Ukrainian arrested for infecting US cloud provider with cryptomining malware


A Ukrainian national was arrested last week for allegedly infecting the servers of a “famous” US cloud service provider with cryptomining malware, according to Ukrainian police.

A 29-year-old hacker from the southern city of Mykolaiv is believed to have illegally mined more than $2 million in cryptocurrency over the past two years.

Police said they searched the suspect’s three properties, seizing his computer equipment, bank cards and other electronic devices to gather evidence.

The hacker’s arrest in early January followed “months of collaboration” between Ukrainian authorities, Europol and the affected cloud provider. Authorities did not name the cloud company, but Ukrainian police said it was a well-known American company.

Unauthorized use of cloud computing resources is one of the many ways cybercriminals can illegally mine digital coins.

“By stealing cloud resources to mine cryptocurrencies, criminals can avoid paying for the necessary servers and energy, the cost of which typically exceeds the profits,” Europol said. “Compromised account holders are left with huge cloud bills.”

As early as 2021, the suspect infected the servers of “one of the largest e-commerce companies in the world” by hacking into 1,500 accounts of a subsidiary, police said. The attacker used self-developed software to test passwords automatically, a method known as a brute-force attack.

Using compromised accounts, the hacker gained remote access to the targeted system and then infected it with cryptomining malware. He used more than a million virtual computers to run the malware, police said.

The affected cloud provider contacted Europol in January 2023 with information regarding the compromised cloud user accounts. Europol shared this information with Ukrainian authorities, who then opened an investigation.

This is not the first time a cloud service has been compromised for cryptomining. Earlier in May, researchers tracked a group of money-motivated hackers attacking Amazon Web Services (AWS) accounts to set up illicit mining operations.

The attackers began their operation by finding publicly exposed AWS access credentials or hacking services like GitLab to collect them.

Malicious hackers also have other methods to abuse a target’s computing power for cryptomining purposes. For example, they once distributed hacked versions of the Final Cut Pro video editing software to install cryptominers on individual Apple devices. Such malware has also been found in JavaScript libraries uploaded to the official npm package repository.


Daryna Antoniuk

Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.
