article featured image


A large-scale freejacking campaign is abusing GitHub, Heroku, and Buddy services to mine cryptocurrency at the expense of the provider. The threat actors target multiple free-tier cloud accounts to generate significant profits.

The threat actor behind the campaign, known as “Purpleurchin,” was seen using CI/CD service providers like GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works to make over a million function calls every day (900 accounts). Rotating and channeling the use of those accounts through 130 Docker Hub images with mining containers has kept Purpleurchin undetectable up until this point.

Campaign Details

According to security researchers, the operation has at its core a linuxapp container that acts as a C2 (command and control) server and Stratum server. The automated creation of GitHub accounts, the construction of a repository, and the replication of the workflow using GitHub operations are done using the shell script “userlinux8888”. All GitHub actions are disguised by utilizing names that are generated at random.

Purpleurchin uses two VPNs to register the accounts with different IP addresses, OpenVPN and Namecheap VPN, thus evading GitHub’s detection. Over 30 instances of Docker images are launched on each run, using pre-set arguments for the script to execute, proxy IP and port to connect to, Stratum ID name and max memory, as well as CPU amounts to use.

A variety of digital currencies including Tidecoin, Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb are mined by using a little portion of the server’s CPU power. The mining process uses a unique Stratum mining protocol relay that makes it difficult for network scanners to find the connections leading out to mining pools.

Is the Campaign Profitable?

As per BleepingComputer, the campaign is presumably profitable, as the chosen cryptocurrencies are marginally profitable. However, it is assumed that the campaign is either in an experimental phase or is trying to take control of blockchains by creating a network control majority of 51%.

The damage caused by Purpleurchin is significant and measurable. For each GitHub account, the damage is estimated to be $15, while for Heroku and Buddy, the cost is between $7 and $10 per account. An estimated $100,000 would be necessary for the threat actor to mine one Monero (XMR) via freejacking, almost ten times higher than normal cryptojacking operations.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.