An automated and large-scale ‘freejacking’ campaign abuses free GitHub, Heroku, and Buddy services to mine cryptocurrency at the providers’ expense.
The operation relies on abusing the limited compute resources offered to free-tier cloud accounts to generate a tiny profit from each free account, which, when combined across many accounts, becomes something more significant.
The threat actor behind the campaign, called ‘Purpleurchin,’ was observed performing over a million function calls daily, using CI/CD service providers such as GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works (900 accounts).
The use of those accounts is rotated and channeled through 130 Docker Hub images containing mining containers, while obfuscation at every operational level has kept Purpleurchin undetected until now.