Monero (XMR) is by far the most popular cryptocurrency among criminals deploying mining malware, according to a new study.

Two researchers, Sergio Pastrana and Guillermo Suarez-Tangil, from Universidad Carlos III de Madrid and King’s College London, respectively, published their report last week, estimating that hackers have mined at least 4.32 percent of the total monero in circulation.

Pastrana and Suarez-Tangil write:

“Overall, we estimate there are at least 2,218 active campaigns that have accumulated about 720K XMR (57M USD). Interestingly just a single campaign (C#623) has mined more than 163K XMR (18M USD), which accounts for about 23% of the total estimated. This campaign is still active at the time of writing.”

The researchers, however, are not sure whether, or what portion, of malware owners have cashed out their crypto, due to lack of information and the fluctuating prices of cryptos. At press time, the value of the XMR total cited is almost $40 million.

Around 4.4 million malware samples were analyzed over a 12-year period from 2007 to 2018, and and 1 million malicious miners were identified, the paper says.

Tactics adopted to distribute malware varies, but the pair say that a “common yet effective approach is to use legitimate infrastructure such as Dropbox or GitHub to host the droppers, and stock mining tools such as claymore and xmrig to do the actual mining.”

After monero, which the pair said is “most prevalent,” bitcoin came in at second favorite crypto for illicit mining, though its popularity has decreased over the years. Bad actors also experimented with other altcoins such as dogecoin or litecoin during 2013 and 2014 and then shifted back to bitcoin and monero, probably because these are more profitable, the researchers suggest.

Of the malware-associated wallets identified by the team, monero was 56 percent more represented than bitcoin, while zcash came in third place.

More generally, instances of crypto-mining malware increased by well over 4,000 percent last year, according to research from McAfee published in December – growth that saw it rapidly overtake the previous favorite, ransomware, over the period.

Back in November, research from Israel-based cybersecurity firm Check Point Software Technologies showed that a monero mining malware, dubbed KingMiner, is evolving through time to avoid detection.

Monero image via Shutterstock; tables via the report