Telecom Egypt is ‘Secretly Using Egyptian Internet Users’ to Mine Cryptocurrency

Telecom Egypt, a government-owned entity, has been redirecting Egyptian internet users to malware used to mine cryptocurrency or display certain advertisements, according to a report published by security researchers at the University of Toronto.

In the report released on 9 March, the researchers said they discovered “deep packet inspection (DPI) middleboxes” being used to “hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.”

The researchers called the Egyptian scheme ‘AdHose’ and revealed that it has two modes: a ‘spray mode’ and a ‘trickle mode’.

“In spray mode, AdHose redirects Egyptian users en masse to ads for short periods of time. In trickle mode, AdHose targets some JavaScript resources and defunct websites for ad injection,” said the researchers in the report, revealing that in “spray mode”, hijacked devices are also being redirected to the cryptocurrency mining malware ‘Coinhive’ to mine Monero cryptocurrency.

Examples of use of “trickle” mode included redirecting web traffic for advertisement injection when users visit certain sites. Examples of sites provided by the researchers included CopticPope.org, formerly used by the Coptic Orthodox Church in Egypt, and Babylon-X.com, a former pornography website.

“AdHose is likely an effort to covertly raise money,” said the researchers.

Just one scan by the researchers in January revealed that more than 5,700 were affected by a form of AdHose.

In their tests, the researchers also discovered that AdHose is responsible for internet censorship in Egypt. In recent months, hundreds of websites have been blocked in Egypt, including local media organisations such as Daily News Egypt and Mada Masr, and international media organisations such as Al-Jazeera.
