The SecureMac Guide to Understanding Cryptocurrency and Cryptojacking

Laptop Image

You may have heard about the spike in “cryptojacking” malware for macOS. You know it’s a threat, and that it has something to do with cryptocurrency, but the details may be a little hazy.

This guide will give you enough technical background to cryptocurrency to understand how cryptojacking works — and how to keep yourself safe.

Let’s start with the basics. What is cryptojacking?

Cryptojacking is a fairly new phenomenon, but security researchers say that it's on the rise, and is quickly becoming one of the most prevalent digital threats.

CRYPTOJACKING

verb | to cryptojack

Definition of Cryptojacking
: The unauthorized use of other people’s computers in order to mine cryptocurrency. The term comes from the combination of "hijacking" and "cryptocurrency".

How is cryptojacking a threat to Mac users?

Cryptojacking malware can cause slowdowns, drain battery life, and degrade system performance.

Cryptojacking malware can tax a computer’s resources — in extreme cases, enough to cause permanent hardware damage.

Cryptojacking incentivizes bad actors to create malicious web pages, and to flood search engine results with bogus ads, making the Internet a more dangerous place overall.

Cryptojacking malware is profitable enough that there are now variants specifically targeted at macOS, making it a threat that affects all computer users.

Cryptocurrency vs traditional currency

To understand cryptojacking, you have to understand what cryptocurrency is. The best way to do this is by comparing it to traditional currency.

Similarities

  1. Cryptocurrency is, like traditional currency, a medium of exchange: You can use it to buy and sell goods and services.

  2. There are many cryptocurrencies (e.g. Bitcoin, Monero, Ethereum), just as there are many different currencies.

  3. Cryptocurrencies can be converted into other currencies, just like traditional currency. You can change bitcoin to ether, monero to euros, etc., just as you would change dollars to yen.

Differences

  1. Cryptocurrency “printing” is decentralized. Cryptocurrencies have no central issuing authority such as the reserve bank of a nation state.

  2. Cryptocurrency record-keeping is decentralized. Cryptocurrencies don’t require an institution to keep financial records or verify transactions in the same way that the banking industry does for traditional currency.

  3. Cryptocurrency cuts out the middleman. It allows for secure, tamper-proof financial transactions between individuals, all without the involvement of a government or trusted intermediary institution.

Why does cryptocurrency have value?

So why would anyone agree to ship a new iPhone in exchange for .12 bitcoin, or allow you to use their Airbnb rental for 10 monero per week? The simple answer is that cryptocurrencies have value because people believe that they do, and agree to accept them as payment for goods and services.

Depending on your economic and political views, this may strike you as quite similar to fiat currency.

Who keeps track of crypto transactions?

So, how can cryptocurrency networks keep records without a central authority like a bank?

The “crypto” in cryptocurrency refers to cryptography, and is the key to understanding how all of this is possible.

In traditional banking, if Person A requests a wire transfer of $20 to Person B, the bank checks Person A’s account to make sure they have sufficient funds, debits the money from their account, credits $20 to Person B’s account, and keeps a record of the transaction.

But how can this be accomplished when there is no bank?

The answer is something called a “distributed ledger”, which is exactly what it sounds like: a record of transactions (a ledger) which is not controlled by an institution, but instead is spread out (distributed) over a computer network and maintained by many different people.

Every node on the network has its own copy of the ledger, which is updated as new transactions are posted to the network. Anyone on the network can write a transaction and broadcast it for everyone else to see. If the transaction is determined to be valid, then the other network nodes will include it in their copies of the ledger (more on how a transaction is deemed valid or invalid below).

In other words, the network as a whole keeps track of how much money everyone has.

Packet Capture Sample
A sample flow of a regular ledger.
Packet Capture Sample
A sample flow of a distributed ledger.

How can crypto fraud be prevented?

As you may have noticed, there is a fundamental problem here. If anyone can write a transaction and broadcast it to the network, how can fraud be prevented? What’s to stop Person A from sending someone else’s money to themselves — for example, writing a transaction that says “Person B gives $100 to Person A” and then posting it to the network?

This is where cryptography comes in — specifically, a form of cryptography called “public key cryptography”.

In public key cryptography, a cryptographic algorithm generates a pair of very large, mathematically linked numbers: a public key and a private key. The public key can be given out freely; the private key must be kept secret.

Crucially, the algorithm used to create public–private key pairs is “one-way” only, meaning that even if you know someone’s public key, you won’t be able to figure out the private key linked to it — which is why it’s safe to give out your public key!

