20 suspects have been arrested in China in a major cryptojacking case allegedly affecting over one million computers and generating 15 million yuan (about $2.2 million) in illicit profits, local news source Legal Daily reports today, July 9.

Cryptojacking is the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to local sources, investigation of the case began in January 2018, after the security team at Tencent –– the tech giant that developed WeChat –– alerted the Weifang City Public Security Bureau about a mining script hidden in freely-downloadable plugins.

The so-called “trojan horse” style mining script was reportedly programmed to run whenever it detected that the CPU utilization of the computer was at less than 50 percent.

After the script’s developers were traced to the city of Qingzhou, the Qingzhou Public Security Bureau established a dedicated task force to handle the investigation, local media reports.

Based on information revealed in the trial of one allegedly involved individual –– arrested in March –– the task force subsequently uncovered the implication of a company called Dalian Shengping Network Technology, leading to 16 more arrests. The company is alleged to have advertised free downloads to 2.89 million computers, selecting over 1 million of them for cryptojacking.

On April 18, two men operating for yet another company were then charged with bundling the malware together with network management software used by internet cafes in Heilongjiang Province. A further individual was arrested in connection with the task force’s seizure of the mining program the following day.

Eleven of the suspects have now been released on bail.

Over the two years that the cryptojacking scheme ran, 15 million yuan ($2.2 million) in crypto was allegedly mined.

Just last month, a new report published by cyber security firm McAfee Labs revealed that certain forms of cryptojacking rose a staggering 629 percent in the first quarter of 2018, compared the previous quarter.

Also in June, a cybersecurity team discovered that 40,000 devices across various industries had been infected by a Monero (XMR) miner as part of a hybrid malicious traffic manipulation and crypto mining campaign.