Skip links

Purpleurchin cryptocurrency miners spotted scouring free GitHub, Heroku accounts

A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. GitHub, for one, forbids the mining of coins using its cloud resources.

The Sysdig Threat Research Team said at Kubecon this week it uncovered the activity, dubbed Purpleurchin. Specifically, the researchers found more than 30 GitHub, 2,000 Heroku, and 900 Buddy devops accounts – plus accounts with other cloud and continuous integration and deployment (CI/CD) service providers – being abused to quietly power Purpleurchin’s crypto-asset-generating operations.

While scouring cloud compute resources to mine coins isn’t a new tactic – and usually against the terms of service – the people behind this particular endeavor employed a number of sophisticated automation and obfuscation techniques, we’re told.

Sysdig estimated each of those 30 free GitHub accounts cost the Microsoft-owned giant $15 per month, and the free tier accounts from Heroku, Buddy and others cost providers between $7 and $10 per month. “At these rates, it would cost a provider more than $100,000 for a threat actor to mine one Monero (XMR),” Sysdig researcher Crystal Morin claimed. One XMR is worth $146 right now.

The service providers, of course, aren’t simply going to eat the unnecessary costs. They’ll pass them along to legitimate, paying customers, which means higher cloud computing prices all around, it’s suggested.

Plus, illicit mining operations gobbling up compute resources may also affect the performance of paying customers’ applications, which makes this nefarious activity doubly expensive for companies using these cloud services.

Purpleurchin may be in it for the coin, Morin suggested, though it is worth noting that the cryptocurrencies the gang currently mines – Tidecoin Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe and Bitweb – have low profit margins.

“We can say with a medium amount of confidence that the actor has been experimenting with different coins,” Morin added. So it’s possible that the criminals see this as a “low-risk, low-reward test” before they move on to Monero or Bitcoin, which are higher value but also more closely monitored by law enforcement.

It’s also possible that Purpleurchin is using its mining operations to prepare for a larger heist, in which they attack the underlying blockchain and steal millions of dollars worth of cryptocurrency.

“This large-scale operation could be a decoy for other nefarious activities,” Morin said, noting APT32‘s earlier cryptomining operations that allowed the cyberspies persistent network access for their espionage campaign.

How Purpleurchin evades detection

First, the crime gang uses more than 130 Docker Hub images – but only between two and six images receive updates at a time, which may prevent Docker Hub from blocking or scanning their activity.

Additionally, each GitHub repository is created and used within one or two days. “We also witnessed some of the repositories that were spawning Actions disappear,” Morin said. “This could be either GitHub taking down the nefarious accounts, or the actor deleting accounts as they hit the free-tier account limits.”

Plus, the linuxapp container – which acts as the command-and-control container and the stratum relay server, receiving connections from the mining agents – runs No Dev-Fee Stratum Proxy, an open-source stratum proxy software to avoid proxy fees.

To automate the workflow, Purpleurchin creates a GitHub account and repository and then executes a shell script, which executes GitHub Actions to run mining operations and tries to disguise these operations by naming them with random strings.

In Sysdig’s technical analysis, the script calls a nodejs file index.js to launch a Tidecoin miner that uses a CPU-based mining algorithm called yespower. This is notable, we’re told, because miners usually use XMRig downloaded straight from GitHub. Also, these are low-profit coins being mined.

“Our theory here is that the threat actor is choosing these coins based on the yespower algorithm because the mining process can be spawned from said nodejs parent, aiding in evading detection,” Morin wrote.

Purpleurchin has also found ways to bypass bot protections that service providers use to prevent the fraudulent creation of automatic accounts. These include using OpenVPN to ensure a different IP address for each account, a Brave web browser for registration, and a Python package called Wit for speech recognition of .wav audio files to let the miscreants take advantage of the CAPTCHA system’s audio option to pass the yes-I-am-a-human test.

While the robots do all the work, the people behind Purpleurchin cash in on the coin – albeit very slowly, at least for the time being. And the rest of us are left with the bill. ®