Crypto Mining Malware Has Netted Nearly 5% of All Monero, Says Research

Hackers have mined at least 4.32 percent of the total monero in circulation, worth nearly $40 million today, according to new research.

AccessTimeIconJan 10, 2019 at 5:00 a.m. UTC
Updated Sep 13, 2021 at 8:47 a.m. UTC

Monero (XMR) is by far the most popular cryptocurrency among criminals deploying mining malware, according to a new study.

Two researchers, Sergio Pastrana and Guillermo Suarez-Tangil, from Universidad Carlos III de Madrid and King’s College London, respectively, published their report last week, estimating that hackers have mined at least 4.32 percent of the total monero in circulation.

Pastrana and Suarez-Tangil write:

“Overall, we estimate there are at least 2,218 active campaigns that have accumulated about 720K XMR (57M USD). Interestingly just a single campaign (C#623) has mined more than 163K XMR (18M USD), which accounts for about 23% of the total estimated. This campaign is still active at the time of writing."

The researchers, however, are not sure whether, or what portion, of malware owners have cashed out their crypto, due to lack of information and the fluctuating prices of cryptos. At press time, the value of the XMR total cited is almost $40 million.

Around 4.4 million malware samples were analyzed over a 12-year period from 2007 to 2018, and and 1 million malicious miners were identified, the paper says.

Tactics adopted to distribute malware varies, but the pair say that a "common yet effective approach is to use legitimate infrastructure such as Dropbox or GitHub to host the droppers, and stock mining tools such as claymore and xmrig to do the actual mining."

After monero, which the pair said is "most prevalent," bitcoin came in at second favorite crypto for illicit mining, though its popularity has decreased over the years. Bad actors also experimented with other altcoins such as dogecoin or litecoin during 2013 and 2014 and then shifted back to bitcoin and monero, probably because these are more profitable, the researchers suggest.

Of the malware-associated wallets identified by the team, monero was 56 percent more represented than bitcoin, while zcash came in third place.


More generally, instances of crypto-mining malware increased by well over 4,000 percent last year, according to research from McAfee published in December – growth that saw it rapidly overtake the previous favorite, ransomware, over the period.

Back in November, research from Israel-based cybersecurity firm Check Point Software Technologies showed that a monero mining malware, dubbed KingMiner, is evolving through time to avoid detection.

Monero image via Shutterstock; tables via the report 


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.