Stealing computing resources for cryptocurrency mining can be profitable—to the tune of tens of thousands of dollars a month. Security software vendor ESET found that a hacker has infected hundreds of Windows servers with a secret cryptocurrency mining program, generating $63,000 over three months.

ESET is a Slovakian firm that sells anti-virus software and runs a research unit that regularly publishes its findings, as is common practice among security vendors. Update: ESET says the infected machines were in Thailand, Taiwan, Germany, and Morocco, among other countries. However, only machines running Windows Server 2003 are vulnerable, so the hackers are exploiting neglected, old, systems. The attacks are relatively unsophisticated, using widely available techniques and simply modifications to open-source software, ESET found.

The malware mines Monero, a cryptocurrency that currently has a total market value of about $1.4 billion. It’s just one of the thousands of crypto coins in the marketplace. What sets Monero apart is its focus on privacy. Unlike bitcoin, which is pseudonymous—and for which many identification techniques exist—Monero pitches itself as an untraceable and totally anonymous cryptocurrency.

Coinmarketcap Monero’s total market value.

Besides anonymity, hackers favor Monero for another reason. The algorithm used in Monero mining is particularly suited for ordinary CPUs, unlike bitcoin, which requires specialized hardware. Hackers who can assemble a botnet of secret Monero miners therefore have a good chance of profiting.

The ESET researchers say they first observed the Monero botnet on May 26, with the hacker conducting several waves of attacks until Sept 1. The botnet currently appears to be performing very little mining activity, although ESET points out that this is typical behavior before another wave of attacks is launched. The hackers are exploiting a vulnerability in Microsoft IIS 6.0, a kind of web server software, that was discovered in March. Machines that haven’t updated their software to close that loophole remain vulnerable.