CHALLENGE
The Hong Kong technology service provider operated a sizeable internal server environment, running multiple hosts across its network on a common Linux distribution. Its IT function managed the environment with the tools available to it: a firewall, standard system logs, and internal visibility into its own infrastructure. What it lacked — and what ultimately cost it nearly two months of undetected exposure — was any endpoint detection and response capability, and any process for escalating the alerts its existing tools were already generating.
The intrusion began in December 2025. A host on the organisation’s internal network attempted to download a file from infrastructure that the firewall immediately recognised as malicious. The firewall blocked the request and logged it. That log sat unexamined. The same host tried again. Over the following weeks, the pattern repeated and spread: additional internal servers reaching out to the same external addresses, downloading tools, and beginning to execute them.
The attacker’s objective, as analysis would later confirm, was cryptomining — using the organisation’s server resources to generate cryptocurrency at its expense. But the access required to achieve that goal gave the attacker something considerably more dangerous: root-level control across multiple systems, valid credentials obtained through brute-force tooling, and the ability to move laterally through the network using legitimate remote access protocols. The servers were being drained of processing capacity, but the organisation had no visibility into why, and no alert threshold configured to flag the degradation. This pattern — a financially motivated intrusion that quietly accumulates access well beyond its initial objective — mirrors what Blackpanda investigators found in a ransomware engagement at a Singapore investment firm, where attackers moved laterally through the environment for weeks before detonating their payload.
What compounded the problem was what happened after Blackpanda arrived. Investigators found that the attacker had taken deliberate steps to erase their footprint: authentication logs deleted, key artefacts removed, and system files cleared. The malware itself contained functionality designed to wipe evidence of access. This is not unusual tradecraft for sophisticated actors, but it meant that the full scope of the intrusion could not be conclusively determined — including whether the attacker had accessed or staged sensitive data before the investigation began.
SOLUTION
1. Activation and initial scoping
Blackpanda was engaged in early February 2026 under an IR-1 incident response activation. The engagement began with a triage call to establish the scope of the suspected activity, identify which systems were involved, and determine what forensic evidence remained available. Given the attacker’s anti-forensic activity, scoping relied heavily on firewall telemetry alongside whatever artefacts had survived deletion.
Investigators identified nine servers for forensic examination, across which the organisation provided application logs and firewall console access. No memory or full disk images were available for most hosts, which constrained the depth of analysis but did not prevent reconstruction of the core attack chain.
2. Mapping the attack chain using surviving evidence
With endpoint detection tooling absent from the environment, Blackpanda’s analysis drew on firewall logs, application logs, and partially recovered artefacts to reconstruct the attacker’s activity. This work traced the intrusion from its earliest observable moment in December 2025 through to early February 2026, mapping the sequence of tool downloads, credential attacks, persistence mechanisms, and lateral movement.
The analysis followed the recognised MITRE ATT&CK framework structure, working through each stage of the intrusion: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and impact. Where evidence was absent due to log wiping, investigators noted the gap explicitly rather than inferring activity that could not be substantiated.
3. Identifying the malware and its capabilities
The tools downloaded from external attacker-controlled infrastructure included a port scanning utility, a credential brute-force binary, a password generation tool, and a persistence binary that established itself as a system service configured to run as root and restart automatically after reboots. The binary was given a filename identical to a legitimate system process, a deliberate obfuscation technique. The same malware package included built-in log-wiping functionality, which accounts in part for the evidence gaps the investigation encountered.
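The persistence mechanism described above (a root service that auto-restarts, launched from a binary named after a legitimate process) can be hunted for by auditing unit files. The script below is an added illustration, not Blackpanda's tooling; the unit files, the trusted-path list and the daemon-name list are all constructed assumptions.

```python
import os

# Assumed set of directories where packaged binaries legitimately live.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
# Illustrative daemon names an attacker might borrow for a staged binary.
KNOWN_DAEMONS = {"sshd", "cron", "crond", "rsyslogd", "systemd-journald", "kworker"}

# Constructed unit files (not recovered from the engagement): one legitimate,
# one modelled on the disguised root service described in the case.
SAMPLE_UNITS = {
    "/etc/systemd/system/ssh.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n",
    "/etc/systemd/system/sshd-helper.service":
        "[Service]\nExecStart=/var/tmp/.cache/sshd\nRestart=always\n",
}

def parse_unit(text):
    """Minimal INI-style parser; keeps the last value of a repeated key."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            out[f"{section}.{key.strip()}"] = value.strip()
    return out

def audit_unit(text):
    """Return findings for one unit file; an empty list means nothing suspicious."""
    unit = parse_unit(text)
    exec_start = unit.get("Service.ExecStart", "")
    binary = exec_start.lstrip("-@+!:").split()[0] if exec_start else ""
    findings = []
    if binary and not binary.startswith(TRUSTED_DIRS):
        findings.append(f"ExecStart binary outside system paths: {binary}")
        if os.path.basename(binary) in KNOWN_DAEMONS:
            findings.append(f"binary name mimics a system daemon: {os.path.basename(binary)}")
    runs_as_root = unit.get("Service.User", "root") in ("root", "0")
    auto_restart = unit.get("Service.Restart", "no") in ("always", "on-failure")
    # Root plus auto-restart is only reported alongside a suspicious binary path,
    # since many legitimate daemons share those two properties.
    if findings and runs_as_root and auto_restart:
        findings.append("runs as root and auto-restarts: survives reboots and process kills")
    return findings

def audit_units(units):
    """Map unit path -> findings, keeping only units that raised something."""
    return {path: audit_unit(text) for path, text in units.items() if audit_unit(text)}
```

Run over the real unit directories (/etc/systemd/system and /usr/lib/systemd/system) by reading each file into the `units` dict; a non-empty result is a starting point for triage, not a verdict.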
Investigators confirmed that cryptomining software was deployed and actively running across affected hosts, consuming sustained CPU resources and degrading system performance across the organisation’s server environment.
4. Assessing the full scope of compromise
Beyond the cryptomining payload, Blackpanda’s analysis identified credential compromise as a significant secondary impact. The attacker used brute-force tooling against a target list derived from its own internal network reconnaissance, successfully obtaining valid credentials that it then used to move between systems over SSH. The breadth of lateral movement — spanning multiple subnets and a range of internal hosts — indicated the attacker had established a substantial foothold well beyond the systems initially involved.
Investigators also identified commands in partially recovered artefacts consistent with the capability to delete large volumes of data, though the exact impact of any such activity could not be fully assessed.
5. Recommendations and containment guidance
Following the investigation, Blackpanda issued a set of prioritised remediation recommendations covering immediate containment and longer-term hardening. These addressed credential rotation across all affected and potentially exposed systems, the deployment of endpoint detection and response tooling, the implementation of centralised log management, hardening of SSH access controls, and the establishment of alert escalation processes to ensure that firewall detections reach the people positioned to act on them.
RESULTS
1. The attacker’s presence was confirmed and the scope of compromise was mapped
Working from firewall telemetry, partially recovered artefacts, and application logs across nine servers, Blackpanda reconstructed the intrusion timeline from its earliest observable activity in December 2025 through to the engagement activation in early February 2026. The full attack chain was documented: initial tool staging from external infrastructure, internal reconnaissance, credential brute-forcing, persistence via a disguised system service, and lateral movement across the network using compromised credentials.
2. Cryptomining malware was identified and its mechanism confirmed
Analysis confirmed the deployment of cryptomining software across affected hosts, with sustained CPU consumption that had been degrading server performance without a clear explanation. The malware’s persistence mechanism — a system service configured to run as root and restart automatically — ensured that the software continued operating even across reboots, compounding the resource drain over the duration of the intrusion.
3. The attacker’s anti-forensic activity was documented
Investigators identified and documented deliberate log deletion and artefact wiping, including the specific files targeted and the commands used. This finding served two purposes: it explained the evidentiary gaps in the investigation, and it established that the attacker had a level of operational sophistication consistent with the use of commercially available intrusion toolkits rather than improvised attack methods.
4. No confirmed data exfiltration was identified
Within the reviewed evidence, no firewall, host, or application log artefacts showed outbound transfer of internal data. This finding was stated with appropriate qualification: the attacker’s log-wiping activity and the absence of endpoint detection tooling mean the full scope of their actions cannot be conclusively determined. The absence of confirmed exfiltration is not the same as confirmed absence of exfiltration.
5. A prioritised remediation roadmap was delivered
Blackpanda provided the organisation with a structured set of remediation recommendations, covering immediate credential rotation across all confirmed and suspected systems, deployment of endpoint detection and response capabilities, centralised logging via a SIEM platform, SSH hardening, performance monitoring to detect future resource abuse, and renewal of IR-1 to maintain response readiness.
The case illustrates a pattern that investigators encounter with regularity: the controls that could have contained this intrusion existed. The firewall flagged the first malicious connection on the first day. What was absent was not technology but process — the escalation path that would have turned a logged alert into an investigated incident. Most intrusions of this kind do not exploit gaps in security tools; they exploit gaps in the human systems built around those tools.
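The escalation gap described in this case (a blocked connection to known-malicious infrastructure that was logged but never acted on) can be closed with a small amount of logic over the firewall's own output. The following is an added example, not Blackpanda's or the organisation's code; the log format, the sample lines and the severity rules are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall lines (not from the engagement). Assumed
# key=value syslog-style format; 203.0.113.7 stands in for a threat-feed hit.
SAMPLE_LOG = """\
2025-12-01T09:12:03 action=block dir=out src=10.10.1.21 dst=203.0.113.7 dport=80 reason=threat-feed
2025-12-01T09:14:40 action=block dir=out src=10.10.1.21 dst=203.0.113.7 dport=80 reason=threat-feed
2025-12-01T10:02:11 action=allow dir=out src=10.10.1.21 dst=198.51.100.9 dport=443 reason=-
2025-12-03T22:45:09 action=block dir=out src=10.10.2.5 dst=203.0.113.7 dport=80 reason=threat-feed
2025-12-03T22:46:30 action=allow dir=in src=192.0.2.14 dst=10.10.2.5 dport=22 reason=-
"""

def parse_line(line):
    """Parse one line into a dict of fields; returns None if it does not match."""
    ts, _, rest = line.strip().partition(" ")
    if not ts or "=" not in rest:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split())
    try:
        fields["ts"] = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return fields

def escalations(log_text, repeat_window=timedelta(days=7)):
    """One ticket per blocked outbound threat-feed hit, graded by context.

    'high'     first such block from an internal host (review within hours)
    'critical' the same host retries within repeat_window, or a second host
               reaches a destination another host already tried (spread)
    """
    tickets, last_seen, hosts_per_dst = [], {}, defaultdict(set)
    for f in map(parse_line, log_text.splitlines()):
        if not f or f.get("action") != "block" or f.get("dir") != "out":
            continue
        if f.get("reason") != "threat-feed":
            continue
        src, dst, ts = f["src"], f["dst"], f["ts"]
        reasons = []
        if src in last_seen and ts - last_seen[src] <= repeat_window:
            reasons.append("repeat attempt from same host")
        if hosts_per_dst[dst] - {src}:
            reasons.append(f"spread: {len(hosts_per_dst[dst]) + 1} hosts reaching {dst}")
        severity = "critical" if reasons else "high"
        reasons = reasons or ["first blocked outbound connection to threat-feed infrastructure"]
        tickets.append({"ts": ts.isoformat(), "src": src, "dst": dst,
                        "severity": severity, "reason": "; ".join(reasons)})
        last_seen[src] = ts
        hosts_per_dst[dst].add(src)
    return tickets
```

Each returned ticket is meant to be handed to a paging or ticketing integration; the point is that the first block already carries a 'high' grade rather than waiting for a repeat.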
Frequently Asked Questions
What is cryptomining malware, and why would an attacker deploy it?
Cryptomining malware — sometimes called a cryptojacker — hijacks a compromised system’s processing power to generate cryptocurrency on behalf of the attacker. Unlike ransomware, which announces itself immediately, cryptomining malware is designed to remain as invisible as possible: it benefits the attacker only for as long as it continues running undetected. In this case, the malware ran for nearly two months across multiple servers before the organisation noticed degraded performance and initiated an investigation. For the attacker, the appeal is straightforward: sustained passive income at the victim’s expense, with relatively low risk of attribution.
How did the attacker get into the network in the first place?
The precise initial access method could not be conclusively determined, because the attacker deleted the authentication logs and other artefacts that would normally allow investigators to identify the entry point. What is clear from the evidence is that the attacker established contact with internal hosts from the first day — and that those hosts then reached out to external infrastructure to download additional tooling. The absence of a confirmed root cause is itself a finding: it reflects the risk created when organisations lack endpoint detection tooling and centralised log management. When logs can be deleted locally, the historical record disappears with them.
The firewall blocked some of the initial connections. Why wasn’t that enough?
The firewall did what it was configured to do: it identified connections to known malicious infrastructure and blocked them, then logged those events. The problem was not the firewall — it was the absence of any process to act on what the firewall reported. Alert fatigue, understaffed IT functions, and the absence of defined escalation thresholds are common conditions in mid-size organisations, and attackers are aware of them. When an attacker’s first attempt is blocked but generates no human response, the second attempt follows shortly after. In this case, the attacker persisted across multiple hosts and multiple weeks before gaining the foothold it needed.
If no data was confirmed stolen, is this still a serious incident?
The absence of confirmed data exfiltration is worth noting, but it does not limit the severity of what occurred. The attacker held root-level access across multiple servers for nearly two months. Valid credentials were compromised and used for lateral movement. Commands capable of deleting large volumes of data were executed. The full extent of the attacker’s actions cannot be conclusively determined precisely because they deleted the evidence. Organisations that treat the absence of a confirmed breach as a clean bill of health are misreading what the evidence can and cannot establish.
What made this intrusion difficult to investigate?
Three factors, in combination, constrained the investigation. First, the attacker deliberately deleted authentication logs and other system artefacts — removing evidence that would normally allow investigators to reconstruct timelines and attribute specific actions. Second, the organisation had no endpoint detection and response tooling deployed, which meant there was no independent record of process execution or command-line activity to fall back on. Third, the absence of a centralised logging platform meant that when local logs were deleted, they were gone permanently. Together, these conditions are precisely what sophisticated attackers count on: not just the opportunity to act, but the opportunity to act without leaving a recoverable record. For a case where anti-forensic capability was similarly central to the attacker’s tradecraft, see Blackpanda’s investigation into the UNC5174 intrusion at a Hong Kong securities firm.
What should organisations take away from this in terms of their own setup?
Three things stand out. First, alerts without escalation paths are not a defence: if your team is not reviewing and acting on firewall detections, those alerts provide no protection. Second, endpoint detection and response tooling is the single most important control missing from environments like this one — it provides visibility that survives attacker attempts to clear local artefacts. Third, centralised log management ensures that when a local system is compromised, the historical record remains intact and available to investigators. None of these are exotic or expensive controls. They are, increasingly, the baseline that separates organisations that can investigate an intrusion from those that cannot.
What This Means for Your Organisation
Intrusions of this kind share a common architecture, and it is not primarily technical. The attacker in this case used widely available tooling: a port scanner, a brute-force credential utility, a persistence script, a cryptomining payload. None of it required exceptional skill. What it required was time — and time was available because the organisation’s existing controls were generating alerts that no one was positioned to act on.
That gap, between detection and response, is where most preventable damage occurs. The firewall did not fail. The organisation’s processes failed to translate what the firewall knew into action. This is a structural problem, and it is common. Mid-size organisations frequently have more security tooling than they have the operational capacity to operate effectively. Logs accumulate. Alert queues grow. The signal gets buried in the noise. Blackpanda’s investigation into the ransomware attack on a Singapore investment firm found the same dynamic: the organisation had defences in place, but the attacker moved through them because no one was watching the gaps between tools.
The practical implication for any organisation running server infrastructure is worth stating plainly: if you cannot guarantee that a firewall alert for a connection to known malicious infrastructure will reach a human being within hours rather than weeks, your detection capability is not functioning as a control. It is functioning as a record. IR-1 from Blackpanda exists partly to address exactly this: a guaranteed four-hour response SLA means that when something surfaces, the gap between detection and expert-led investigation is measured in hours, not months.
About Blackpanda
Blackpanda is a Lloyd’s of London–accredited insurance coverholder and Asia’s leading local cyber incident response firm, delivering end-to-end digital emergency support across the region. We are pioneering the A2I (Assurance-to-Insurance) model in cybersecurity — uniting preparation, response, and insurance into a seamless pathway that minimises financial and operational impact from cyber attack. Through expert consulting services, response assurance subscriptions, and innovative cyber insurance, we help organisations get ready, respond, and recover from cyber attacks — all delivered by local specialists working in concert.
Our mission is clear: to bring complete cyber peace of mind to every organisation in Asia, from the first moment of breach through full recovery and beyond.