The fact that the two numbers are mathematically entwined means that the public key can be used to encrypt messages that only the corresponding private key can decrypt. This mathematical linkage also lets a sender digitally “sign” a message using their private key, so that other people can verify that they really sent the message.

If you want to check the validity of a given message, and you have both the public key and a digital signature, you can use a special algorithm to test whether or not the digital signature was created with the private key belonging to the public key that sent the message.

In cryptocurrency networks, public keys, or algorithmically shortened versions of public keys, are used as sender and receiver addresses in the transactions published to the network (people aren’t really sending messages that say “Person A”, or using their real names).

0bb430ec786c91782ae14acd1248b612e14beee4 sends $100 to 2e40f37563dc2ea081830cab1a7928b7b5ee2f7c
What a sample cryptocurrency transaction might look like

The transaction would also contain a digital signature which could only have been created with the private key corresponding to the public key being used as the sender address. In this way, everyone knows that the author of the transaction is actually the person who owns the sender address. If someone attempted to send an unsigned transaction to the network, none of the other nodes would accept it as valid, and it wouldn’t be included in their copies of the ledger.

Digital signatures also prevent senders from claiming that they didn’t intend to send the money, because they prove that the transaction originated from the person holding the sender’s private key: after all, no one else could have created the signature!

Security Tip: Be on the lookout for fake cryptocurrency exchanges, these are sometimes set up by criminals in order to fleece unsuspecting crypto enthusiasts. If you're going to use an online exchange, play it safe and stick to one of the reputable, well-known ones.

Who keeps track of crypto account balances?

You know how records are kept, and how fraudulent transactions are prevented. But what’s to stop someone from posting a transaction for more money than they have?

The short answer is that every single cryptocurrency transaction needs to reference past transactions, known as inputs, in order to prove that the sender has enough money to cover the desired transaction. Once a past transaction has been used as an input, it can never again be used for future transactions: Used inputs are effectively “spent”.

If someone attempts to send cryptocurrency, but the network can’t find past input transactions demonstrating that an equal or greater amount of cryptocurrency had previously been transferred to that sender, then the other nodes on the network will reject the transaction as invalid, and will not include it in their copy of the ledger.

In other words, if Person A wants to send $1000 to Person B, their transaction would have to reference never-before-used inputs demonstrating that they had, at some point in the past, received at least $1000. To offer a simplified example:

Input Diagram

This is how distributed ledgers keep track of how much money everyone has to spend. And in the end, this is all that cryptocurrency really is: a record of transactions between addresses.

Who decides which crypto transaction came first?

There is still one remaining technical issue to be explained: How can the nodes of a cryptocurrency network agree on the order of transactions?

It may seem like a small detail, but having an accurate and agreed-upon order of transactions is absolutely crucial if the system is to work. To understand why, consider what would happen if Person A had a balance of $1000, and then made two separate $1000 transactions, one to Person B, and another to Person C, at roughly the same time.

Transaction P Diagram
Transaction P
Transaction P Diagram
Transaction Q

These two transactions can't both be valid, because they reference the same inputs to demonstrate sufficient funds (remember, inputs can’t be reused). But cryptocurrency networks are made up of computers, and it takes time for information to propagate through any computer network. Given a large enough network, some of the nodes would see Transaction P first, and later consider Transaction Q invalid due to insufficient funds, while other nodes would receive Transaction Q first, and then refuse to confirm Transaction P.

This would result in conflicting versions of the ledger throughout the network. The different network nodes would have no way of determining which of the two transactions was in fact the valid one: which came "first". In practical terms, Person B or Person C could end up losing money if they’d shipped out an iPhone thinking that they had been paid, only to discover later that the payment transaction had been rejected by the network: the digital equivalent of a bounced check.

Cryptocurrency mining is the solution to the order of transactions problem, and is the final piece of the puzzle that will enable us to understand why hackers are trying to infect your computer with cryptojacking malware.

Security Tip: If you sell online, and you accept cryptocurrency, always wait for a transaction to be fully confirmed by the network before fulfilling an order. Some unscrupulous people will attempt to "double spend" their cryptocurrency, hoping to get some free goodies using funds that they don't actually have.

What is cryptomining?

Cryptocurrency mining, or cryptomining, is the process that determines the order of transactions in a cryptocurrency ledger. Here's how it works.

New transactions are being broadcast to a cryptocurrency network all the time. But they are considered “unconfirmed” until they are grouped together into a big bundle of valid transactions which is approved by other nodes on the network. If Person A sends you $1000 for your new iPhone, but your copy of the ledger shows the transaction as unconfirmed, then you know that no one else on the network recognizes that $1000 as yours yet, and you’d be wise to hold off on shipping until they do.

