Interpol has collaborated with cybersecurity firm Trend Micro to reduce cryptojacking affecting MikroTik routers across South-East Asia, according to a Jan. 8 press release. Though the collaboration reduced the number of affected devices by 78 percent, this is unlikely to have made a significant impact on mining hashrate.
Cryptojacking is a malicious practice where attackers infect common devices with crypto mining malware, utilizing the victim’s resources to mine cryptocurrency. Cybersecurity firm Trend Micro collaborated with Interpol’s Global Complex for Innovation, based in Singapore, to sanitize MikroTik routers infected with mining malware.
As part of the “Operation Goldfish Alpha,” Trend Micro developed a “Cryptojacking Mitigation and Prevention” guidance document, detailing how a vulnerability affecting a common brand of home and enterprise routers led to thousands of devices being infected across the ASEAN region. The document also suggested how victims could use Trend Micro software to detect and eliminate the malware.
In the five months following the definition of the document in June 2019, experts from national Computer Emergency Response Teams and police helped identify and restore over 20,000 affected routers, reducing the number of infected devices in the region by 78 percent.
How much money did the hackers make?
The vulnerability affected all MikroTik routers that feature its proprietary RouterOS. The routers include a wide range of ARM-based CPUs, ranging from single-core 600 megahertz to 72 cores 1 gigahertz processors.
Trend Micro reported that attackers mined Monero (XMR) with the affected devices, which is among the only coins that can be reasonably mined with common CPUs — especially after the RandomX upgrade further shifted the focus to central processing units.
Though hashrate figures vary wildly between different types of ARM processors, benchmarks offered by the Monero community allow to estimate an average 300 hashes per second for some common ARM processors, commonly found in smartphones.
With 20,000 devices and at Jan. 9 network hashrate figures, the attackers would currently make an estimated $13,000 per month from infected routers, according to the CryptoCompare calculator. However, estimates put the number of affected devices globally at 200,000 since 2018, well before the introduction of RandomX. Before the upgrade, hashrates for ARM processors were much lower — around 10 hashes per second.
Mining profitability has varied significantly in the last two years, but the monthly revenue from the cryptojacking attack is likely to have amounted to between five and six figures.
It is unclear whether the mining software could be updated through the various hard forks that occurred since. Even if the malware was still active in late 2019, its profitability was low compared to the hundreds of millions of dollars lost to exchange hacks during the entire year.