
Hacker deploys 1 million virtual servers for illegal crypto mining

A 29-year-old man from Ukraine has been arrested for his involvement in a large-scale cryptojacking scheme that took advantage of hacked accounts to create 1 million virtual servers and mine $2 million in cryptocurrency. According to reports from Europol, the suspect was the mastermind behind this operation, which involved hijacking cloud computing resources for crypto-mining purposes.

The cybercriminals involved in this scheme used the computing resources of other organizations' servers to mine cryptocurrency, profiting at the expense of the compromised organizations. The victims suffered degraded CPU and GPU performance as well as increased power consumption, the cost of which they had to bear.

A report from Sysdig estimated the damage from such cryptojacking activity at around $53 for every $1 worth of Monero (XMR) the cybercriminals mined on hijacked devices. Europol was first alerted to this cryptojacking attack in January 2023 by a cloud service provider that was investigating compromised cloud accounts on its platform.

After learning of the attack, Europol, the Ukrainian police, and the cloud provider worked together to develop operational intelligence that could be used to track down and identify the hacker. The suspect was eventually arrested on January 9th, and the authorities seized computer equipment, bank and SIM cards, electronic media, and other evidence of illegal activity.

Reports from the Ukrainian cyberpolice revealed that the suspect had been active since 2021, using automated tools to brute-force the passwords of 1,500 accounts belonging to a subsidiary of one of the world's largest e-commerce entities. The threat actor then used these accounts to obtain administrative privileges, which were used to create more than 1 million virtual computers for the crypto-mining scheme.

The suspect was found to be using TON cryptocurrency wallets to move the illegal proceeds, with transactions equal to roughly $2 million. He now faces criminal charges under Part 5 of Art. 361 (unauthorized interference in the work of information, electronic communication, electronic communication networks) of the Criminal Code of Ukraine.

To mitigate the risk of such attacks in the future, organizations should monitor for unusual activity such as unexpected spikes in resource usage, implement endpoint protection and intrusion detection systems, and restrict administrative privileges and access to critical resources to only those who need them. Additionally, regularly applying security updates to all software and enabling 2FA for all administrative accounts are crucial steps in protecting against external threats.
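The two signals this case hinges on, a burst of failed logins followed by a success (password brute forcing) and a single account suddenly launching many virtual machines (the resource spike), can both be detected from cloud audit logs. The following is an added example, not code from the article or from any provider; the event format, action names and thresholds are assumptions and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real cloud provider):
# (ISO 8601 timestamp, account, action, outcome).
EVENTS = [
    ("2023-01-05T10:00:00", "svc-build-07", "Login", "FAIL"),
    ("2023-01-05T10:00:03", "svc-build-07", "Login", "FAIL"),
    ("2023-01-05T10:00:06", "svc-build-07", "Login", "FAIL"),
    ("2023-01-05T10:00:09", "svc-build-07", "Login", "FAIL"),
    ("2023-01-05T10:00:12", "svc-build-07", "Login", "FAIL"),
    ("2023-01-05T10:00:15", "svc-build-07", "Login", "SUCCESS"),
    ("2023-01-05T10:05:00", "alice", "Login", "FAIL"),  # one typo, then success
    ("2023-01-05T10:05:30", "alice", "Login", "SUCCESS"),
    ("2023-01-05T10:06:00", "alice", "CreateVM", "SUCCESS"),
] + [  # 30 VM launches in one minute from the brute-forced account
    ("2023-01-05T10:10:%02d" % s, "svc-build-07", "CreateVM", "SUCCESS")
    for s in range(0, 60, 2)
]

def parse(events):
    return sorted((datetime.fromisoformat(ts), acct, action, outcome)
                  for ts, acct, action, outcome in events)

def login_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Accounts with at least min_failures failed logins inside `window`
    that are then followed by a successful login."""
    failures, flagged = defaultdict(deque), set()
    for ts, acct, action, outcome in parse(events):
        if action != "Login":
            continue
        q = failures[acct]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif len(q) >= min_failures:      # success after a failure burst
            flagged.add(acct)
    return flagged

def vm_launch_bursts(events, max_launches=20, window=timedelta(minutes=5)):
    """Accounts that launch more than max_launches VMs inside a sliding window."""
    launches, flagged = defaultdict(deque), set()
    for ts, acct, action, outcome in parse(events):
        if action != "CreateVM" or outcome != "SUCCESS":
            continue
        q = launches[acct]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_launches:
            flagged.add(acct)
    return flagged
```

Tune the thresholds to each account's normal baseline; an automation account that legitimately launches fleets needs a higher VM limit than an interactive user, and the login check is most useful when paired with the 2FA requirement noted above.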

The collaboration between Europol, the Ukrainian police, and the affected cloud provider in identifying and apprehending the suspect demonstrates the need for continued vigilance and cooperation in combating cybercrime, especially in cases involving the exploitation of cloud resources for illegal purposes. This arrest serves as a cautionary tale for cybercriminals engaged in similar activities and highlights the importance of proactively safeguarding against cryptojacking and other forms of illicit cyber activities.
