Stealthy crypto miners loot altcoins with GitHub trial accounts

Listen to this article.

A mysterious automated crypto mining operation has been caught using more than 30 free GitHub accounts to produce a raft of obscure tokens in a suspected dry run before it turns its attention to more well-known currencies.

According to a report from The Register, the operation, dubbed Purpleurchin, has been using the GitHub accounts, alongside more than 2,000 Heroku and 900 Buddy devops accounts to power its mining efforts.

The tactic is called “freejacking,” and involves taking over the computing power allocated for free trial accounts on continuous integration and deployment (CI/CD) service platforms.

Researchers say the team responsible has so far only mined a handful of little-known tokens, including Sugarchain, Tidecoin Onyx, Yenten, Sprint, and Bitweb, and as such will only have seen very low profit margins.

However, it’s suspected that they’re just warming up and using the relatively small-scale scheme as a smokescreen for something far more lucrative — possibly even an attack on the underlying blockchain that could, in theory, net millions in bitcoin or monero.

“We can say with a medium amount of confidence that the actor has been experimenting with different coins,” researchers told The Register (our emphasis).

“This large-scale operation could be a decoy for other nefarious activities.”

Read more: This Bitcoin Core update will protect full node operators from hacks

Purpleurchin’s plot could leave real users out of pocket

Despite providers like GitHub using a number of tactics — including increasingly complicated CAPTCHA forms and requiring credit card information — to combat attacks like these, this team is thought to be particularly sophisticated.

According to researchers, each of the free GitHub accounts is costing the platform’s owner, Microsoft, $15 per month, with the free accounts from Heroku and Buddy costing around $10.

“At these rates, it would cost a provider more than $100,000 for a threat actor to mine one monero (XMR),” experts told The Register.

Unfortunately, for legit cloud service users, these costs will likely be passed onto them by GitHub et al. to cover the shortfall at their end. Illegal mining operations could also take up resources that reduce the performance afforded to paying customers.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.