Hackers are cashing in on Zcash.
Image: Flickr/Farhan Perdana (Blek)
Zcash is a new virtual currency that claims to be more anonymous than bitcoin, and has garnered interest from academics, investors, and criminals. Perhaps thanks to the latter group, hackers are allegedly installing software on unsuspecting users' computers that forces them to mine Zcash for the hackers' own profit.
The mining software is distributed via links for things like pirated software, according to a blog posted on Monday by Kaspersky Lab security researcher Aleks Gostev. Once installed, it forces a person's computer to mine Zcash—basically solving math problems for a reward in the currency—and funnels the funds back to the attacker. According to Gostev, around 1,000 possibly infected computers have been identified. This many zombie computers mining Zcash could generate as much as $75,000 a year in income, Gostev wrote.
"Downloading mining software to a PC doesn't necessarily have severe consequences for a user's data," Gostev wrote me in an email. "However, it does have the effect of increasing the energy consumption level of their machine, which results in more expensive electricity bills."
"Another consequence is a heavy load on the PC's RAM, because mining software consumes up to 90% of available memory," he continued, "which leads to a significant performance slowdown."
According to Zooko Wilcox, founder and CEO of Zcash, the most users can do at this point is protect themselves.
"Unfortunately, we have no way to prevent this kind of thing, since Zcash is an open source network, like Bitcoin, that nobody (including us) controls," Wilcox wrote me in an email. "Our recommendation to security companies that detect this kind of activity, like Kaspersky, is that their software should alert users when potentially malicious software (like that described in their blog post) is detected, and give the user the option of shutting it down or, if it was deliberately installed by the user, allowing it to run."
This sort of thing isn't unique in the world of virtual currencies. Bitcoin, for its part, has seen a number of botnet mining pools over the past several years. Even some bitcoin alternatives, like Dogecoin, have been fertile grounds for similar attacks. Botnet mining on these currencies has mostly died out because they were designed so that mining difficulty increases over time and the rewards continually diminish. In this situation, even an army of regular PCs can't compete with the specialized hardware employed by big-business miners, known as ASICs.
Wilcox contended in an email that it's incorrect to describe non-consensual Zcash mining as a "botnet," writing, "A botnet is where you have a controller that can deploy software automatically to a large number of compromised machines."
The potential difference for Zcash, however, is that the currency is touted by its creators as being resistant to the use of ASICs, making mining with plebeian hardware a profitable approach over the long-term. Zcash could theoretically be mined on a smartphone. This may make Zcash mining less resource-intensive and thus more decentralized, but, somewhat ironically, it may also have the unintended side effect of making botnet mining a consistently attractive option, despite diminishing returns.
"It would just mean that more honest miners would pay for electricity and make less profit"
However, according to Marco Krohn, Chief Financial Officer at cryptocurrency mining firm Genesis Mining, the current state of botnet mining on Zcash as described by Kaspersky's Gostev isn't of much concern. Only if a botnet manages to infect 250,000 computers, exceeding 10 percent of the whole network's mining power, Krohn said, would miners see any effects.
"Even if a Botnet did start mining Zcash on that scale it would likely not be much of a problem for the currency as a whole," Krohn wrote in an emailed statement. "It would just mean that more honest miners would pay for electricity and make less profit."
But while bigger electricity bills aren't a problem for professional miners, the average person might not appreciate the financial strain. According to Gostev, users should check their security software to make sure blocks legitimate software from being used for malicious purposes, which might be disabled by default.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.
Update: This article has been updated with comment from Zcash CEO Zooko Wilcox.
Correction: A previous version of this article referred to the distributed software as "malware," but it is more correct to refer to it simply as "mining software." This article has been updated to reflect this.