Ukrainian arrested for infecting US cloud provider with cryptomining malware

A Ukrainian national was arrested last week for allegedly infecting the servers of “a well-known” American cloud service provider with a cryptomining malware, according to Ukrainian police.

A 29-year-old hacker from the southern city of Mykolaiv is believed to have illicitly mined over $2 million in cryptocurrency over the past two years.

The police said they searched the suspect’s three properties, seizing his computer equipment, bank cards and other electronic devices to collect evidence.

The hacker’s arrest in early January followed “months of collaboration” between Ukrainian authorities, Europol, and the cloud provider affected by the scheme. Authorities didn’t name the affected cloud company, but Ukraine’s police said it’s a well-known American firm.

The unauthorized use of cloud computing resources is one of several ways cybercriminals can illicitly mine digital coins.

“By stealing cloud resources to mine cryptocurrencies, the criminals can avoid paying for the necessary servers and power, the cost of which typically outweighs the profits,” Europol said. “The compromised account holders are left with huge cloud bills.”

Starting in 2021, the suspect infected the servers of “one of the world's largest e-commerce companies” by hacking 1,500 accounts of a subsidiary, the police said. The attacker used self-developed software for an automatic password-testing method known as a brute force attack.

Using compromised accounts, the hacker gained remote access to the targeted system and then infected it with cryptomining malware. He used more than a million virtual computers to run the malware, police said.

The affected cloud provider approached Europol in January 2023 with information regarding compromised cloud user accounts. Europol shared this information with Ukrainian authorities, who subsequently opened an investigation.

This is not the first time a cloud service has been compromised for cryptomining. Earlier in May, researchers tracked a financially motivated hacker group attacking Amazon Web Services (AWS) accounts to set up illicit mining operations.

The attackers began their operation by finding publicly exposed AWS access credentials or hacking into services like GitLab to collect them.

Malicious hackers also have other methods for abusing a target's computing power for cryptomining. For example, they once distributed pirated versions of video editing software Final Cut Pro to install cryptominers on individual Apple devices. Such malware also has been found inside JavaScript libraries uploaded on the official npm package repository.