Crypto miners are killing free CI

Originally published here: https://layerci.com/blog/crypto-miners-are-killing-free-ci/

CI providers like GitLab, TravisCI, and Shippable are all worsening or shutting down their free tiers due to cryptocurrency mining attacks.

On September 1st, 2020, GitLab announced that their free CI offering was being restricted in response to "usage." Two months later, TravisCI announced that a similar restriction in response to "significant abuse."

Concurrently with these pricing changes, the market capitalization of mineable cryptocurrencies has exploded.

These events are related: As the market capitalization of cryptocurrency surged from $190 billion in January of 2020 to $2 trillion in April of 2021, it's become profitable for bad actors to make a full time job of attacking the free tiers of platform-as-a-service providers.

717 GitHub commits in one month
"testronan" is an avid Flask user. Every hour they make a commit to their only GitHub repository: "testronan/MyFirstRepository-Flask"

The prolific programmer is certainly making sure that their contributions are well tested. Their repository contains configurations for five different CI providers: TravisCI, CircleCI, GitHub Actions, Wercker, and LayerCI.

Seemingly quite proficient at shell scripting, their CI tasks run "listen.sh": A shell script that combines a complicated NodeJS script with some seemingly random numbers:

MyFirstRepository-Flask has nothing to do with Flask or webservers. It hosts cryptocurrency mining scripts that send WebDollars to an anonymous address. The numbers correspond to installation options for the NodeJS implementation of WebDollar

The repository is not attacking GitHub directly, instead it abuses GitHub actions' "cron" feature to create a new commit every hour and mine WebDollars on four other CI providers.

At WebDollar's April peak price of $.0005, the repository was making $77USD per month - a considerable sum in many countries, especially given that the only tools required are a laptop and an internet connection.

The two wallet addresses that receive these coins are:

https://www.webdscan.io/address/WEBD%24gBJhmuwat3kvP2@%232E4K2zXX967grh9L43%24
https://www.webdscan.io/address/WEBD%24gCszFRxzuMDbyNXnCXszoB2aIMSuV9kgbb%24
Headless browser cryptocurrency mining
"vippro99" is less subtle about their intentions. Out of dozens of repositories, most are related to cryptocurrency or browser automation.

The nodejs-monney repository contains various scripts to start instances of chrome with the Google's popular puppeteer project.

The idea is simple: Mining cryptocurrency directly in CI is somewhat easily detectable (with executable content analysis, for example) but browser automation is a common workload within CI.

The referenced GitHub pages website contains a simple browser-based Monero miner, reminiscent of Coinhive.

As of writing, the account is currently attacking JFrog's Shippable CI, which (perhaps relatedly) announced the end of its free tier earlier this year.

"vippro99"'s comments indicate that they are in Vietnam. At the current price of Monero, each instance of their cryptocurrency miner on Shippable is giving $2.5USD per month, so maintaining a mere 60 concurrent instances would be equivalent to a full time job in that country.

A solution for crypto
Ethereum, the second most popular cryptocurrency, recently announced plans to fully disable computation-based mining as a way to earn new Ethereum, switching entirely to a proof-of-stake (POS) validation model.

Beyond the environmental impact of traditional "proof of work" mining, there are externalities in many other fields like worldwide GPU shortages and attacks on free tiers of compute platforms like CI.

Providers can do their best to enforce terms of service, but as long as it's profitable and untraceable to make such attacks, they will continue to become more sophisticated and circumvent measures. The only long-term way that we will continue to be able to enjoy free tiers on Heroku, Netlify, and GitHub are to switch away from proof-of-work.