Ukrainian arrested for infecting US cloud provider with cryptomining malware

Jason Macuray
A 29-year-old hacker from the southern city of Mykolaiv is believed to have illicitly mined over $2 million in cryptocurrency over the past two years.

A Ukrainian national was arrested last week for allegedly infecting the servers of “a well-known” American cloud service provider with cryptomining malware, according to Ukrainian police.

The police said they searched the suspect’s three properties, seizing his computer equipment, bank cards and other electronic devices to collect evidence.

The hacker’s arrest in early January followed “months of collaboration” between Ukrainian authorities, Europol, and the cloud provider affected by the scheme. Authorities didn’t name the affected cloud company, but Ukraine’s police said it’s a well-known American firm.

The unauthorized use of cloud computing resources is one of several ways cybercriminals can illicitly mine digital coins.

“By stealing cloud resources to mine cryptocurrencies, the criminals can avoid paying for the necessary servers and power, the cost of which typically outweighs the profits,” Europol said. “The compromised account holders are left with huge cloud bills.”

Starting in 2021, the suspect infected the servers of “one of the world’s largest e-commerce companies” by compromising 1,500 accounts of a subsidiary, the police said. The attacker used self-developed software to guess account passwords automatically, a technique known as a brute-force attack.

Using compromised accounts, the hacker gained remote access to the targeted system and then infected it with cryptomining malware. He used more than a million virtual computers to run the malware, police said.
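The two signals in the paragraphs above, a single source trying passwords against many accounts and then a login that succeeds right after a run of failures, are what a defender would look for in the provider's authentication logs. The following is an added example, not the cloud provider's, Europol's or the police's tooling: it runs a sliding-window brute-force detector over a constructed, simplified log format (timestamp, source IP, account, outcome). Real sources such as CloudTrail ConsoleLogin events need their own parser, and the threshold and window values are assumptions to tune per environment.

```python
"""Detect password brute-forcing and the success-after-failures pattern.

Added example; the log format and the sample lines below are constructed,
not taken from the article or from any provider's real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays five accounts and then logs in as
# "erin"; 198.51.100.4 is a real user with one typo; 192.0.2.9 fails five
# times but spread over 24 minutes, so it never crosses the window threshold.
SAMPLE_LOG = """\
2023-01-10T08:00:00Z 192.0.2.9 alice FAIL
2023-01-10T08:00:01Z 203.0.113.7 alice FAIL
2023-01-10T08:00:02Z 203.0.113.7 bob FAIL
2023-01-10T08:00:03Z 203.0.113.7 carol FAIL
2023-01-10T08:00:04Z 203.0.113.7 dave FAIL
2023-01-10T08:00:05Z 203.0.113.7 erin FAIL
2023-01-10T08:00:06Z 203.0.113.7 erin OK
2023-01-10T08:01:00Z 198.51.100.4 alice FAIL
2023-01-10T08:01:05Z 198.51.100.4 alice OK
2023-01-10T08:06:00Z 192.0.2.9 alice FAIL
2023-01-10T08:12:00Z 192.0.2.9 alice FAIL
2023-01-10T08:18:00Z 192.0.2.9 alice FAIL
2023-01-10T08:24:00Z 192.0.2.9 alice FAIL
"""

FAIL_THRESHOLD = 5            # assumed: failures per source inside the window
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def detect(lines):
    """Return (brute_force_sources, compromised_accounts).

    brute_force_sources maps a source IP to the number of distinct accounts it
    failed against when it first crossed FAIL_THRESHOLD inside WINDOW.
    compromised_accounts holds accounts that saw a successful login from a
    source that had just crossed the threshold: a guessed password, not a typo.
    Lines are expected in chronological order.
    """
    recent_failures = defaultdict(deque)  # ip -> deque of (timestamp, account)
    brute_force = {}
    compromised = set()
    for line in lines:
        if not line.strip():
            continue
        ts, ip, account, outcome = parse_line(line)
        window = recent_failures[ip]
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if outcome == "FAIL":
            window.append((ts, account))
            if len(window) >= FAIL_THRESHOLD and ip not in brute_force:
                brute_force[ip] = len({acct for _, acct in window})
        elif outcome == "OK" and len(window) >= FAIL_THRESHOLD:
            compromised.add(account)
    return brute_force, compromised


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    sources, accounts = run_sample()
    for ip, n in sources.items():
        print(f"brute force from {ip}: {n} distinct accounts in window")
    for acct in sorted(accounts):
        print(f"likely compromised account: {acct}")
```

Counting distinct accounts per source, not just failures, is what separates a credential spray like the one described here from one user mistyping a password; the window keeps a slow, patient guesser from being hidden by its own spacing only if the window is widened accordingly, which is the usual tuning trade-off.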

The affected cloud provider approached Europol in January 2023 with information regarding compromised cloud user accounts. Europol shared this information with Ukrainian authorities, who subsequently opened an investigation.

This is not the first time a cloud service has been compromised for cryptomining. Earlier in May, researchers tracked a financially motivated hacker group attacking Amazon Web Services (AWS) accounts to set up illicit mining operations.

The attackers began their operation by finding publicly exposed AWS access credentials or hacking into services like GitLab to collect them.
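Because the campaign above started from credentials that had leaked into public places, the cheapest defence is to find such keys before an attacker does. The following is an added example, not code from the researchers or from AWS: a scanner for AWS credentials in text such as source files, CI logs or config. It relies on the documented shape of AWS keys (long-term access key IDs begin with "AKIA", temporary ones with "ASIA", followed by 16 uppercase alphanumerics; secret keys are 40 characters from the base64 alphabet) and uses a Shannon-entropy check to skip placeholder values. The sample input is constructed, and the keys in it are AWS's published example values, not live credentials.

```python
"""Scan text for exposed AWS access keys.

Added example, not from the article or the researchers it cites. The key
formats are AWS's documented ones; the sample input below is constructed
and uses AWS's published example key pair, which is not a live credential.
"""
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) access key IDs.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret keys carry no prefix, so require a nearby "aws ... secret" label,
# a separator, and exactly 40 base64-alphabet characters.
SECRET_RE = re.compile(
    r"""(?i)aws.{0,20}?secret.{0,20}?['"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)

# AWS's documented example credentials (not valid keys).
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
LOW_ENTROPY_PLACEHOLDER = "A" * 40

# Constructed sample file contents.
SAMPLE = f"""\
# constructed config; the keys below are AWS's example values, not real ones
export AWS_ACCESS_KEY_ID={EXAMPLE_ACCESS_KEY}
export AWS_SECRET_ACCESS_KEY={EXAMPLE_SECRET_KEY}
DB_HOST=localhost
aws_secret_access_key = {LOW_ENTROPY_PLACEHOLDER}
"""


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only the first and last four characters so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text, min_secret_entropy=4.0):
    """Return a list of (line_number, kind, redacted_value) findings.

    min_secret_entropy is an assumed cut-off: a genuine 40-character secret
    from a random source scores well above 4.0 bits/char, while placeholders
    such as "AAAA..." or "xxxx..." score near zero and are skipped.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((number, "access_key_id", redact(m.group(1))))
        for m in SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_secret_entropy:
                findings.append((number, "secret_access_key", redact(secret)))
    return findings


if __name__ == "__main__":
    for number, kind, value in find_aws_credentials(SAMPLE):
        print(f"line {number}: {kind} {value}")
```

Run it over a checkout with something like `git log -p | python scan.py` piped through `sys.stdin.read()`; history matters as much as the working tree, since a key that was committed and then removed is still exposed, and the only fix for a leaked key is to rotate it.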

Malicious hackers have other methods for abusing a target’s computing power for cryptomining. For example, attackers have distributed pirated versions of the video editing software Final Cut Pro to install cryptominers on individual Apple devices. Such malware has also been found inside JavaScript libraries uploaded to the official npm package repository.


Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
