
Ukrainian cyber police have apprehended a 35-year-old man who, over several years, used servers rented through hijacked client accounts at an international hosting provider to mine cryptocurrency. Preliminary estimates place the financial damage from his actions at over $4.5 million.
According to law enforcement, the suspect gained unauthorized access to more than 5,000 client accounts of a major global server rental company. Once he controlled the accounts, he began launching virtual machines (software-based replicas of computers) at scale, billed to the account holders, and used them to build an infrastructure for covert mining operations.
To execute his attacks, he relied on publicly available information, identifying vulnerable configurations within the infrastructures of various international organizations. Investigators determined that the most active phase of his operations began as early as 2018. To evade capture, the suspect frequently changed residences and moved between regions across Ukraine, including Poltava, Odesa, Zaporizhzhia, and Dnipropetrovsk.
During the search, authorities seized computers, smartphones, bank cards, and other data storage devices. Among the evidence were mining operation management scripts, remote access tools, and programs used for data theft. Also discovered were cryptocurrency wallets containing illicitly obtained funds, databases of stolen email accounts, and forum profiles associated with discussions of hacking techniques.
The suspect has been charged under Part 5 of Article 361 of the Criminal Code of Ukraine, which carries a sentence of up to 15 years in prison along with a ban on certain professional activities for up to three years. Cyber police noted that the investigation is ongoing and that additional charges may yet be filed.
A lingering question remains: who will bear the multimillion-dollar bills for the server resources consumed, the hosting provider itself, or the clients whose accounts were breached? Security experts have reiterated the basics of safeguarding cloud and hosting accounts: strong, unique passwords, two-factor authentication, and regular review of account activity logs for unexpected logins and resource creation, since a hijacked account that suddenly spins up expensive instances is usually visible in the logs long before the invoice arrives.