BitcoinBlog.de – the blog for Bitcoin and other virtual currencies

Europol’s massive blow against botnets – Monero hashrate drops significantly

Europol's main building in The Hague. Source: image gallery on Europol's website.

With “Operation Endgame,” Europol targeted the so-called “Droppers.” This could permanently damage the infrastructure of ransomware – but it might also affect Monero mining.

Anyone observing the hashrate of Monero noticed something interesting at the end of May: it dropped from 2.9 gigahash on May 29 to 1.78 gigahash on May 31, losing more than a third within two days and reaching its lowest point in three years.

The reason for this unprecedented drop could be located in The Hague, specifically at the headquarters of Europol. Between May 27 and May 29, “Operation Endgame” took place there, culminating in a significant blow against the so-called “Droppers.”

Hashrate of Monero according to coinwarz.com

Droppers are a form of malware. They infect other systems but do not cause damage themselves; rather, they serve as a Trojan horse for other malware, acting as their entry point. In the increasingly compartmentalized world of cybercrime, droppers usually do not use the access themselves but sell it on the darknet to other cybercriminals.

In what Europol calls the “largest ever operation against botnets,” numerous European police units, led by France, Germany, and the Netherlands, collaborated. In a concerted effort, they took down more than 100 servers, confiscated more than 2000 domains, searched 16 houses – 11 of which were in Ukraine – and arrested four individuals, three of them in Ukraine. Apparently, Ukraine was an operational center for Droppers.

“Operation Endgame” took down numerous droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. These malware types infected and opened other systems in their unique ways. By targeting the droppers, Europol struck a critical infrastructure of cybercrime, which could be a smart move to sustainably halt the spread of malware.

Following the operation, eight cybercriminals are on the run and have been added to the “Europe’s Most Wanted” list. In the course of the investigations, Europol found out that one of the prime suspects earned at least 69 million euros in cryptocurrencies by renting out the dropper to ransomware hackers. “The suspect’s transactions are being monitored continuously, and the legal prerequisites to confiscate them in the future have already been fulfilled.”

The damage caused by infections from the botnet amounts to several hundred million euros in Europe, according to Europol. The operation, the police organization explains, is ongoing: there will be more arrests, and more droppers and botnets will be taken down.

The press release mentions only ransomware, but it is highly conceivable that cryptojacking was also conducted via the droppers. Cryptojacking means installing mining software that works without the user’s knowledge or consent. Already in January, Europol had arrested a cryptojacker in Ukraine.

Due to its resistance to ASIC and GPU mining, Monero is particularly suitable for cryptojacking. The currency is not only lucrative to mine with the CPU – the only reliably available and competitive component of infected systems – but also spares the effort of laundering the coins due to the default anonymity of transactions. As early as 2018, it became known that Monero was the preferred coin of cryptojackers.

It might not be easy for Europol to prove these activities, especially the income generated through them. However, the timing of the significant drop in Monero’s hashrate coinciding with Operation Endgame is too fitting to be just a coincidence.
