Cryptojacking: Back to the Future

A new kind of hacking is in the news - cryptojacking. Redlock, a security research firm, recently revealed that Tesla's servers had been hijacked by hackers who used Telsa's computing power to mine for cryptocurrencies.

A few days later, we learned that the LA Times had also been victimized in a similar incident. Indeed, Redlock estimated that eight percent of firms have experienced a cryptojacking incident - a number that seems certain to increase.

Cryptojacking is the perfect combination of two of the internet's hottest trends - rampant hacking and the massive growth of cryptocurrencies such as Bitcoin, Litecoin, and Ripple (among many, many others). 

Companies that were already desperately trying to stay ahead of hackers seeking their data now have a new worry - preventing hackers from illegally using their infrastructure. Thanks to the increasing complexity of Blockchain puzzles, hackers and miners are now seeking out more powerful computing power by legal, or nefarious, means.

Cryptojacking is certainly not the first time that cryptocurrencies have been associated with shady behavior. Indeed, despite the dreams of its inventors, Bitcoin and other cryptocurrencies have yet to function like real world currencies. To date, cryptocurrencies have only two common uses.

The first is as a means of speculation - a way to invest in what its promoters believe to be the next big thing. The result so far has been a series of boom and bust cycles in the value of cryptocurrencies over the last few years, and an inevitable increase in fraudulent promotion, pump and dump schemes and other types of investment-related fraud.

The second common use of cryptocurrencies is as a means of payment on the dark web. Ransomware providers, extortionists, drug dealers, even rogue states routinely demand payment in cryptocurrency. Moreover, hackers have for years been stealing cryptocoins by hacking so-called cyrptocurrency "wallets.”

The scale of some of these thefts have been mind boggling - some have amounted to significant percentages of all the cryptocoins in circulation and have led to the collapse of cryptocurrency exchanges. Thus, adding illegal mining activity to the list of odious activities associated with cryptocurrency does not fundamentally alter this landscape. 

Ironically, for those who have spent years working in the hacking and computer crime world, cryptojacking does not actually seem like a new thing at all. It is instead a return to the earliest days of hacking. Long before the invention of cryptocurrencies, before the invention of the internet, before anyone had even heard of cybersecurity, computer viruses, or malware, the very first hacking prosecutions were brought against hackers who broke into mainframe computers not to steal data, but rather to illegally use the computing power.

The advent of cheap and ever more powerful personal computers seemed to put an end to that type of hacking, but the same type of hacking in back. Indeed, whether you see the criminality associated with cryptocurrency as a fundamental flaw or an inevitable side effect of a successful currency probably depends on your preexisting sense of whether cryptocurrencies are a bubble-about-to-burst or a revolutionary idea sure to upend the financial system. After all, fraud schemes long predated modern money of any sort, so the fact that criminals are attracted to cryptocurrencies need not be fatal.

It does seem safe to assume, however, that even if the association with criminality does not bring about the demise of the current crop of cryptocurrencies, it is likely to hasten the day that governments decide to regulate them, which will fundamentally change their character.

Putting aside the implications for the future of cryptocurrencies, cryptojacking has implications for those involved in the fight against hacking. First, this new wave of hacking will raise new security concerns for CISOs and CIOs already dealing with a seemingly unending variety of cybersecurity threats. As a result, risk assessments will have to be refined, monitoring efforts revised, and cloud computer contracts reconsidered.

For lawyers who specialize in data breaches and hacking response, cryptojacking creates a series of complicated legal questions, the answers to which will vary from situation to situation:

  • How thoroughly do cryptojacking incidents need to be investigated?
  • What obligations do companies have to their customers, employees, or other stakeholders in the wake of a cryptojacking incident?
  • What are the obligations of management or boards of directors to prevent or respond to cryptojacking incidents?
  • What government enforcement actions might be taken against companies that fail to prevent or report cryptojacking incidents?

Despite the confusion and criminality associated with cryptocurrency, this bubble has persisted for a number of years now and despite a recent rise and fall in value, it’s important to take this seriously as this trend is here to stay.

What’s Hot on Infosecurity Magazine?