Cryptocurrencies are hot. According to, there are now over 1300 cryptocurrencies with new initial coin offerings (ICOs) accelerating all the time. Even Kodak is getting into the act with KODAKcoin. And currently, the price trajectory of Bitcoin is higher than a North Korean rocket, with Blockchain saving the world one application at a time.

Cybercrime, which quickly adopted cryptocurrency as the payment method in the ransomware plague, is now turning its eye to other uses for cryptocurrency technology. We are seeing stolen account and credit card shops use the peer-to-peer DNS technology in Blockchain as a technique for bulletproofing their offerings. Joker's Stash (see Figure A), which has been linked to the Sonic Drive-In breach, is using .bazaar top-level domains as an alternative to traditional DNS and Tor-based naming systems.

Figure A: Joker’s Stash website offering stolen account details uses a .bazaar domain, as shown in the URL at the top of this screen shot.

In addition, the bandwagon for placing JavaScript that operates a coin mining function onto vulnerable websites and referred advertisements, #minevertising, has started to gallop away.

We are seeing ads (see Figure B) on the dark markets offering to inject Monero JavaScript coin-miners with a criminal's unique identifier. The result is that anyone who visits a compromised website is infected with malware that hijacks 100% of the visitor's CPU cycles to mine Monero cryptocurrency on the criminal's behalf. This activity has been named cryptojacking.

Figure B: Online ad offering Monero mining malware.
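
A defender-side check for the script injection described above, as an added example that is not part of the original article: it walks every `<script>` tag in a page, flags external sources whose host is not on the site's allowlist, and flags inline code that matches miner-like heuristics. The allowlist, the heuristic markers, the function name and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit a page's <script> tags for unexpected third-party code.
// ALLOWED_HOSTS is a hypothetical allowlist of hosts the site owner expects.
const ALLOWED_HOSTS = new Set(["www.example.com", "cdn.example.com"]);

// Heuristic markers (assumption): in-browser miners commonly start Web Workers,
// load WebAssembly and keep a WebSocket open to a pool. Two or more is a flag.
const INLINE_MARKERS = [/new\s+Worker\s*\(/, /WebAssembly\./, /new\s+WebSocket\s*\(/];

function auditScripts(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      try {
        // Resolves relative and protocol-relative URLs against the page URL.
        host = new URL(raw, pageUrl).hostname;
      } catch {
        findings.push({ type: "unparseable-src", detail: raw });
        continue;
      }
      if (!ALLOWED_HOSTS.has(host)) {
        findings.push({ type: "unexpected-host", detail: host });
      }
    } else {
      const hits = INLINE_MARKERS.filter((re) => re.test(body)).length;
      if (hits >= 2) findings.push({ type: "suspicious-inline", detail: `${hits} markers` });
    }
  }
  return findings;
}

// Constructed sample page: a first-party script, an injected external script
// on a host outside the allowlist, a miner-like inline block, a benign inline.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://miner.invalid/lib.js"></script>
<script>const w = new Worker("w.js"); WebAssembly.instantiateStreaming(fetch("h.wasm"));</script>
<script>document.title = "news";</script>
</head></html>`;

console.log(auditScripts(SAMPLE_HTML, "https://www.example.com/"));
```

Run against saved copies of a site's pages, this gives a list of script hosts to compare with what the site is supposed to load; the same allowlist can then be enforced in the browser with a Content-Security-Policy `script-src` directive.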

A stream of high-profile sites already have fallen victim to being injected with mining JavaScript from CBS’s and are probably two of the most notable cases to date.

The trend of the referred domains in cryptojacking JavaScript (Figure C) shows how quickly this technique