The plans for everyone’s 2022 cryptocurrency investment strategies have already started. I’ve seen articles listing the “Hottest Cryptocurrencies” of the new year, what the best buys will be, and which currencies will surpass Dogecoin—and those are just the top results on Google at the moment of writing this article. But what’s missing from a lot of the discussion around cryptocurrency is the impact this trend is having on security.** ** My prediction for 2022 is that crypto-related cyber attacks will reach new heights. Between ransomware payments, phishing attacks, and cryptojacking, crypto is playing a huge role in the threat landscape of 2021 and will have an even bigger part to play early next year. Around the time it was discovered that hackers stole millions on the cryptocurrency exchange Bitmart, the Tor2mine cryptominer malware has “evolved”, and Taiwanese hardware vendor QNAP announced a new strain of cryptomining malware targeted their network-attached storage devices, we saw a massive spike in traffic at DNSFilter to cryptomining domains:** ** What’s most interesting about the domains that we’ll look like is that they are all domains related to the cryptocurrency Monero (abbreviated as XMR). It’s a unique cryptocurrency because , cybercriminals have started using it for ransomware payments instead of bitcoin. Transaction details are completely hidden: Sender, recipient, and the amount of the transfer are all disguised. Whereas with bitcoin, those external the transaction can see which wallets received or sent funds. Monero it would be mining for when it disclosed it would start cryptojacking its users back in 2018. as reported in June of 2021 is the same coin that the Pirate Bay announced ** **The cryptocurrency is still relevant. In fact, the largest traffic to our network under the category of “cryptomining” is easily to Monero-related domains. ** ** One of the domains that falls under that “cryptomining” category is supportxmr[dot]com. The domain has a field for users to enter their Monero addresses in order to see their stats. The majority of the links on this page, in the lower-right footer and at the top, and the highlighted text “help section” are not actually hyperlinked. This is indicative that a domain is highly suspicious: Looking into this domain, I noticed the domains related to it : The majority of these related domains do not resolve, while at least two are parked, two were Domain Generation Algorithms (DGA are domains often used by malware to connect back to a  host, like in the case of the ), and one is a valid business domain. were highly suspicious per AlienVault SUNBURST attack Another domain that caused the spike in traffic is a mining pool: minexmr[dot]com. A mining pool is when cryptocurrency miners pool their computational resources to increase the likelihood they will find crypto on the blockchain. It makes for a more successful mining operation when you have more power to draw from. Unfortunately, this same methodology is used by threat actors in cryptojacking scenarios, where they utilize website visitors’ computers (without their knowledge) to mine cryptocurrency and cause a severe drain on their devices. And of course, there is always the possibility that a mining pool is . a front for some type of scam ** ** , but according to multiple sources (in addition to our own categorization) this site has malicious intent. that agrees with our diagnosis where multiple users have voted that this site is in fact malicious: Mining pools are not deceptive in nature ThreatCrowd is one site AlienVault shows that : this domain houses at least two malicious files Unfortunately, mining pools (Monero or not) like this are a breeding ground for malicious actors. They can put the infrastructure to work via cryptojacking, or they might choose to embed malicious files in an attempt to steal crypto from the miners themselves. One example of cryptomining malware is , which again is used specifically to mine Monero. Crackonosh Taking a broader look at Monero, I was curious to see how often we categorized Monero-related sites as deceptive. Sites that include the term XMR (that Monero abbreviation used in both of the domains above) are blocked via security categories on our network 43.56% of the time. Sites using the term Monero are blocked via security categories 4.13% of the time. This raises the question: Should network administrators block XMR domains on their network? If nearly 50% of them are malicious and their use is generally meant for cybercriminals and not your traditional cryptocurrency investor, there’s a strong case to be made for this decision. But rather than block these domains based on the type of cryptocurrency they provide, administrators are better off blocking access to cryptomining sites as a whole. Cryptomining sites include cryptojacking, but it also includes any mining pool sites with questionable intent. ** Not all DNS security providers have a cryptomining category. .** Check out the benchmark report to see who does, and how they fare in head-to-head comparisons

Dogecoin

Google

Should You Block All Monero-Related Domains? Crypto Scams Set To Rise in 2022

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

$1B Capitalization: Meme Token Launch Strategy Under the Microscope

(1/100) Crypto Countdown: Golem

06/09/2018: Biggest Stories in the Cryptosphere

07/09/2018: Biggest Stories in the Cryptosphere

$PEPE, a Purple Lamborghini, and More: The Story Continues

Roundup #11: "How I Evaded Sanctions and How You Can To"

$1B Capitalization: Meme Token Launch Strategy Under the Microscope

(1/100) Crypto Countdown: Golem

06/09/2018: Biggest Stories in the Cryptosphere

07/09/2018: Biggest Stories in the Cryptosphere

$PEPE, a Purple Lamborghini, and More: The Story Continues

Roundup #11: "How I Evaded Sanctions and How You Can To"

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps