Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
Blog post from Sysdig
Sysdig's Threat Research Team (TRT) has uncovered a large-scale cryptomining operation, tracked as PURPLEURCHIN, that abuses free-tier accounts on CI/CD platforms such as GitHub, Heroku and Buddy.works to mine cryptocurrency. Sysdig calls the technique "freejacking": the operation runs miners from more than 130 Docker Hub images across numerous GitHub, Heroku and Buddy accounts, and uses automation to get past account-creation defenses such as CAPTCHAs and credit-card requirements. The cost of the compute falls on the service providers, which can translate into higher prices for legitimate customers and degraded service when the stolen capacity strains shared resources.

PURPLEURCHIN currently mines low-margin coins, but Sysdig suggests the actor could move to more lucrative cryptocurrencies or, with enough accumulated hashing power, attempt a 51% attack on a blockchain. The mining may also serve as cover for other malicious activity, as in earlier cyberespionage campaigns that used cryptomining as a diversion. The report stresses how the actor's techniques keep evolving, with elaborate automation for account creation and operation management that points to a highly organized and scalable fraud scheme.
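One way a platform operator, or an organization auditing its own GitHub org, could triage workflow runs for this kind of abuse. This is an added example, not code from Sysdig or from the report; it assumes run records in the shape of the GitHub REST API's workflow-run objects (only the fields used here are modelled), relies on the documented 6-hour per-job limit on GitHub-hosted runners, and the thresholds (90 % of the cap, at least 3 such runs, at least 80 % cron-triggered) are tuning choices, not indicators from the report. The sample input is constructed.

```python
"""Heuristic triage of GitHub Actions workflow runs for freejacking-style abuse.

Added example, not code from the Sysdig report. Input is a list of run objects
in the shape of the GitHub REST API (GET /repos/{owner}/{repo}/actions/runs,
"workflow_runs" array); only the fields used here are modelled (assumption).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# GitHub-hosted runners cap each job at 6 hours. A repository whose runs are
# cron-triggered and repeatedly burn almost the whole allowance looks like
# compute theft rather than a build. The ratio and counts are tuning choices.
JOB_TIME_LIMIT_S = 6 * 60 * 60
NEAR_CAP_RATIO = 0.9
MIN_NEAR_CAP_RUNS = 3
MIN_SCHEDULED_FRACTION = 0.8

# Constructed sample: one repository behaving like a miner, one normal CI repo.
SAMPLE_RUNS_JSON = """
[
  {"id": 1, "event": "schedule", "status": "completed",
   "run_started_at": "2022-10-01T00:00:00Z", "updated_at": "2022-10-01T05:56:00Z",
   "repository": {"full_name": "ci-farm-0042/build"}},
  {"id": 2, "event": "schedule", "status": "completed",
   "run_started_at": "2022-10-01T06:00:00Z", "updated_at": "2022-10-01T11:56:00Z",
   "repository": {"full_name": "ci-farm-0042/build"}},
  {"id": 3, "event": "schedule", "status": "completed",
   "run_started_at": "2022-10-01T12:00:00Z", "updated_at": "2022-10-01T17:56:00Z",
   "repository": {"full_name": "ci-farm-0042/build"}},
  {"id": 4, "event": "schedule", "status": "completed",
   "run_started_at": "2022-10-01T18:00:00Z", "updated_at": "2022-10-01T23:56:00Z",
   "repository": {"full_name": "ci-farm-0042/build"}},
  {"id": 5, "event": "push", "status": "completed",
   "run_started_at": "2022-10-01T10:00:00Z", "updated_at": "2022-10-01T10:08:00Z",
   "repository": {"full_name": "acme/webapp"}},
  {"id": 6, "event": "push", "status": "completed",
   "run_started_at": "2022-10-01T11:30:00Z", "updated_at": "2022-10-01T11:41:00Z",
   "repository": {"full_name": "acme/webapp"}},
  {"id": 7, "event": "schedule", "status": "completed",
   "run_started_at": "2022-10-02T02:00:00Z", "updated_at": "2022-10-02T02:20:00Z",
   "repository": {"full_name": "acme/webapp"}}
]
"""


def _parse_ts(value):
    """Parse the API's ISO-8601 UTC timestamps ("...Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_duration_s(run):
    """Seconds between run start and its last update; meaningful for completed runs."""
    return (_parse_ts(run["updated_at"]) - _parse_ts(run["run_started_at"])).total_seconds()


def triage_runs(runs):
    """Group completed runs by repository and flag repos whose activity is mostly
    cron-triggered and consistently close to the per-job cap. Returns {repo: summary}."""
    by_repo = defaultdict(list)
    for run in runs:
        if run.get("status") == "completed":
            by_repo[run["repository"]["full_name"]].append(run)

    findings = {}
    for repo, repo_runs in by_repo.items():
        near_cap = [r for r in repo_runs
                    if run_duration_s(r) >= NEAR_CAP_RATIO * JOB_TIME_LIMIT_S]
        scheduled_fraction = sum(r["event"] == "schedule" for r in repo_runs) / len(repo_runs)
        if len(near_cap) >= MIN_NEAR_CAP_RUNS and scheduled_fraction >= MIN_SCHEDULED_FRACTION:
            findings[repo] = {
                "runs": len(repo_runs),
                "near_cap_runs": len(near_cap),
                "scheduled_fraction": round(scheduled_fraction, 2),
                "hours_consumed": round(sum(run_duration_s(r) for r in repo_runs) / 3600, 1),
            }
    return findings


def triage_sample():
    """Run the heuristic over the constructed sample."""
    return triage_runs(json.loads(SAMPLE_RUNS_JSON))


if __name__ == "__main__":
    for repo, summary in triage_sample().items():
        print(repo, summary)
```

The heuristic is deliberately coarse: a legitimate repo with a long nightly integration suite can trip it, so treat a hit as a lead to inspect the workflow file and the images it pulls, not as a verdict. Extending the grouping key from repository to account owner, and adding the account's age and the number of freshly created repositories, follows directly from the report's point that the actor scales by automating account creation.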