Cybercriminals are pivoting their attack strategies based on profit calculations, abandoning traditional ransomware and malware in favor of stealthier coin-mining operations that hijack computing resources without triggering suspicion. This shift reflects a calculated reassessment of what generates returns, according to new research from IBM's security division.
The unauthorized installation of cryptocurrency miners on victim systems—known as cryptojacking—represents a low-friction method for attackers to siphon processing power. Victims experience degraded device performance, elevated electricity consumption, and potential hardware damage from sustained high-CPU operation, all without realizing their machines have been compromised.
IBM's latest annual threat assessment reveals that cryptojacking incidents surged dramatically in 2018, nearly doubling the frequency of ransomware campaigns during the same period. The economic incentive driving this trend is apparent: as digital assets like Bitcoin climbed toward $20,000 through 2018, the mathematics of illicit coin production became increasingly attractive.
"Attackers follow money," explained Wendi Whitmore, who leads IBM's X-Force Threat Intelligence group. "When we observe declining malware deployment, diminishing ransomware activity, and rising targeted operations, it points to a single driver—criminals maximizing their earnings. Despite 11.7 billion records compromised or exposed during the preceding three years, extracting value from stolen personal information demands expertise and infrastructure. Instead, threat actors are exploring alternative monetization strategies. Computing power has emerged as a commodity of choice, creating opportunities to quietly repurpose corporate infrastructure and personal machines for digital currency generation."
Malicious actors are engineering increasingly sophisticated variants of coin-mining code designed to penetrate both enterprise environments and individual systems. These programs incorporate advanced evasion techniques to broaden infection scope and extend their duration undetected.
Geopolitical circumstances have intensified certain actors' interest in this vector. Nations facing isolation through economic measures—particularly those in Eastern Europe and North Korea—view algorithmic currency generation as a revenue stream. North Korea, constrained by international penalties related to nuclear developments, directed computational resources toward blockchain mining throughout 2018. A prominent academic institution within the country was identified mining Monero, the privacy-focused digital asset, during early 2018.
North Korea's cybercriminal apparatus, however, continues pursuing more direct acquisition methods. The notorious Lazarus Group, a state-linked hacking collective, successfully penetrated five cryptocurrency trading platforms across 2017 and 2018, extracting approximately $571 million in digital holdings, according to an analysis released by Group-IB in October 2018. The same group previously orchestrated an $81 million theft from Bangladesh's central banking system in 2016.