Yahoo hack turned millions of users into unwitting Bitcoin miners

Hackers who used vulnerabilities on Yahoo’s website to install viruses on millions of computers last week likely used the infected systems to mine Bitcoin.

Giora Engel, founder of cybersecurity firm Light Cyber told the BBC that the compromised machines were used to effectively manufacture a network with massive amounts of computing power for the purpose of creating new units of the virtual currency, which went directly into the perpetrators’ pockets. “The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way,” Engel explained.

Unlike traditional currencies, which are issued by governments, there is no centralized authority minting bitcoins. Instead, they are created through a process called mining, where computers connected to the global Bitcoin network attempt to solve increasingly complicated mathematical equations whose solutions function as a record of recent Bitcoin transactions. These transactions are then entered into the public record, and the miners are rewarded with new bitcoins. 

However, as more people have gotten into Bitcoin mining, it has become increasingly difficult to gain a share of the new bitcoins, which are created at a predetermined set rate. Hence, an arms race has developed, with miners devoting ever more resources toward creating new bitcoins in hopes to grow the size of their haul.

Enterprising hackers, such as the ones who perpetrated the Yahoo attack, have turned to installing software on the systems of the unwitting victims—who then have some of their computing power secretly devoted to mining. While dedicating a portion of the power of a typical home computer to the task would only generate the equivalent of a few pennies per year, installing the malware on millions of computers would produce some serious money.

As the price of Bitcoin has soared, so has the prevalence of this type of Bitcoin mining botnet. Last year, an eSports gaming services company was caught covertly installing Bitcoin mining software on its users’ computers.

The attack on, currently the fourth-most-visited website on the planet, worked by infiltrating site’s ad network. The hackers made it so ads displayed on the site would direct users to an online location that installed malware on their computers.

Details of the hack were first made public in a blog post by Dutch security consulting firm Fox-IT. In the post, Fox-IT estimated the site was spreading malware to users at a rate of 27,000 per hour, with the majority of infections occurring in France, Great Britain, and Romania.

“Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected,” a Yahoo spokesperson said in a statement that noted the site was spreading malware during a period stretching from Dec. 31, 2013, to Jan. 3 of this year. “Additionally, users using Macs and mobile devices were not affected.”

The company has not publicly released how many computers were infected, but some reports have speculated it was as many as 2 million.

Photo by fdcomite/Flickr

Aaron Sankin

Aaron Sankin

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.