These bundles of transactions are called “blocks”. Each new block contains a reference to the block that came just before it. This links the new block to the previous block. That block contains a reference to the block that came before it. In this way, an ordered chain of blocks is established — a chain which stretches all the way back to the very first block ever broadcast to the network. This linked chain of blocks is called (you guessed it) a “blockchain”:

Blockchain Diagram

Every node on the network is constantly receiving new transactions which have not yet been grouped into a block. Everyone on the network can — if they want — bundle a bunch of these new transactions into a new block and then propose it to the rest of the network as the next block in the blockchain. People who choose to do this are called “cryptocurrency miners”.

If the block of transactions is accepted, all of the transactions in the new block are considered to have happened at the same time, and are considered “earlier” than transactions in subsequent blocks. If there is an unconfirmed transaction on the network that conflicts with the information contained in the new block, it won’t be included in any future block: it will be rejected.

To return to our earlier example, if Person A only had $1000, and sent a payment of $1000 to both Person B and Person C, then whichever of those two transactions made it into a valid block first would be considered the legitimate transaction, and the other one would be rejected by the cryptominers assembling subsequent blocks.

Why do cryptominers need to “solve math problems”?

In many popular introductions to cryptocurrency, the work of cryptominers is often described as “solving math problems”, and left at that. This can be a frustratingly vague “explanation” if you want to understand what miners are actually doing!

In order to see why “math problems” are needed in the first place, consider what would happen if everyone could propose new blocks of valid transactions at will. Different blocks would inevitably be added to the network at the same time — and if some of those blocks contained conflicting transactions, there would be no way for network nodes to know which block they should accept as “first”. In other words, we’d be right back at square one! For this reason, it’s necessary to slow down the block submission and validation process so that this doesn’t happen.

Cryptocurrency networks do this by intentionally complicating the process of adding a new block to the network: In addition to the block itself, the person proposing the block must also include the correct answer to a mathematical problem — a problem that requires a substantial amount of computer processing power to solve.

In other words, cryptocurrencies make it artificially difficult and resource-intensive to add a block to the network, which slows down the addition of new blocks and makes it extremely unlikely that two people will add a valid block at the same time.

What are hashing algorithms?

So far so good, but to understand the mathematical specifics of what cryptominers are doing, you need to know about the cryptographic tool that forms the basis of these math problems: cryptographic hashing algorithms.

There are various hashing algorithms, but one of the most common is SHA-256 (which also happens to be the one used by Bitcoin), so we’ll use this one in our examples.

There are five key things to know about the hashing algorithms used in cryptocurrency:

  1. Hashing algorithms are just functions

    Despite their seeming complexity, hashing algorithms are basically just mathematical functions. Their job is to take an input of any length and return a fixed-length output string. This string is called a “hash”, or a “hash value”. In the case of SHA-256, the length of the hash is 256 bits.

    % echo -n "I'm an example" | shasum -a 256
    31349e20e23c253ce270e29314aa9cf00371ba5a60c234403eb906264d2888d4
    If you run the phrase “I'm an example” through the algorithm, you get a 256-bit value of 31349e20e23c253ce270e29314aa9cf00371ba5a60c234403eb906264d2888d4

    No matter what input you give the SHA-256 hashing algorithm — a single letter, the first thousand digits of pi, the complete works of William Shakespeare — the output will always be a unique, 256-bit string.

  2. Hashing algorithms generate numbers

    The hash in the example above is actually a number, despite the letters. It’s just a number expressed in the hexadecimal system, instead of the decimal system that we’re more used to seeing. In the hexadecimal system, in addition to the 10 symbols of the decimal system (0-9), there are an additional 6 symbols (a-f). Thus each hex digit can express 16 possible values instead of 10. Once you realize that you’re looking at numbers, you can tell at a glance that 31349e20e23c253ce270e29314aa9cf00371ba5a60c234403eb906264d2888d4 is smaller than 41349e20e23c253ce270e29314aa9cf00371ba5a60c234403eb906264d2888d4 in the same way that you’d instantly know that 600 is smaller than 700.

    This will be important later on.

  3. Hashing algorithms generate HUGE numbers

    “All the grains of sand in the world” doesn’t even begin to express how large a 256-bit number is. Trying to guess an entire hash randomly would likely take millions of years, even working with the most powerful computers in existence.

    Even calculating a partial solution to a problem involving hashes takes a substantial amount of computing power.

    This, too, will turn out to be very important for cryptocurrency mining, as we will see.

  4. Hashing algorithms are one-way only

    You can’t “decrypt” a hash. To put it another way, if all you have is a hash value, there’s no way to figure out what input was used to generate it.

