[T5.1] Cryptomining
Detects cryptocurrency mining activities, mining binaries, and related resource abuse.
What It Detects
Cryptomining detection identifies skills that include or download cryptocurrency mining software, either as a primary function disguised as a legitimate tool or as a hidden payload embedded in an otherwise functional package. This covers bundled mining binaries, WebAssembly-based miners, mining pool connection strings, and code patterns that perform proof-of-work computations.
Why It Matters
Cryptomining is one of the most common monetization strategies in supply chain attacks. Unauthorized miners consume CPU, increase energy costs, degrade system performance, and often indicate a broader compromise — miners are frequently bundled with other malicious payloads. The financial incentive makes this a persistent and widespread threat.
Examples
- A skill bundles a UPX-packed XMRig binary renamed to `libcache.so` in its `vendor/` directory and executes it during the postinstall phase with a hardcoded Monero wallet address.
- A dependency includes a WebAssembly module that performs CryptoNight hashing in the background when imported, connecting to a mining pool via WebSocket under the guise of a “performance benchmark.”
- A skill downloads a mining binary from a CDN during installation, writes it to a temporary directory, and launches it as a background process with CPU affinity set to avoid detection by casual monitoring.
Severity & Impact
- Severity: HIGH to CRITICAL
- Score impact: -30 to -50 on the `code_execution` dimension
- Escalation: Any confirmed mining binary or mining pool connection is rated CRITICAL. Suspicious high-entropy binaries or unexplained CPU-intensive operations without confirmed mining indicators are rated HIGH. Cryptomining findings almost always compound with T2.2 (Process Spawning) and T1.1 (Direct Exfiltration), since miners must execute processes and connect to external pools.
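As an added illustration of the indicators this category looks for (pool connection strings, wallet addresses, miner strings, packed high-entropy binaries) and of the escalation rule above, here is a small Python scanner. It is example code written for this page, not the project's own detector. The pool-URL regex, the miner string list, the entropy threshold, the mapping of CRITICAL and HIGH to -50 and -30, and the constructed sample skill are all assumptions for illustration; the Monero address shape (95 base58 characters starting with 4 or 8) is the well-known public format.

```python
"""Example T5.1 scanner (added illustration, not the project's detector):
walk a skill directory, collect cryptomining indicators per file, then
apply the escalation rule: confirmed indicator -> CRITICAL, packed or
high-entropy binary alone -> HIGH."""
import math
import os
import re
import tempfile

# Constructed indicator set (assumption: not the project's real signatures).
POOL_URL_RE = re.compile(rb"stratum\+(?:tcp|ssl|tls)://[\w.\-]+:\d+", re.I)
# Monero primary address: '4' or '8' followed by 94 base58 characters.
MONERO_ADDR_RE = re.compile(rb"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_STRINGS = (b"xmrig", b"cryptonight", b"randomx", b"minerd", b"--donate-level")
UPX_MAGIC = b"UPX!"           # the UPX stub keeps this marker in its headers
ENTROPY_THRESHOLD = 7.2       # bits/byte; packed or encrypted data sits near 8.0
MIN_ENTROPY_SIZE = 1024       # entropy is meaningless on tiny files

CONFIRMED = {"mining_pool_url", "monero_wallet", "miner_string"}
SUSPICIOUS = {"upx_packed", "high_entropy"}
# Assumed score mapping inside the page's -30 to -50 range.
SCORE = {"CRITICAL": -50, "HIGH": -30, "NONE": 0}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_bytes(data: bytes) -> list[str]:
    """Return the indicator names found in one file's contents."""
    found = []
    if POOL_URL_RE.search(data):
        found.append("mining_pool_url")
    if MONERO_ADDR_RE.search(data):
        found.append("monero_wallet")
    if any(s in data.lower() for s in MINER_STRINGS):
        found.append("miner_string")
    if UPX_MAGIC in data[:4096]:
        found.append("upx_packed")
    if len(data) >= MIN_ENTROPY_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        found.append("high_entropy")
    return found


def scan_skill(root: str) -> dict[str, list[str]]:
    """Map each file (relative path) under root to its indicators, skipping clean files."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def rate(results: dict[str, list[str]]) -> tuple[str, int]:
    """Escalation rule from the Severity section, plus the assumed score impact."""
    all_hits = set().union(*results.values())
    if all_hits & CONFIRMED:
        severity = "CRITICAL"
    elif all_hits & SUSPICIOUS:
        severity = "HIGH"
    else:
        severity = "NONE"
    return severity, SCORE[severity]


def build_sample_skill() -> str:
    """Constructed skill tree mirroring the first example: a 'renamed' packed
    binary under vendor/ and a postinstall hook with a pool URL and wallet.
    The wallet and pool host are dummy values, not real identifiers."""
    root = tempfile.mkdtemp(prefix="skill-")
    os.makedirs(os.path.join(root, "vendor"))
    # UPX marker followed by a maximal-entropy payload (all 256 byte values, 16 times).
    with open(os.path.join(root, "vendor", "libcache.so"), "wb") as fh:
        fh.write(UPX_MAGIC + bytes(range(256)) * 16)
    dummy_wallet = "4" + "9" * 94
    with open(os.path.join(root, "postinstall.sh"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed sample, not a working hook\n"
                 f"POOL=stratum+tcp://pool.invalid:3333\nWALLET={dummy_wallet}\n")
    return root


if __name__ == "__main__":
    findings = scan_skill(build_sample_skill())
    for path, hits in findings.items():
        print(f"{path}: {', '.join(hits)}")
    print("rating:", rate(findings))
```

The two-tier rule matters in practice: a packed, high-entropy `.so` alone is only circumstantial (legitimate packers exist), so it stays HIGH for a human to review, while a pool URL or wallet address is direct evidence and escalates to CRITICAL regardless of what else is in the package.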
Remediation
Skills must not include cryptocurrency mining software or any code that performs proof-of-work computations. Do not bundle compiled binaries that are not directly related to the skill’s declared functionality. Avoid including high-entropy packed executables as dependencies. If a skill legitimately requires CPU-intensive computation (such as machine learning inference or image processing), document it clearly in the manifest and ensure the workload is proportional to the declared task. Any bundled binaries should be buildable from auditable source code.