Banbreach managed to track Internet traffic and detect all devices on the Internet with public IP addresses, which made it possible to examine traffic passing through routers.
In the course of its research, Banbreach grouped populated areas of India into three categories from most to least dense. According to the report, 45 percent of the infected routers in India are in the least densely populated areas.
#Cryptojacking in #India: Nearly 30,000 #MikroTik routers in India are infected with #Coinhive. Here's what it looks like today via two different search engines. (h/t @bad_packets for finding this originally) pic.twitter.com/ue9klBY0kS
— Banbreach (@Banbreach) October 5, 2018
“For the top three cities with the most infected routers, the growth has been 500 percent.”
Vipin Nathaw, a security enthusiast from Mumbai, tweeted that he “found the same thing in the router provided by [his] Internet service provider (ISP) a couple of days ago. Probably all the routers used by them are infected and outdated.”
While CoinHive is not inherently malicious code (charities have employed it and analogs like it), it has become popular among hackers for cryptojacking: illicitly mining cryptocurrency on web surfers’ computers. Its code uses part or all of the computing power of a browser to mine the altcoin Monero (XMR).
Related research reportedly suggests that all machines “infected” with CoinHive together generate over $250,000 in XMR every month.
A study conducted in June found that XMR has an “incredible monopoly” on the cryptocurrencies targeted by malware. $175 million of Monero — around 5 percent of all XMR in circulation at the time of the report — had been mined maliciously.