University of Toronto interdisciplinary laboratory – The Citizen Lab – has revealed evidence that the Egyptian government is mining cryptocurrencies by using internet services of its citizens. Crypto jacking – a way to hijack other computers to mine cryptocurrencies – has gained popularity over the past few months. However, this is the first time a government entity has crypto jacked  its citizens.

Over 6,000 individual units were touched by the crypto jacking software. Although, it unclear how many networks were examined by the researchers.

According to the researchers of Citizen Lab, Sandvine/Procera Network Deep Packet Inspection (DPI), were used to secretly mine cryptocurrency on computers of Egyptian citizens. The researchers discovered the DPI devices known as middleboxes on the Telecom Egypt network.

Telecom Egypt is the primary telecom company that is 80% owned by Ministry of Communications and Technology. However, they were not the only internet service provider involved with the scandal, middleboxes were also found on Turkish Telecommunications company -Türk Telekom’s network.

The report stated:

“our investigation into the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices to deliver nation-state malware in Turkey and indirectly into Syria, and to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.”

The Citizen Lab Report

Sandvine networks supply website-filtering programs known as Packetlogic. According to the Citizen Lab findings, the Egyptian government used the same software to inject spyware and redirect its citizens to mine digital currencies.

The tactic used to mine cryptocurrencies is known as “AdHose” which Citizen Lab researchers find very difficult to detect. With the AdHose tactic, users are redirected to websites that contain CoinHive malware – a cryptocurrency mining malware that mines Monero.


The report stated:

“On several occasions, the middleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.”

The Citizen Lab Report

Sandvine Refutes The Report

The Citizen Lab informed the Ontario-based networking equipment company – Sandvine about its findings in February. In response, Sandvine declared the report “false, misleading, and wrong”. Despite Sandvine’s negligence, Citizen Lab highlighted “We emphasized that we were confident in our research findings, which two independent peer reviews confirmed”

The AdHose has two modes – “Spray Mode” and “Trickle Mode”, of redirection which is imposed on the Egyptian citizens.  In the Spray Mode, Middlebox will redirect victims to ads that contain Coinhive scripts. In the Trickle Mode, victims are only redirected to mining malware scripts if they visit these websites – and The first-mentioned is a religious website and the other is a porn site.

It is not the first time a Coinhive script is been used to mine cryptocurrencies from public resources. In the past, U.S. government websites were also victim to such cryptojacking practices. Browsers such as Chrome and Opera have released add-ons to restrict these illicit mining scripts from covertly mining cryptocurrencies that use resources of others.