During Market Boom, Monero Cryptojacking Fell for First Time Since 2018

New research from Palo Alto Networks' Unit 42 tracks the rise and fall of illicit XMR mining in the cloud.

AccessTimeIconApr 6, 2021 at 10:00 a.m. UTC
Updated Sep 14, 2021 at 12:36 p.m. UTC

New research has found that cryptojacking, or the illegal use of someone else’s computing resources to mine cryptocurrencies, has quietly decreased for the first time since 2018.

Unit 42, the global threat intelligence team at Palo Alto Networks, which conducted and published the research as part of a larger “Cloud Threat Report,” first started tracking cryptojacking in 2018. 

The report focuses specifically on the illicit mining of privacy coin monero, given its popularity with hackers, the authors say. The research was conducted from September 2020 through February 2021. 

“Globally, 23% of organizations with cloud workloads experienced cryptojacking from July through September 2020, compared to only 17% from December 2020 through February 2021, according to our findings,” the report states.

Monero and cryptojacking

According to Unit 42 researcher Nathaniel Quist, cryptojacking is both an issue and appealing to attackers for two reasons. 

First, the cloud has lots of CPUs and lots of virtual machines, said Quist, which can translate to big mining profits. Second, the cloud is hard to monitor. Quist said miners can run undetected for a long time, and without any detection mechanisms in place, they may run until the user finds an inflated cloud usage bill and realizes that something is wrong.

“There is currently a heightened awareness by cloud security teams towards the significance, impact and risks of cryptomining operations and we believe the initial steps are being taken to better secure cloud environments,” Quist said. 

Researchers saw that the lowest number of network connections took place at the highest market price points, which may indicate that mining operators were performing the majority of their mining during bear markets before selling during high price runs.

While XMR is the most popular coin for cloud mining, Unit 42 also looked at the network  connections for ether, bitcoin, litecoin and dash. In each case, XMR mining connections significantly outperformed the other mining operations.

Vulnerabilities galore

While cryptojacking itself was down, that doesn’t mean there wasn’t an increase in other kinds of cybercrime associated with increased demand for cloud computing products. 

Looking from October 2019 to February 2021, Unit 42’s research indicates that cloud security incidents exploded by 188% in the second quarter of 2020 (April to June) as nationwide lockdowns went into effect. 

The team also found that while organizations and businesses were quickly able to move their workflow to the cloud, automated security measures lagged behind. 

And these kinds of security incidents didn’t discriminate by industry. The retail industry saw incidents increase by 402% while manufacturing and government increased by 230% and 205%, respectively. 

It wasn’t just security incidents that increased either, but also the risk to sensitive data. 

Surprisingly, the Unit 42 research found that 35% of businesses globally let their cloud storage resources be publicly accessible from the internet. Thirty percent of those organizations exposed some form of sensitive data to the internet, making it potentially vulnerable. This data included personally identifiable information, intellectual property and healthcare and financial data. 

“This finding was shocking, given that anyone who knows the right URLs can access the data without passwords or other authentication,” the researchers wrote. 

There have been numerous instances of researchers and attackers accessing inadvertently exposed data in this way.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about