Cryptojacking and Cryptocurrency Mining
A report from Google’s Cybersecurity Action Team in 2021 revealed that a staggering 86% of the compromised Google Cloud instances they examined were exploited for cryptocurrency mining. The report highlighted a relatively obscure cryptocurrency known as Chia. The practice of hijacking compromised systems to mine cryptocurrencies is termed cryptojacking. Various cryptocurrencies, such as Bitcoin, Ethereum, and Monero, utilize the processing power of computers through a method called “proof-of-work.” This article aims to delve into a different category of cryptocurrencies known as “proof-of-storage,” which relies on ample storage capacity rather than computational power. Chia is a notable example of this type of cryptocurrency, which has been detected in customer cloud infrastructures.
Understanding Cryptocurrency Valuations
It’s essential to note that this discussion will simplify many complex topics significantly, using pricing data and statistics relative to the time of writing. The total market capitalization of all cryptocurrencies hovers around $2 trillion, with Bitcoin accounting for nearly half of this figure. In contrast, the market cap for all proof-of-storage cryptocurrencies is less than 1% of the total, with Filecoin valued at $3.8 billion, Chia at $300 million, Signum at $3 million, and other coins like Arweave, Storj, and Siacoin valued under $1 million. While these coins may also be described using terms like “proof-of-space-time” or “proof-of-capacity,” we will refer to them collectively as “proof-of-storage” since they utilize extensive storage resources, such as hard drive space.
A Brief History of Cryptocurrencies
Bitcoin, the pioneer of cryptocurrencies, was introduced in 2009. The first proof-of-storage coin, Signum (originally known as Burstcoin), emerged in 2014, followed by Filecoin in the same year. Chia was developed in 2021 by the creator of the BitTorrent protocol. Many proof-of-storage cryptocurrencies provide actual data storage services for users. The miners in this ecosystem offer their available hard drive space to others, who then compensate them for utilizing that storage. Filecoin exemplifies this model, boasting 28 exabytes (EB) of storage, with only 2 EB currently in use. For context, one EB equals 1,000 petabytes (PB) or 1 million terabytes (TB).
Incentives and Penalties in Proof-of-Storage
To maintain data integrity, miners are required to make an upfront collateral payment and face penalties if they fail to respond to data requests promptly. This mechanism ensures that miners reliably store data and keep it accessible. For Filecoin, the minimum storage capacity miners must offer is around 11 TB, necessitating a collateral payment of roughly $500. Although some cryptocurrency aficionados may find this discussion overly simplified, the critical takeaway is that miners must invest some capital to start mining, and financial penalties are in place for negligence regarding data storage. This requirement makes it less appealing for cryptojackers, who typically have less control over the reliability of the resources they exploit.
The Unique Nature of Chia
Chia stands out among proof-of-storage coins as it does not involve the storage of useful data, meaning no initial collateral is required from miners. If a miner fails to store the expected data or does not respond to requests promptly, they simply forfeit their opportunity to earn profits. This characteristic makes Chia particularly attractive for cryptojackers, who may quickly lose access to their illicitly obtained resources once discovered.
Market Trends and Chia’s Price Decline
The interest in various cryptocurrencies often fluctuates with their market prices and the challenges associated with mining profitability. Chia’s price has plummeted significantly from approximately $1,500 in 2021 to around $33 today, which has dampened enthusiasm for this cryptocurrency. Nevertheless, due to the absence of initial financial requirements, Chia remains appealing for cryptojackers.
Challenges of Cloud Mining
Mining cryptocurrencies in cloud environments is generally not cost-effective, leading cloud service providers to prohibit such activities. However, cryptojackers do not concern themselves with the economics of mining or violations of service agreements. Proof-of-work mining can exploit any computing resources, including EC2 instances, containers, or Lambda, while proof-of-storage can target various storage solutions. For instance, there have been tutorials (which have since been removed) demonstrating how to mount an S3 bucket as a local filesystem on an EC2 instance for mining purposes.
Financial Implications of Chia Mining
Chia generates files that are 108 GB in size. Storing this volume of data on S3 incurs a cost of $2.48 per month, not including access fees, while the estimated earnings from mining would be merely $0.03 per month. This setup results in a net loss for anyone paying the cloud bill, but cryptojackers do not bear these costs. Although individual earnings may seem negligible, the potential for large-scale operations is significant. A cryptojacker could theoretically earn around $27,000 per month by utilizing 110 PB, resulting in a cloud bill of approximately $2.5 million monthly. Such activities could eventually disrupt the coin’s market price, although currently, Chia employs 33 EB of storage across all miners.
Storage Options and Cryptojacking Strategies
Various storage methods can be exploited in this context, so monitoring S3 expenses alone may not suffice. Interestingly, some discussions have surfaced online regarding attempts to leverage Filecoin storage to mine Chia, although this approach is not financially viable.
Increasing Awareness of Storage Exploitation
While considerable attention has focused on the misuse of computing power for cryptocurrency mining, less emphasis has been placed on the potential for storage abuse. In 2023, one online storage provider limited the amount of storage available in their “unlimited tier,” explicitly citing Chia mining as a contributing factor. As providers discontinue unlimited storage options, the question arises whether Chia mining is influencing these changes.
Unique Threats of Proof-of-Storage Cryptojacking
Proof-of-storage cryptojacking poses distinct challenges. Unlike compute resources, which can hit service quotas on platforms like AWS—requiring attackers to request limit increases—S3 buckets do not have similar constraints. Although there are limits on the creation of buckets, there are no limitations on the data volume that can be uploaded to a single bucket. On Azure, users can create up to 250 storage accounts per region, with a limit of 5 PB per account, allowing for significant storage utilization across the platform. Google Cloud Platform (GCP) appears to have no storage limitations.
Detection and Monitoring Strategies
The creation of AWS EC2 instances or other computing resources triggers CloudTrail events, making the detection of proof-of-work cryptojacking more straightforward. However, CloudTrail does not log data-level events for S3 by default, and certain data activities lack audit logs altogether. While the creation of S3 buckets does generate CloudTrail events, the use of existing resources may go unrecorded.
Detection strategies can include monitoring unexpected increases in costs. The binaries associated with cryptocurrency mining can be identified through static or runtime detection based on their hashes or content. Chia is an open-source initiative, and its binaries are accessible for download from their official GitHub repository. Related projects include chiapos, madmax, and bladebit. The large 108 GB storage files generated by Chia begin with the phrase “Proof of Space Plot.” Additionally, miners require port 8447 (TCP) to be open, so identifying this accessible port may indicate Chia mining activity. Network lookups to chia.net subdomains may also suggest the use of this cryptocurrency miner. Any signs of compromised users or resources warrant investigation. Customers utilizing Wiz can leverage built-in detections for Chia miners and check for any workloads with port 8447 open.
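The host-level indicators named above (the plot file header, a listener on TCP 8447, and lookups of chia.net subdomains) can be checked with a short script. This is an added example, not code from the original article or from the Chia project; the sample socket listing and hostnames are constructed, and the socket parser assumes `ss -ltn` style output.

```python
import os

PLOT_MAGIC = b"Proof of Space Plot"  # leading bytes of a plot file, per the article
CHIA_PORT = "8447"                   # TCP port the article says miners need open
CHIA_DOMAIN = "chia.net"

def find_plots(root):
    """Return files under root whose first bytes match the plot header.
    Only the header is read, so 108 GB files and renamed extensions are cheap."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and dangling symlinks
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(PLOT_MAGIC)) == PLOT_MAGIC:
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)

def listeners_on_chia_port(ss_output):
    """Parse `ss -ltn` style text; return local sockets listening on 8447."""
    hits = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "LISTEN" and f[3].rsplit(":", 1)[-1] == CHIA_PORT:
            hits.append(f[3])
    return hits

def chia_lookups(names):
    """Keep queried names that are chia.net or a true subdomain of it."""
    norm = (n.rstrip(".").lower() for n in names)
    return [n for n in norm if n == CHIA_DOMAIN or n.endswith("." + CHIA_DOMAIN)]

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    0.0.0.0:8447       0.0.0.0:*
LISTEN 0      100    [::]:18447         [::]:*"""
SAMPLE_DNS = ["node.example.chia.net.", "notchia.net", "chia.net.example.org"]

if __name__ == "__main__":
    print(listeners_on_chia_port(SAMPLE_SS))
    print(chia_lookups(SAMPLE_DNS))
    print(find_plots("."))
```

The port match compares the whole port field and the domain match requires a label boundary, so port 18447 and lookalike names such as notchia.net do not raise false alerts.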
Final Thoughts on Defending Against Cryptojacking
The use of storage space for cryptomining introduces unique challenges for cybersecurity defenders. Many defensive strategies against proof-of-work cryptomining can be adapted to address proof-of-storage cryptojacking as well. Although proof-of-storage cryptojacking is not as prevalent as its proof-of-work counterpart, it is still a threat that defenders should watch for.