Report Finds Big Losses for Cryptojacking Victims

According to a new report from Sysdig, the unified leader in cloud containers and security, it costs $430,000 in cloud accounts for an attacker to generate $8,100 in cryptocurrency revenue. The report confirms that cryptojacking remains a primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. Using honeynets around the world, Sysdig’s Threat Research Team (Sysdig TRT) has extensively analyzed TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions about TeamTNT, the explosion of malicious payloads on Docker Hub and the increase in DDos attacks after the start of the Russian/Ukraine war.

The rapid shift to containers and the cloud has increased opportunities for attackers to steal data, seize assets, and gain illicit network access. It’s clear that container images have become a real attack vector rather than a theoretical risk.

Main conclusions

  • Attacks on the container supply chain spawn cryptominers. Cryptomining is the most common result of cloud and container-based engagements. Attackers are filling public repositories such as Docker Hub with dangerous container images that contain cryptominers, backdoors and many other unwanted surprises, often disguised as legitimate popular software. 36% of malicious Docker Hub images contain cryptominers. Embedded secrets are the second most prevalent, which highlights the persistent challenges of secret management.
  • Attackers earn $1 for every $53 charged to a victim. TeamTNT is a notorious cloud-targeted threat actor that generates most of its criminal profits through cryptojacking. Sysdig TRT assigned over $8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing victims over $430,000. The full impact of TeamTNT and similar entities is unknown, but at $1 in profit for every $53 charged to the victim, the damage to cloud users is extensive.
  • DDoS attacks arise during conflict. The conflict between Russia and Ukraine includes a cyberwarfare component with government-backed threat actors and civilian hacktivists taking sides. The goals of disrupting IT infrastructure and utilities led to a fourfold increase in DDoS attacks between 4Q21 and 1Q22.
  • Cybercriminals take sides, enabled by civilian volunteers. More than 150,000 volunteers have joined anti-Russia DDoS campaigns using Docker Hub container images. Threat actors target anyone they perceive as sympathetic to their opponent, and any unsecured infrastructure is targeted to leverage attack scaling.

what people are saying

“Security teams can no longer be lulled into the idea that ‘containers are too new or too ephemeral for threat actors to worry about,’” said Stefano Chierici, senior security researcher at Sysdig and co-author of the report. “The attackers are in the cloud and they are getting real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.”

“The Ukrainian government has globally crowdsourced its cyberwarfare efforts. This was unprecedented, but it shows that digital transformation has extended far beyond classic IT use cases,” said Michael Clark, director of threat research and co-author of the report. “Willing and reluctant participants have contributed their infrastructure to DDoS outages.”


About Sysdig

Sysdig is leading the cloud and container security standard. The company pioneered cloud-native runtime threat detection and response, creating Falco and Sysdig-oss as open source standards and key building blocks of the Sysdig platform. With the platform, teams can find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions, and compliance. From containers and Kubernetes to cloud services, teams get a single view of risk from origin to execution, with no blind spots, guesswork, or black boxes. The world’s largest and most innovative companies trust Sysdig.

Leave a Comment