A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits.
The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration."
"A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol said, adding it shared the intelligence with the Ukrainian authorities.
The Cyber Police of Ukraine, in a separate announcement, said the suspect “infected the servers of a well-known American company with a miner virus” at least since 2021, using custom brute-force tools to infiltrate 1,500 accounts of the firm.
“Using the compromised accounts, the hacker gained access to the management of the service,” the agency said. “To ensure the operation of the malware, the hacker created more than one million virtual computers.”
As part of the probe, three properties were searched to unearth evidence against the suspect.
Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person's or organization's computing resources to mine cryptocurrencies.
On the cloud, such attacks are typically carried out by infiltrating the infrastructure via compromised credentials obtained through other means and installing miners that use the infected host's processing power to mine crypto without their knowledge or consent.
"If the credentials do not have the threat actors' desired permissions, privilege escalation techniques are used to obtain additional permissions," Microsoft noted in July 2023. "In some cases, threat actors hijack existing subscriptions to further obfuscate their operations."
The core idea is to avoid paying for the necessary infrastructure required to mine cryptocurrencies, either by taking advantage of free trials or compromising legitimate tenants to conduct cryptojacking attacks.
In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.
(The story was updated after publication to include information shared by the Cyber Police of Ukraine.)