Government of Egypt Found Cryptojacking Its Citizens

Mar 11 2018

While there have been cases where government employees made use of their work computers to mine cryptocurrencies, the reverse situation has now emerged in Egypt. It has recently come to light that the government of Egypt, or government-affiliated organizations, are using the computers of Egyptian citizens to mine cryptocurrencies.

This was spotted in a report from the University of Toronto in Canada, which states that the Egyptian government (or an affiliated organization) has infiltrated the computers of Egyptian citizens ‘en masse’ and is mining cryptocurrencies without the permission or knowledge of those citizens. The University stated that the technique the government has used is very complex, making the mining operations nearly undetectable.

Here’s a report from QZ explaining the process used by these organizations towards making the citizens mine cryptocurrencies for them: Researchers at the university’s Citizen Lab identified a scheme they call “AdHose” that secretly redirects Egyptian internet users’ web traffic to malware that used their computers to mine the Monero cryptocurrency or display ads. AdHose relies on hardware installed within the networks of Telecom Egypt.

All the cryptocurrency mining is being done by Coinhive, the cryptocurrency mining script notoriously known for cryptojacking activities. Over 5700 devices were found to be affected by AdHose in January. Two methods were being used under the AdHose technique: ‘Spray’ and ‘Trickle’. Under the ‘Spray’ method, websites would redirect users to an ad network running the Coinhive script. The other method is the ‘Trickle’ method, where many popular websites in the nation, including CopticPope.org, formerly a religious website, and Babylon-X.com, a porn site, were mining Monero on the PCs of their visitors.

“On a number of occasions, the middleboxes were apparently being used to hijack Egyptian internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts,” the report said.
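The two behaviours described above, a plain-HTTP request bounced to another host (‘Spray’) and a mining script embedded in the page itself (‘Trickle’), are what a network defender would look for in captured traffic. The following is an added triage example written for this article, not code from Citizen Lab or from the report; the Coinhive indicators (the script file name coinhive.min.js and the CoinHive.Anonymous entry point) are the miner's public interface, the hostnames and responses are constructed samples, and the cross-host redirect rule is a heuristic that legitimate sites also trigger.

```python
import re
from urllib.parse import urlparse

# Indicators of the Coinhive browser miner: its public script file name and the
# JavaScript constructor pages call to start mining. Extend with your own list.
MINER_PATTERNS = [
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.Anonymous\s*\(", re.I),
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def inspect_response(requested_url, status, headers, body):
    """Triage one unencrypted HTTP response; return a list of (kind, detail).

    'spray_redirect'      : a 3xx that sends the browser to a different host than
                            the one requested. Legitimate sites do this too, so
                            treat it as a lead to verify, not as proof of injection.
    'trickle_miner_script': a known mining script referenced in the page body.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 300 <= status < 400:
        location = hdrs.get("location", "")
        if location and _host(location) != _host(requested_url):
            findings.append(("spray_redirect", location))
    for pat in MINER_PATTERNS:
        m = pat.search(body)
        if m:
            findings.append(("trickle_miner_script", m.group(0)))
    return findings


# Constructed sample responses (hypothetical hosts), not captures from the report.
SAMPLES = {
    "clean": ("http://news.example/", 200, {"Content-Type": "text/html"},
              "<html><body><h1>Headlines</h1></body></html>"),
    "spray": ("http://news.example/", 302,
              {"Location": "http://ads.example.net/?ref=abc"}, ""),
    "trickle": ("http://site.example/", 200, {"Content-Type": "text/html"},
                '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                '<script>new CoinHive.Anonymous("SITE_KEY").start();</script>'),
}


def run_samples():
    return {name: inspect_response(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "no findings")
```

Comparing the body fetched over plain HTTP with the same page fetched over HTTPS is the usual next step, since an in-path middlebox cannot alter the encrypted copy.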

The hardware through which AdHose has been imposed on users can also act as a censorship tool. It is being used in the country to block websites such as Al-Jazeera and international human rights websites. Similar setups are also being used in Turkey and Syria, where, instead of cryptocurrency mining, these ad networks are injecting spyware into users' computers.

The Coinhive script being used to mine Monero here has been seen several times before. Most notoriously, a YouTube ad injected with the Coinhive script was mining cryptocurrencies on the PCs of viewers. Certain leading Indian news websites were also found to be injected with this script. A recent report has shown that close to 50,000 websites are affected by these mining scripts.

This is a serious issue, and there needs to be more awareness of it. Researchers have been looking at how oppressive governments make use of malware and spyware to deny users access to certain websites, but this is perhaps the first time that state-sponsored cryptocurrency mining malware has been used.
