January 6, 2022

Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers. Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove, and reactions from longtime customers have ranged from unease and disbelief to, “Dude, where’s my crypto?”

Norton 360 is owned by Tempe, Ariz.-based NortonLifeLock Inc. In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019 (LifeLock is now included in the Norton 360 service).

According to the FAQ posted on its site, “Norton Crypto” will mine Ethereum (ETH) cryptocurrency while the customer’s computer is idle. The FAQ also says Norton Crypto will only run on systems that meet certain hardware and software requirements (such as an NVIDIA graphics card with at least 6 GB of memory).

“Norton creates a secure digital Ethereum wallet for each user,” the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.”

NortonLifeLock began offering the mining service in July 2021, and early news coverage of the program did not immediately receive widespread attention. That changed on Jan. 4, when Boing Boing co-editor Cory Doctorow tweeted that NortonCrypto would run by default for Norton 360 users.

NortonLifeLock says Norton Crypto is an opt-in feature only and is not enabled without user permission.

“If users have turned on Norton Crypto but no longer wish to use the feature, it can be disabled by temporarily shutting off ‘tamper protection’ (which allows users to modify the Norton installation) and deleting NCrypt.exe from your computer,” NortonLifeLock said in a written statement. However, many users have reported difficulty removing the mining program.

From reading user posts on the Norton Crypto community forum, it seems some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“How on Earth could anyone at Norton think that adding crypto mining within a security product would be a good thing?,” reads a Dec. 28 thread titled “Absolutely furious.”

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” the post reads. “The product people need firing. What’s the next ‘bright idea’? Norton Botnet? ‘ And I was just about to re-install Norton 360 too, but this has literally has caused me to no longer trust Norton and their direction.”

It’s an open question whether Norton Crypto users can expect to see much profit from participating in this scheme, at least in the short run. Mining cryptocurrencies basically involves using your computer’s spare resources to help validate financial transactions of other crypto users. Crypto mining causes one’s computer to draw more power, which can increase one’s overall electricity costs.

“Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery. “It’s disgusting, gross, and brand-suicide.”

Then there’s the matter of getting paid. Norton Crypto lets users withdraw their earnings to an account at cryptocurrency platform CoinBase, but as Norton Crypto’s FAQ rightly points out, there are coin mining fees as well as transaction costs to transfer Ethereum.

“The coin mining fee is currently 15% of the crypto allocated to the miner,” the FAQ explains. “Transfers of cryptocurrencies may result in transaction fees (also known as “gas” fees) paid to the users of the cryptocurrency blockchain network who process the transaction. In addition, if you choose to exchange crypto for another currency, you may be required to pay fees to an exchange facilitating the transaction. Transaction fees fluctuate due to cryptocurrency market conditions and other factors. These fees are not set by Norton.”

Which might explain why so many Norton Crypto users have taken to the community’s online forum to complain they were having trouble withdrawing their earnings. Those gas fees are the same regardless of the amount of crypto being moved, so the system simply blocks withdrawals if the amount requested can’t cover the transfer fees.

Norton Crypto. Image: Bleeping Computer.

I guess what bothers me most about Norton Crypto is that it will be introducing millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.

Several of my elder family members and closest friends are longtime Norton users who renew their subscription year after year (despite my reminding them that it’s way cheaper just to purchase it again each year as a new user). None of them are particularly interested in or experts at securing their computers and digital lives, and the thought of them opening CoinBase accounts and navigating that space is terrifying.

Big Yellow is not the only brand that’s cashing in on investor fervor over cryptocurrencies and hoping to appeal to a broader (or maybe just older) audience: The venerable electronics retailer RadioShack, which relaunched in 2020 as an online-focused brand, now says it plans to chart a future as a cryptocurrency exchange.

“RadioShack’s argument is basically that as a very old brand, it’s primed to sell old CEOs on cryptocurrency,” writes Adi Robertson for The Verge.

“Too many [cryptocurrency companies] focused on speculation and not enough on making the ‘old-school’ customer feel comfortable,” the company’s website states, claiming that the average “decision-making” corporate CEO is 68 years old. “The older generation simply doesn’t trust the new-fangled ideas of the Bitcoin youth.”


108 thoughts on “Norton 360 Now Comes With a Cryptominer

  1. wiphala

    So, the norton antivirus spread malware of theirs packets, like others bad reputation companay antivirus software?

