

Crypto-Mining Crime Rings: The Newest Reason Why Software Supply Chain Hygiene Matters

March 07, 2018 By Matt Howard

Mining for crypto currencies can make you some serious coin.

This is why more and more people are standing up "mining rigs" to dig for cryptocurrencies like Bitcoin, Litecoin, Ethereum, and Monero. Basically, it's the modern equivalent of panning for gold.

But crypto-mining, while potentially lucrative, ain't free. It requires a massive amount of computing power, and therefore energy, to do well. The practice has become so popular that it's driving growth at some of the world's largest technology companies, including TSMC, AMD and NVIDIA.

It's also driving growth in criminal activity.

Putting things into perspective: at an electricity cost of 14 cents per kilowatt-hour, mining is not a profitable endeavor. Similarly, if you invest $1,200 in mining hardware and earn $2 in mining profit per day, then, assuming no leap in coin value, it would take about 600 days, close to two years, to pay off your hardware investment.

If, however, you could borrow (steal) computing and energy resources from unsuspecting individuals -- then mining would be an incredibly profitable endeavor.  That, of course, is why criminals are actively hacking into computers around the world and doing what’s called mining by malware.

Last month, in one of the biggest malicious cryptocurrency mining operations ever, hackers exploited a vulnerability in Jenkins, a popular open source continuous integration (CI) server, to make $3 million by mining Monero.

Then, this past week it was discovered that a massive crypto-mining botnet had taken over half a million machines, and may have made its cybercriminal controllers millions of dollars.

It's clear this trend is growing, and the question of what to do about it has increasingly been popping up. In fact, my colleague Bill Karpovich was just on Cheddar talking about this issue and poignantly said: "If 2017 was the year of ransomware, 2018 is going to be the year of crypto-jacking. This is really the perfect cybercrime in many ways."

Here's the bottom line.  There are many, many reasons why organizations should protect their software supply chains.  Crypto-mining is just the latest.

Tags: open source risk management, remote code execution, crypto-mining

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.