In brief

  • A new report from cybersecurity firm Sophos details a new variant of the Tor2Mine malware.
  • The malware installs a Monero crypto-miner that is more aggressive than previous variants.

We know, we know: Your blockchain is unassailable. But you still need to update your antivirus software. Otherwise, this Monero miner could eat into your network.

In a new report released today by cybersecurity firm Sophos, which boasts over 500,000 businesses as customers, says a new variant of the Tor2Mine crypto-miner is infecting company networks to mine Monero (XMR), a popular privacy coin known for being hard to trace.

“All of the miners we’ve seen recently are Monero miners,” Sophos threat researcher Sean Gallagher, who authored the report, told Decrypt in a phone interview.

According to Gallagher, the malware looks for holes in a network’s security, generally in the form of systems that have not had their security features—including antivirus and anti-malware software—updated or patched. Once installed on a server or computer, the malware will look for other systems to install its crypto-miner for maximum profit.


Hacks remain a real concern for DAOs and DeFi projects, which are vulnerable to more than just smart contract exploits. Yesterday, Decrypt reported BadgerDAO was hacked for $120 million in a front-end exploit, according to the cybersecurity firm PeckShield.

“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures,” Gallagher said in a press release. “Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network, even after the command-and-control server for the miner has been blocked or goes offline.”

In other words, Tor2Mine quickly spreads to every other system on a network, installing the crypto-miner where it can—and it's not easy to remove.


Because they generate less revenue than other attacks, like ransomware, mining malware applications need to infect as many systems as possible to make the attack worth the trouble.

Gallagher tells Decrypt, a sign that a system is infected is unusually heavy use of processing power, reduced performance, and higher-than-usual electricity bills. Kind of like you're mining crypto.

Monero, which means "coin" in Esperanto, has become a favorite of cybercriminals due to its many privacy features that make tracing much harder than Bitcoin and Ethereum. Monero wallet addresses and transactions are difficult to trace because of the use of ring signatures and stealth addresses, which hide the identities of both the sender and the receiver.

Sophos recommends patching vulnerabilities in internet-facing systems like web applications, VPN services, and email servers and installing anti-malware products to make them much less likely to fall victim.

While Sophos makes its own products, Gallagher just urged some type of protection. “Any anti-virus is better than no anti-virus,” he said.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.