    Hashing algorithms are, however, perfectly consistent: Give SHA-256 the same input, and it will give you the same output every single time.

    This is why it takes so much work for cryptominers to find the solution required to add a new block to the blockchain, but only takes an instant for the other network nodes to check their answer.

  5. Hashing algorithms are sensitive to small changes

    The tiniest change in the input that you give to a hashing algorithm will result in a completely different output. This is significant in understanding what happens in cryptocurrency mining.

    % echo -n "I love Apple" | shasum -a 256
    10a2a5973a22c39627e8f2a3a00ee051242ba7d87058746a59b8eccc1a629f10

    % echo -n "I love apple" | shasum -a 256
    73b740f552dcd49ff98882cea5c8b5b1f80acce037bf55063027ca1598a583da
    The tiniest change in the input that you give to a hashing algorithm will result in a completely different output

What “math problems” do cryptominers solve?

In essence, cryptominers are just trying to guess an unknown number. This number is called a “nonce”.

The nonce is the number that will, when added to a new block of transactions, result in a hash of the entire block lower than a certain “target value”. A cryptocurrency network might express this by saying that any valid hash of a new block must begin with three zeros.

000f4941c171e1371dd68370500b2c0e8b99bfc8bbbbf302685f503b75f367
An example of a network requiring 000 as the designated nonce

Any number beginning with only two zeros would be considered “too large”, and so the nonce used to produce it would not be the correct answer to the problem.

And here is where the one-way nature and unpredictability of cryptographic hashing algorithms come into play. There is simply no way to logically determine which number to add to your block of transactions such that it will yield a hash beginning with three zeros. The only way to find the nonce you need is to start trying numbers at random: guessing. And because tiny variations in input create large, unpredictable changes in output, you can’t use the hashes generated by your wrong answers to get closer to the right one — you just have to keep guessing.

If the target value is fairly easy, as in the above example, it might be possible to use your computer to randomly guess the nonce quickly, because the likelihood of finding some hash beginning with three zeros isn’t that remote. But if the target value requires you to provide a hash with 15 leading zeros, then your chance of randomly guessing the nonce you need is far lower: The mathematical problem is much more difficult to solve.

Once someone finds a nonce that solves the problem, they can submit their proposed block to the network for verification. The other nodes on the network can use the hash of the block plus the nonce to check that the resulting hash value is below the target value (as mentioned above, this only takes a fraction of a second). If the block checks out, then it is accepted as the legitimate newest block in the chain, and is added to the node’s ledger.

Cryptocurrency networks adjust the difficulty of the mathematical problem required to add a new block to the network based on how much aggregate computing power is present on the network, not based on how much time it would take any one person to find the correct solution. This is done so that, on average, it will take the desired amount of time for the combined computing power of the entire network to mine a block: for someone to find the right answer by sheer luck. This varies from network to network: For example, Bitcoin tries to produce a new block every ten minutes; Monero, every two minutes. Cryptocurrency networks are looking for a happy medium: They want the problem to be hard enough that miners won’t be solving it at the same time, but easy enough that new blocks will be produced in a timely fashion and allow pending transactions to be confirmed without unnecessary delay.

How do people make money with cryptomining?

At this point, you may be wondering why anyone would want to spend their valuable computing resources to help determine the order of blockchain transactions. The answer is simple: financial reward.

If a cryptocurrency miner finds the nonce and their block is accepted by the other nodes on the network, they are entitled to add one extra transaction to the new block: the “block reward”. This is a special transaction declaring that some agreed-upon amount of cryptocurrency is credited to the miner who created the block.

The block reward doesn’t come from anyone else; in effect, it’s created “out of thin air” (which answers the question of how new cryptocurrency is “printed” without a government). In most cryptocurrencies, the block reward is lowered periodically in order to prevent inflation.

Security Tip: Crypto scams are big business for cybercriminals, so watch out for shady schemes that promise to "double your bitcoin". Never send cryptocurrency to an unknown wallet address, and remember that if it sounds too good to be true, it probably is.

This, then, is why cryptomining is called “mining”: Because similar to mining gold or silver, it is a way for a cryptocurrency miner to expend effort in order to generate income, in a way that affects the total amount of a valuable commodity in circulation.

Can anyone mine cryptocurrency?

Yes, but also no.

Because of the randomness involved in guessing the correct solution to the problem, cryptocurrency mining is sometimes compared to a lottery, or a race to solve a math problem. In one sense this is true, since luck is involved, and the first person with the correct answer wins! But in another sense, cryptomining isn’t really a fair contest, because the more computing power you have at your disposal, the more random guesses per second you can make, thus increasing your odds of finding the nonce before anyone else.