    Reply
  2. Jean Camp

    If you consider Norton as moving the production frontier, can they take over ETH mining? There is a strong theoretical argument that this is quite possible.

    If there are millions of members of what is effectively a botnet at what point will that change the production frontier so that people who pay for their own electricity can’t mine?

    An economic model shows that such an equilibrium is possible, that Norton could completely dominate the market. https://ljean.com/files/Monero_Smuggling.pdf

    Reply
    1. Nerdelbaum Frink

      I’d wager a very good majority of Norton users don’t have meaningful GPUs to mine on, so I don’t think the potential compute is there.

      Reply
      1. Tyler

        Actually, I’d bet it’s the opposite. Norton probably collects basic system info as telemetry. They probably looked it over and went “X% of our customer base has capable hardware for mining”. Next thing they’re pushing a miner. Wouldn’t make sense for them to risk all of this for something that wouldn’t net a profit.

        Reply
        1. Jean Camp

          They will certainly make money. The question is how much will their flow-cost use of millions of machines running part-time change the market?

          If they prove to be more effective than a traditional botnet, we can at least know that deterrence cost were >15%

          I find this quite nearly surreal.

          Reply
        2. Kevin Walsh

          Collecting configuration info from customers’ computers is not a good look for a supposed cybersecurity company, but if Norton is underhanded enough to exploit their customer base as a cryptomining resource, I guess nothing is off the table.

          Reply
          1. JamminJ

            Collecting installed software and hardware inventory is the FIRST thing a good cybersecurity company must do. AV/EDR/AM solutions must know the inventory of what is being protected.
            Vulnerabilities usually apply to specific versions of software/drivers/firmware… so yeah, duh, Norton must know the exact specifications.

            Reply
  3. Bob A

    I”m astounded that Symantec/Norton is now bit mining. So astounded, that I went to cancel auto-renew and had to endure their fake chat bot that pretended to be a person and had to ask about 4-5 times to cancel. Yes, repetitive confirmations were needed. The company has gone a long way downhill from the days of Peter Norton. Yeah, I knew it was more expensive to auto-renew, but I was lazy since I will have to re-configure the other computers in the office. The only question now is whether I really need an anti-virus external program at all. Many thanks to Krebs for the article!

    Reply
    1. Angry Jim

      Windows includes one that you cannot disable. I do not run any antivirus whatsoever. I am also a power user and C programmer. Check on VirusTotal things you download from places (unless they contain your license keys or something secret hopefully obviously). Most virus scanners false positive all the fuckin’ time.

      Coming soon to a theater near you: Windows 11, where you can’t install any antivirus except Microsoft’s, can’t install Chrome over Edge (even though they’re both Chromium based), and it’s dying to get sued by Apple (again) for stealing UI design (again).

      Come join me on Fedora Linux, where they just broke fucking audio. Fuck you pipewire, pulse worked fine. I hate this world so goddamn much sometimes…

      Reply
        1. Matt Harmon

          is Symantec not aware of the difficulty time bomb and PoS changes coming to Eth? What a waste.

          Reply
        2. Aaron

          I’m running Windows 11 Pro, have Non-Microsoft Endpoint protection running, also have Chrome running, along with Firefox.

          Reply
      1. Tad Sherrill

        Oh for a perfect world with no challenges… oh wait… that would be boring.

        Reply
      2. Craig

        You need to check your facts. I am running Win 11, reading and replying in Firefox 95.0.2 right now, use Malwarebytes Premium alongside Defender and use Chrome for the Google tools like gmail and youtube. You are very confused; vulgarity does not help, either.

        Reply
        1. G-Man

          Don’t mind him, some people are just here to say just anything for their 15 seconds of fame.

          Reply
      3. B

        Switch to a distribution that allows you to choose your audio backend. Arch gives you the choice in its installer (it has an installer now)

        That said pipewire has been strictly better in my experience.

        Reply
      4. catmaster

        Blame Lennart Poettering and anyone to has to do Red Hat, avoid Red Hat, they are the biggest malware of the Linux world.

        Come Devuan or antix.

        Reply
    2. John Stevinson

      Peter Norton hasn’t had anything to do with it since 1990.

