Biggest blow against botnets by Europol – Monero hashrate falls massively

With “Operation Endgame,” Europol attacked the so-called “droppers.” This could cause lasting damage to the ransomware infrastructure – but Monero mining is also likely to be affected.

Anyone who observed Monero’s hashrate could see something interesting at the end of May: It fell from 2.9 gigahash on May 29th to 1.78 gigahash on May 31st, losing more than a third within two days and is now at its lowest level in three years.

The reason for this unprecedented case could be found in The Hague, namely at Europol’s headquarters. This is where “Operation Endgame” took place between 27 and 29 May. It culminated in a strong blow against so-called “droppers”.

Droppers are malware. They infect other systems but do not cause any damage themselves. Instead, they serve as a Trojan horse for other malware, as their gateway. In the increasingly division of labor world of cybercrime, droppers generally do not use the access themselves, but sell it to other cybercriminals on the darknet.

In what Europol called the “largest operation ever against botnets,” numerous European police units worked together under the leadership of France, Germany and the Netherlands. In a concerted operation, they shut down more than 100 servers, confiscated more than 2,000 domains, searched 16 houses – 11 of them in Ukraine – and arrested four people – three of them in Ukraine. Ukraine was apparently an operational center for the droppers.

Operation Endgame took out numerous droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. These infected and opened other systems in their own ways. By taking out the droppers, Europol attacked an important cybercrime infrastructure, which could actually be a smart move to permanently inhibit the spread of malware.

Following the operation, eight cybercriminals are on the run and have been placed on the “Europe’s Most Wanted” list. During the investigation, Europol found that one of the main suspects earned at least 69 million euros in cryptocurrencies by renting the drop to ransomware hackers. “The suspect’s transactions are continuously monitored and the legal requirements to confiscate them in the future have already been met.”

According to Europol, the damage caused by the botnet infections in Europe amounts to several hundred million euros. The operation will continue, the police organization explains: There will be further arrests, and more droppers and botnets will be shut down.

Although the press release only mentions ransomware, it is quite conceivable that the droppers were also used for cryptojacking. Cryptojacking means that mining software is installed that works without the user’s knowledge or consent. Europol arrested a cryptojacker in Ukraine in January.

Because of its resistance to ASIC and GPU mining, Monero is particularly well suited for cryptojacking. The currency is not only lucrative to mine with the CPU – the only safely available and competitive component of infected systems – but also saves the effort of laundering the coins due to the standard anonymity of transactions. It was already known in 2018 that Monero is the preferred coin of cryptojackers.

It will be difficult for Europol to prove these activities, especially the proceeds from them, but the timing of the massive drop in Monero’s hashrate during Operation Endgame is far too fitting to be a coincidence.