In the early days of Bitcoin mining, it was possible to mine with the CPU of an ordinary computer. But people soon caught on to the financial value of cryptomining, which triggered a kind of computational arms race among cryptominers.

At first miners used multiple CPUs working together to increase their computational power. They soon turned to the powerful graphical processing units (GPUs) used in video processing and gaming, which could produce far more hashes per second than CPUs could. In time, GPUs were supplanted by the ASIC, or “application specific integrated circuit”, an extremely powerful computer purpose-built for mining cryptocurrency.

CGMiner cryptomining
CGMiner crypytomining on 6 high-end GPUs

Cryptomining has become big business, with large mining organizations operating “mining farms” which are essentially warehouses full of ASICs working on a problem in tandem. At this point — for cryptocurrencies like Bitcoin anyway — no individual cryptominer could ever hope to compete with the computational power fielded by these large mining organizations.

But that’s not quite the end of the story, because “mining pools” have developed as a way for individuals to participate in cryptomining. As the name suggests, members contribute their resources to a common pool of computational power spread out over a network, allowing the mining pool as a whole to compete with other large mining organizations. If the pool successfully wins the block reward, the profits are shared among the members according to an agreed-upon system of distribution (proportionally to the computing power provided by the individual; using a “share” system; etc.). In addition to this, some cryptocurrencies are specifically engineered to prevent the use of ASIC devices in mining them, significantly leveling the playing field for people who want to mine those currencies.

How does cryptojacking actually work?

Cryptomining is a legitimate way to spend computational resources in order to make money. But of course, as the history of mining gold, silver, and diamonds shows us, there will always be unscrupulous people who want someone else to do all the hard work for them. And this, in effect, is what cryptojacking is.

In cryptojacking, hackers essentially use other people’s computers to create a cryptomining pool large enough to win a block reward — but without having to share that reward with the unwilling (and unwitting) pool members. They can do this in several ways.

Some cryptojacking schemes function “in-browser”: Hackers set up websites containing background scripts which, when run by your web browser, perform some of the computational work required to solve a cryptomining problem. The bad guys must trick victims into visiting these sites in order for this to work, ideally in large enough numbers to make it profitable. Interestingly, some legitimate organizations also use browser cryptomining as a funding source, as an alternative to advertising, but this is done through a system of opt-ins and informed consent. Browser-based cryptojacking, on the other hand, is distinguished from this by the fact that it’s done without the knowledge of the site visitor.

The other major form of cryptojacking is cryptojacking malware, which is on the rise and has variants specifically targeting macOS. Like any other kind of malware, cryptojacking malware first needs to infect a victim’s computer. Once on an infected machine, the malware runs almost invisibly in the background, stealing system resources and sending the results of its hashing activities back to a command and control server, which then coordinates the work of all of the infected machines in the hacker’s illicit mining pool.

How can I stay safe?

Cryptojacking uses the processing power of a victim’s computer. From a hacker’s perspective, the longer they can go on using your computer’s resources, the better — which is why they do everything they can to avoid being detected.

Luckily, there are a few basic steps you can take to protect yourself from cryptomining threats.

  1. Use extensions to stop in-browser attacks

    Popular ad blocking browser extensions such as AdBlock can be configured to block cryptomining scripts that may be hiding on the websites you visit. Firefox and Chrome users can make use of extensions like NoCoin and minerBlock, which are specifically designed to defend against browser-based cryptojacking.

  2. Use malware detection tools

    Cryptomining malware is built for stealth, and detecting it is not something most people can do on their own. For this reason, you should always use an effective, regularly updated third-party malware detection tool, such as MacScan. These tools will help you ferret out malicious cryptomining programs, including less obvious threats like the Potentially Unwanted Programs (PUPs) so common on macOS, which may also be engaged in covert cryptomining.

  3. Watch for suspicious behavior

    Always keep an eye out for unusual behavior on your system. Does your computer seem to be running more slowly than usual? Is your battery losing its charge more quickly than before? These can be signs that your computer is being forced to do extra computational work in the background, which can indicate a cryptojacking malware infection. If you notice these symptoms, you should use your malware detection tool to run a system scan immediately.

  4. Avoid likely sources of infection

    Of course, the best way to protect yourself from cryptojacking malware is pretty straightforward: Try not to get infected in the first place! Here, all the basic recommendations for digital security and privacy are applicable: Don’t visit shady websites; don’t download anything from an unknown source; be wary of clicking on links delivered by email; be careful when installing new browser extensions or “helper” apps; and always keep up with your OS updates.