      Reply
    3. Stephen H

      Perhaps you could refrain from calling Norton LL “Symantec”. Symantec hasn’t part of NLOK since 2019 and safe to say that many of those who once were are relieved to have dodged this bullet!

      Thanks for the update, Mr Krebs!

      Reply
  4. CyberCPA

    Opting-in Norton customers could be in the taxable activity of crypto-mining, which could get complicated.

    Reply
    1. BlockchainBully

      lol good luck taxing the DeFi world thats kind of the point of it… i would love to be a fly on the wall at the IRS headquarters as they scratch their heads trying to figure who owns what and how many wallets and whats all in my Ledger cold wallet that i have in my safe bahaha screw them and the IMF central banking and zog banking cartels that now will colapse due to DECENTRALIZED FINACE!!! lemme get that crypto mint nfts stake in liquidity pools yeild farm while i rake in alt and micro coin gains that 1000x daily…mwahahah

      Reply
      1. catmaster

        Yeah, descentralization is the answer, but crypto is not, is not enviromentally friendly and a less regulated scam.

        Reply
      2. Sergi Tolstoy

        ” to figure who owns what and how many wallets and whats all in my Ledger cold wallet that i have in my safe ”

        We live in a twilight world: given the tools available, I CAN find 1: who owns what and 2: how many wallets and 3:whats in your ledger cold wallet.

        ANYTHING connected to the matrix system is possible, time is ALL WE NEED, also a conection, jacked in! (AI is wonderful thing/tool in the .edu workspace)

        Reply
  5. Phil

    I haven’t used any form of anti-virus or anti-malware for at least 3 years now. I’m running Win10 with a few changes here & there. I use common sense in my web browsing, killing bad features like adobe flash & all manner of opt-out helpfulness coded into the OS via MS, a decent VPN, a sandbox and TOR. Not all of those at the same time. Been a long time since I last had any weird issues on my computer. Personally, the first thing I ever do is give Norton the boot, should I happen to see their software anywhere near me!

    Reply
  6. Joel Moss

    This sounds just as greasy as the original Lifelock ads where the main big honcho, aka bonehead, challenged the world to hack him. The end result of that move should help people make the right decision on this one. It’s asinine, and the current bonehead board can’t see it. Oh yes, I want YOU to protect my computers.

    Reply
  7. olumide onafowope

    How on earth an antivirus company will suddenly turn into a mining software amazes me. I have been using norton antivirus since 1994. It might goes to show that antivirus software production is no longer a viable business venture so why not mining crypto with it. My opinion though!

    Reply
  8. perq

    Paid antivirus is a scam to begin with, for people who have no clue about such things.
    For instance, Microsoft already provides free antivirus on Windows computers which is more than sufficient for consumers. The A-V companies are really robing ignorant people by scaring that they need it. That these companies now are becoming bots with schemes like crypto minig should not be surprising to further maximize their profits. Furthermore, should anyone trust LifeLock to “protect” their personal data by turning it all over to them? Really…

    Reply
    1. Tyler

      Assuming we’re talking about residential, I’m still on the fence. If they didn’t come with so much bloat, I’d always recommend it. However, I recently ran across a device that had a lot of garbage. Defender didn’t catch anything, but MBAM did.

      Reply
    2. Joonez

      “For instance, Microsoft already provides free antivirus on Windows computers which is more than sufficient for consumers.”

      That’s right. And it also has been proved in several tests.

      Reply
  9. Jan Doggen

    “Norton 360, one of the most popular antivirus products on the market today, …” Not much longer

    Reply
  10. Basil Brush

    “When’s an antivirus not an antivirus?”

    “When it’s a Trojan!”

    Boom-boom!!

    Reply
  11. Bruce

    Pretty much supports the old theory from the 1990s that the biggest virus writers were the Anti Virus software companies themselves.

    Reply
  12. Holden Gatsby

    Who would have thought that a product combining anti-virus protection and crypto mining would be a natural fit? This news reminds me of the Saturday Night Live TV commercial parody – “It’s a floor wax and a dessert topping!”

