A new report published by Group-IB suggests that malicious cryptocurrency miners have so far raked in $19.5 million from 51% attacks directed against smaller cryptocurrency projects using a proof-of-work (PoW) consensus algorithm.

The report, first spotted by The Next Web, makes it clear that so far this year we’ve seen five 51% attacks, up from zero last year. These occurred between April and June, and have significantly affected users’ confidence in the affected cryptocurrencies.

These attacks, as the name implies, involve a miner taking control of 51% of a network’s hashrate, which effectively allows it to freeze the system, stop transactions from being verified, or become the only miner verifying transactions. One of the most lucrative options is double spending.

When an attacker double spends coins from a network he controls, he’s essentially a new blockchain to verify the fake transactions. Group-IB notes, however, that controlling most of a network’s hashrate isn’t an attack per se, although it’s an advantage that can be used.

[51% attacks] can either carried out by one miner with a large number of computers or a group of miners forming a mining pool. Control over 51-percent of the network power itself is not necessarily an attack — unless there has been intentional use of this advantage.

Researchers from the organization added that it’s currently possible to double spend without taking control of a cryptocurrency’s hashrate, although having it “is an absolute guarantee that the fraudster’s block is recognized as correct.”

Expensive Attacks

Pulling a 51% attack is notably not easy nor cheap. According to a website that tracks the costs of pulling a 51% attack on proof-of-work based blockchains, it would cost $390,000 to attack bitcoin’s blockchain for only one hour. Adding to this, only about 1% of the needed hashrate could be rented on popular website NiceHash.

Similarly, an attack on Ethereum would cost $148,000 per hour, and only 3% of the needed hashrate could be rented out. To succeed, attackers have chosen smaller cryptocurrencies they know they can lucratively exploit.

As CryptoGlobe covered Verge (XVG) was hit with 51% attacks twice. Once in April when a bug saw hackers steal $1 million worth of the cryptocurrency, and once in May when unusual mining data suggested it was occurring again.

ZenCash, a cryptocurrency that later on rebranded to Horizen, was also hit with one of these attacks this year. It saw hackers take $550,000 worth of ZEN after controlling its blockchain for four hours. Another little-known crypto, litecoin cash, was also hit.

The most notable attack we saw was that of bitcoin gold (BTG). After it was hit hackers managed to rake in $18 million, and to protect investors cryptocurrency exchange Bittrex delisted BTG. The crypto’s team later on hard forked to prevent further attacks, and claimed Bittrex delisted it because it “declined to pay 12,372 BTG to remain listed.”

For these projects to minimize the risk of being attacked, Group-IB suggested they should use encryption algorithms different from those used by BTC or ETH, as this would “avoid the scenario where a mining pool is compromised.”