In a significant crackdown on cybercrime, a 29-year-old from Ukraine has been arrested for orchestrating a lucrative cryptojacking scheme. The scheme reportedly amassed over $2 million (€1.8 million) through illicit means.
The Ukrainian mastermind was detained in the city of Mykolaiv on January 9, following a collaborative effort involving the National Police of Ukraine, Europol, and a major cloud service provider. This arrest was the culmination of months of intensive investigative work.
Europol revealed that the initial tip-off came from a cloud provider in January 2023, after detecting suspicious activities in compromised user accounts. This intelligence was promptly shared with Ukrainian law enforcement agencies.
On the technical side, Ukraine’s Cyber Police disclosed that the suspect infected the American company’s servers with a mining virus. The activity dates back to at least 2021 and relied on custom-made brute-force tools to break into around 1,500 of the company’s user accounts.
The hacker reportedly manipulated these accounts to control the service and established over one million virtual computers to facilitate the malware’s operation. In the course of the investigation, three properties were searched to gather incriminating evidence against the individual.
Cryptojacking, a cybercrime involving the unauthorized use of computing resources to mine cryptocurrencies, is often executed in the cloud by accessing infrastructure through stolen credentials. The aim is to leverage the processing power of the infected hosts for mining cryptocurrencies without the owner’s knowledge or consent.
Microsoft, in a report from July 2023, highlighted that attackers often escalate privileges when the initially obtained credentials don’t grant the desired access. The tactics also include hijacking existing subscriptions to conceal their activities.
This method allows cybercriminals to evade the costs associated with mining infrastructure, exploiting free trials or hijacking legitimate accounts. A notable instance of such a strategy was detailed by Palo Alto Networks Unit 42 in October 2023, where attackers swiftly mined Monero using Amazon Web Services (AWS) credentials pilfered from GitHub repositories.
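The two signals described above, credential brute-forcing followed by mass provisioning of virtual machines from the compromised accounts, are what a defender would want to correlate in cloud audit logs. The following is an added example, not code from the article or from any of the organisations it mentions; the event schema and the constructed sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00", "user": "alice", "src_ip": "203.0.113.5", "action": "login", "result": "fail"},
    {"ts": "2021-03-01T10:00:07", "user": "bob", "src_ip": "203.0.113.5", "action": "login", "result": "fail"},
    {"ts": "2021-03-01T10:00:15", "user": "carol", "src_ip": "203.0.113.5", "action": "login", "result": "fail"},
    {"ts": "2021-03-01T10:00:22", "user": "dave", "src_ip": "203.0.113.5", "action": "login", "result": "fail"},
    {"ts": "2021-03-01T10:00:30", "user": "erin", "src_ip": "203.0.113.5", "action": "login", "result": "success"},
    {"ts": "2021-03-01T10:02:00", "user": "erin", "src_ip": "203.0.113.5", "action": "create_vm", "result": "success"},
    {"ts": "2021-03-01T10:02:05", "user": "erin", "src_ip": "203.0.113.5", "action": "create_vm", "result": "success"},
    {"ts": "2021-03-01T10:02:09", "user": "erin", "src_ip": "203.0.113.5", "action": "create_vm", "result": "success"},
    {"ts": "2021-03-01T11:00:00", "user": "frank", "src_ip": "198.51.100.9", "action": "login", "result": "fail"},
    {"ts": "2021-03-01T11:00:30", "user": "frank", "src_ip": "198.51.100.9", "action": "login", "result": "success"},
    {"ts": "2021-03-01T11:05:00", "user": "frank", "src_ip": "198.51.100.9", "action": "create_vm", "result": "success"},
]
def _burst_keys(events, key, window, threshold):
    """Sliding window: return keys with >= threshold events inside any span of length window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for k, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(k)
                break
    return hits

def brute_force_sources(events, window=timedelta(minutes=10), threshold=4):
    """Source IPs producing a burst of failed logins (brute force / password spraying)."""
    failed = [e for e in events if e["action"] == "login" and e["result"] == "fail"]
    return _burst_keys(failed, lambda e: e["src_ip"], window, threshold)

def mass_provisioners(events, window=timedelta(hours=1), threshold=3):
    """Accounts that created an unusual number of VMs within one window."""
    creates = [e for e in events if e["action"] == "create_vm" and e["result"] == "success"]
    return _burst_keys(creates, lambda e: e["user"], window, threshold)

def compromised_then_provisioning(events):
    """Accounts that logged in from a brute-forcing source and then mass-provisioned VMs."""
    bad_ips = brute_force_sources(events)
    users = {e["user"] for e in events if e["action"] == "login"
             and e["result"] == "success" and e["src_ip"] in bad_ips}
    return users & mass_provisioners(events)
```

Thresholds here are illustrative; in practice they should be tuned against the tenant's normal login-failure and provisioning rates so that a single benign burst does not page anyone.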
This article was updated to incorporate additional information from the Cyber Police of Ukraine.