The hacker also enlisted servers to join a digital currency mining pool, taking advantage of other people's computing power to tap into the crypto-craze. Tracing the results of one server alone, investigators found the hacker had used between 13 and 38 machines to mine the Monero currency, collecting almost $4000 over a seven-month period with the computer owners none the wiser.

Criminal operator

Investigators won't say how they detected the attack but the hacker probed websites for security weak points. Once breached, they could then access other websites and computers connected to the server.

Investigators concluded the Manic Menagerie hacker was a criminal operator rather than state-sponsored. While the ACSC lacks definitive proof, evidence suggests, based on the language and digital artifacts used, that the perpetrator is likely to be Chinese.

Mr MacGibbon said the Manic Menagerie hacker was a lot more subtle than ransomware attacks – where hackers demanded payment to release data – but the level of access they had gained to systems was significant and could have destroyed businesses.

"Here we are looking at a criminal group that could harm hundreds of thousands of businesses nationally and globally," Mr MacGibbon said.

"That's a wake-up call to web-hosting companies providing contracted services for small businesses to improve their security posture.


"I would call this a near miss. If a criminal has done this [and obtained this kind of access], they had an opportunity to do a whole range of badness. We are lucky it was not worse."

Mr MacGibbon said the hack targeting web-hosting providers was comparable in approach to how the Chinese government attempted to steal commercial secrets from big companies by targeting managed services providers, which Australia and other countries condemned last month.

Mr MacGibbon said it was believed the Manic Menagerie hacker did not steal personal private information but the cyber-security centre had worked with affected providers to regain control of their systems, as well as inform other nations about the vulnerability.

"This is the first we've known of this kind of compromise of web-hosting companies," he said.

The ASCS will release a report on Tuesday with advice for web hosting providers and customers on strengthening their cyber defences.