Should You Block All Monero-Related Domains? Crypto Scams Set To Rise in 2022

The plans for everyone’s 2022 cryptocurrency investment strategies have already started. I’ve seen articles listing the “Hottest Cryptocurrencies” of the new year, what the best buys will be, and which currencies will surpass Dogecoin—and those are just the top results on Google at the moment of writing this article.

But what’s missing from a lot of the discussion around cryptocurrency is the impact this trend is having on security.**
**

My prediction for 2022 is that crypto-related cyber attacks will reach new heights. Between ransomware payments, phishing attacks, and cryptojacking, crypto is playing a huge role in the threat landscape of 2021 and will have an even bigger part to play early next year.

Around the time it was discovered that hackers stole millions on the cryptocurrency exchange Bitmart, the Tor2mine cryptominer malware has “evolved”, and Taiwanese hardware vendor QNAP announced a new strain of cryptomining malware targeted their network-attached storage devices, we saw a massive spike in traffic at DNSFilter to cryptomining domains:**
**

What’s most interesting about the domains that we’ll look like is that they are all domains related to the cryptocurrency Monero (abbreviated as XMR).

It’s a unique cryptocurrency because as reported in June of 2021, cybercriminals have started using it for ransomware payments instead of bitcoin. Transaction details are completely hidden: Sender, recipient, and the amount of the transfer are all disguised. Whereas with bitcoin, those external the transaction can see which wallets received or sent funds.

Monerois the same coin that the Pirate Bay announced it would be mining for when it disclosed it would start cryptojacking its users back in 2018.

**
**The cryptocurrency is still relevant. In fact, the largest traffic to our network under the category of “cryptomining” is easily to Monero-related domains.

**
One of the domains that falls under that “cryptomining” category is supportxmr[dot]com. The domain has a field for users to enter their Monero addresses in order to see their stats. The majority of the links on this page, in the lower-right footer and at the top, and the highlighted text “help section” are not actually hyperlinked. This is indicative that a domain is highly suspicious:
**

Looking into this domain, I noticed the domains related to it were highly suspicious per AlienVault:
The majority of these related domains do not resolve, while at least two are parked, two were Domain Generation Algorithms (DGA are domains often used by malware to connect back to a  host, like in the case of the SUNBURST attack), and one is a valid business domain.

Another domain that caused the spike in traffic is a mining pool: minexmr[dot]com. A mining pool is when cryptocurrency miners pool their computational resources to increase the likelihood they will find crypto on the blockchain. It makes for a more successful mining operation when you have more power to draw from. Unfortunately, this same methodology is used by threat actors in cryptojacking scenarios, where they utilize website visitors’ computers (without their knowledge) to mine cryptocurrency and cause a severe drain on their devices. And of course, there is always the possibility that a mining pool is a front for some type of scam.

**
**Mining pools are not deceptive in nature, but according to multiple sources (in addition to our own categorization) this site has malicious intent. ThreatCrowd is one site that agrees with our diagnosis where multiple users have voted that this site is in fact malicious:

AlienVault shows that this domain houses at least two malicious files:

Unfortunately, mining pools (Monero or not) like this are a breeding ground for malicious actors. They can put the infrastructure to work via cryptojacking, or they might choose to embed malicious files in an attempt to steal crypto from the miners themselves.

One example of cryptomining malware is Crackonosh, which again is used specifically to mine Monero.

Taking a broader look at Monero, I was curious to see how often we categorized Monero-related sites as deceptive.

Sites that include the term XMR (that Monero abbreviation used in both of the domains above) are blocked via security categories on our network 43.56% of the time. Sites using the term Monero are blocked via security categories 4.13% of the time.

This raises the question: Should network administrators block XMR domains on their network? If nearly 50% of them are malicious and their use is generally meant for cybercriminals and not your traditional cryptocurrency investor, there’s a strong case to be made for this decision.

But rather than block these domains based on the type of cryptocurrency they provide, administrators are better off blocking access to cryptomining sites as a whole. Cryptomining sites include cryptojacking, but it also includes any mining pool sites with questionable intent.

**
Not all DNS security providers have a cryptomining category.Check out the benchmark report to see who does, and how they fare in head-to-head comparisons.**