hardhatted person on a ladder installing a splitter box

A proxyjacking campaign is looking for vulnerable SSH servers

A researcher at Akamai has posted a blog about a worrying new trend—proxyjacking—where criminals sell your bandwidth to a third-party proxy service.

To understand how proxyjacking works, we’ll need to explain a few things.

There are several legitimate services that pay users to share their surplus Internet bandwidth, such as Peer2Profit and HoneyGain. The participants install software that adds their systems to the proxy-network of the service. Customers of the proxy service have their traffic routed through the participants’ systems.

The foundation of the proxyjacking problem lies in the fact that these services don’t check where the shared bandwidth is coming from. Peer2Profit and Honeygain claim to only share their proxies with theoretically vetted partners, but according to Akamai’s research they don’t check if the one offering the bandwidth is the actual owner.

Proxies and stolen bandwidth have always been popular among cybercriminals since they allow them to anonymize their traffic. What’s new about this campaign is that these same criminals are now “renting out” the bandwidth of compromised systems to make money instead of simply using them.

The researcher became aware of the campaign when they noticed an attacker establishing multiple SSH (Secure Shell) connections to one of their Cowrie honeypots. Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. It can be used to emulate a UNIX system in Python, or to function as an SSH and telnet proxy to observe attacker behavior to another system.

For the criminals the beauty of the attack is that it is mostly fileless and the files that are actually used, curl and the public Docker images for the proxy monetization services Peer2Profit and Honeygain, are legitimate and will not be detected by anti-malware solutions.

And proxyjacking is a lot less likely to be detected than cryptojacking since it requires only minimal CPU cycles and uses surplus Internet bandwidth. Interesting to note, the researchers found out that the compromised distribution server also contained a cryptomining utility, as well as many other exploits and common hacking tools.


Since these seemingly legitimate services can be used by criminals on both ends, both to anonymize their activities and to sell others’ resources, we would rather see them disappear altogether, but they should at least improve the verification of their customers and their participants.

Home users can protect themselves from proxyjacking by:

Corporate users can add:

  • Monitor network traffic for anomalies
  • Keep track of running containerized applications.
  • Using key-based authentication for SSH instead of passwords

Akamai added:

“In this particular campaign, we saw the use of SSH to gain access to a server and install a Docker container, but past campaigns have exploited web vulnerabilities as well. If you check your local running Docker services and find any unwanted resource sharing on your system, you should investigate the intrusion, determine how the script was uploaded and run, and perform a thorough cleanup.”

If you lack the time and resources for constant monitoring, Malwarebytes can offer Managed Detection and Response (MDR). Want to learn more about how we can help protect your business? Get in touch.