors in the future. 

For example, bad actors could conceivably register the Coinhive domain and reuse the URL left in the compromised websites. 

Another possibility is that cybercriminals are hoping Coinhive returns to reclaim the URL, making their Coinhive investments useable once again.

Facebook Libra deems caution

As expected, the report also touched on Facebook’s controversial ‘cryptocurrency’ Libra, which will be minted and not mined.

This likely means it won’t be used in traditional cryptojacking attacks. That said, if there’s money to be made, cybercriminals will find a way.

Once Libra launches next year, SonicWall expects many of the early exploits to focus on social engineering and other online scams which will try to manipulate users into sending Libra (via the complementary Calibra digital wallet) on a number of supported applications, including Facebook, Facebook Messenger, and WhatsApp.

We’ve already seen multiple examples of Libra scams, the latest of which forced Facebook into action, after several accounts, pages and groups claimed to sell fake Libra tokens on its own platform and Instagram.

Unfortunately for us all, 2019 is not the year this industry shakes cryptojackers once and for all.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with