60
Monero's privacy features have made it popular for illicit purposes.
Darknet markets
Monero is a common medium of exchange on darknet markets. In August 2016, dark market AlphaBay permitted its vendors to start accepting monero as an alternative to bitcoin. The site was taken offline by law enforcement in 2017, but it was relaunched in 2021 with monero as the sole permitted currency. Reuters reported in 2019 that three of the five largest darknet markets accepted monero, though bitcoin was still the most widely used form of payment in those markets.
Mining malware
Hackers have embedded malware into websites and applications that hijack victim CPUs to mine monero (sometimes called cryptojacking). In late 2017, malware and antivirus service providers blocked Coinhive, a JavaScript implementation of a monero miner that was embedded in websites and apps, in some cases by hackers. Coinhive generated the script as an alternative to advertisements; a website or app could embed it, and use website visitor's CPU to mine the cryptocurrency while the visitor is consuming the content of the webpage, with the site or app owner getting a percentage of the mined coins. Some websites and apps did this without informing visitors, and some hackers implemented it in way that drained visitors' CPUs. As a result, the script was blocked by companies offering ad blocking subscription lists, antivirus services, and antimalware services. Coinhive had been previously found hidden in Showtime-owned streaming platforms, as well as Starbucks Wi-Fi hotspots in Argentina. In 2018, researchers found similar malware that mines monero and sends it to Kim Il-sung University in North Korea.
Ransomware
Monero is sometimes used by ransomware groups. According to CNBC, in the first half of 2018, monero was used in 44% of cryptocurrency ransomware attacks.One group behind the 2017 WannaCry ransomware attack, the Shadow Brokers, attempted to exchange the ransom they collected in bitcoin to monero. Ars Technica and Fast Company reported that the exchange was successful, but BBC News reported that the service the criminal attempted to use, ShapeShift, denied any such transfer. The Shadow Brokers began accepting monero as payment later in 2017.In 2021, CNBC, the Financial Times, and Newsweek reported that demand for monero was increasing following the recovery of a bitcoin ransom paid in the Colonial Pipeline cyber attack. The May 2021 hack forced the pipeline to pay a $4.4M ransom in bitcoin, though a large portion was recovered by the United States federal government the following month. The group behind the attack, DarkSide, normally requests payment in either bitcoin or monero, but charge a 10-20% premium for payments made in bitcoin due to its increased traceability risk. Ransomware group REvil removed the option of paying ransom in bitcoin in 2021, demanding only monero. Ransomware negotiators, groups that help victims pay ransoms, have contacted monero developers to understand the technology. Despite this, CNBC reported that bitcoin was still the currency of choice demanded in most ransomware attacks, as insurers refuse to pay monero ransom payments because of traceability concerns.
Regulatory responses
The attribution of monero to illlicit markets has influenced some exchanges to forgo listing it. This has made it more difficult for users to exchange monero for fiat currencies or other cryptocurrencies. Exchanges in South Korea and Australia have delisted monero and other privacy coins due to regulatory pressure.In 2018, Europol and its director Rob Wainwright wrote that the year would see criminals shift from using bitcoin to using Monero, as well as Ethereum, dash, and zcash. Bloomberg and CNN reported that this demand for monero was because authorities were becoming better at monitoring the bitcoin blockchain.
