Threat actors hijacking Bitbucket and Docker Hub for Monero mining

Threat actors hijacking Bitbucket and Docker Hub for Monero mining

According to researchers, these developer resources were also targeted last year for Monero mining but now “the campaign has resurfaced with vengeance.”


In September 2020, Aqua Security’s Team Nautilus discovered a campaign that targeted GitHub and Docker Hub automated build processes for cryptocurrency mining. At the time, the company notified the services, and the attack was blocked.

SEE: Hackers Hide Monero Cryptominer in Scarlett Johansson’s Picture

According to Aqua’s latest report, the same campaign has resurfaced, and this time it is a lot more intense. Within just four days, the attackers have set up around 92 malicious Bitbucket repositories and 92 malicious Docker Hub registries using Aqua Dynamic Threat Analysis (DTA). Their purpose is to perform cryptocurrency mining using these resources.

Unique Integration Process 

According to Aqua Security’s lead data analyst Assaf Morag, the threat actors have created a continuous integration process. This is a unique process as it initiates multiple auto-build processes every hour. On each build, they execute a Monero crypto miner.

Straightforward Kill Chain

In this crypto mining campaign, threat actors have used a straightforward kill chain. Firstly, the attackers register multiple fake email IDs via a Russian provider and then set up a Bitbucket account with numerous repositories using official documents to make them appear legit.


A similar method is used with Docker Hub as threat actors are creating accounts with various linked registries. They build images on Bitbucket/Docker Hub environments and hijack their resources to