    Reply
  13. Wayne Kurtz

    I think it’s a great idea to merge cryptocurrency mining with other more consumer friendly software applications. It just makes sense. Its slightly incongruous to merge crypto-mining with computer security software, but the main idea is the same. Some circumstances come to mind. First it is a way to get your software application to “pay for itself”. In theory, you could use any money (crypto or conventional) that you make to offset the cost of the software package/platform. The more successful you become at mining, the closer to zero the net cost of the extended package will become. It could even produce a positive income stream in your favor so that your software package becomes a profit (instead of cost) center for you. Secondly it is an avenue to make crypto currency mining more democratized and within reach of less and less sophisticated users, which after all has been the trajectory of personal computing for the past 50 years anyway. And, thirdly it is a strategy for third party software companies to stay in the game and not be relegated to the backwaters of the computing world by making themselves more relevant to modern computing trends.

    Reply
    1. Michael K

      Security software needs to be as minimal as possible to reduce its attack surface. Integrating something as complex as this may (likely will?) introduce a greater surface for malware attacks. When your A/V software becomes infected, it becomes a big issue.

      Reply
      1. JamminJ

        Very true.
        The kernel level hooks into the OS, needs to be really minimalized in its function. Bloat is bad for performance, but the attack surface is a nightmare.

        Reply
    2. BlockchainBully

      lol at least someone gets it…but seriously shhhh we dont want everyone to be in on this for like another 2yrs while we become BTCbillionaires 😉

      Reply
  14. Bert Barferson

    Incredibly SLEAZY. Oh, but you can opt-out! Great. Maybe next we can crunch nuclear fission calcs for N Korea. “Just opt out” if you don’t want to contribute….

    Reply
  15. Tyler

    I have absolutely no love for Norton, but I don’t understand the outrage. It feels a bit like a bunch of larping sysadmins on a hate bandwagon.

    * Crypto-miners are OK, unless installed without your knowledge and you don’t profit. Norton did make a blog post mid 2021 about this.
    * This is an opt-in service, unlike Amazon Sidewalk for example. So far, I’ve read that the service is doing something malicious (like it being opt-out) but I’ve seen no evidence. Having to delete the EXE to be a true “opt-out” is plain silly. They could just as easily bury a crypto miner in a file that doesn’t say “crypto” on it. I can see if it was disabled or went from enabled to disabled but was still running.
    * AV is one of the most commonly deployed applications. Makes sense as a business decision to try this out. It’s very likely they send back your system info as telemetry, so they knew before they rolled this out how much they’d make.

    Again, I don’t have Norton so I assume they didn’t trigger a pop-up on the update that installed a crypto-miner. I’m sure they could’ve done better on transparency (but as I said I don’t know what they need to be transparent about). If Norton is that untrustworthy, why does anyone still have it?

    Reply
  16. Antoine BAJOLET

    Happy New year Brian !
    It was so enormous that i thought it was the 1st of april (antic new year by the way 😉 )

    You make my day !

    Reply
  17. What about Climate Change? Patty

    I’m disgusted!! So now Norton, as an security/AV company, has made themselves an even bigger target. I think it is an extremely arrogant move, and I completely agree with the sentiment of how they have abused the rights I gave them to my home computers to be a rootkit/Trojan.

    What about the effects this will have in the face of Climate Change?? https://news.climate.columbia.edu/2021/09/20/bitcoins-impacts-on-climate-and-the-environment/

    It is downright irresponsible for any software company to do this, and in my eyes it should be illegal. Opt-in or not, I can’t have this software on my PC any longer. I will be cancelling my subscription, and recommending to everyone I know to do the same.

    Brian Krebs – thank you once again for your valuable insights.

    Reply
  18. Brian

    What happens in Sweden? They’re trying to outlaw ALL cryptomining. “Hey! Buy our software and unwittingly become a lawbreaker.” Great sales pitch, Norton.

    Reply
    1. JamminJ

      I don’t think it’s possible to “outlaw all cryptomining”. They could, try to block and take down servers, but decentralized make this impossible.

      “They’re trying… ” doesn’t mean anything, and sounds like it’ll never happen.
      Norton won’t worry about Sweden until after they actually enact a law. And nobody should worry about political bluster.

      Reply
  19. Chris

    I’m just astonished and a little shocked. I’m not a big fan of Norton branded products anyway but this is a new low.

    It seems to me…. The #1 job of a security product is to earn the trust of the consumer…. You’re literally in the trust and security industry so earning your customer’s trust with integrity and transparency are king.

    I can’t understand how this would fit into that at all. Who would *knowingly* want this?

    Reply
  20. PattiM

    Retired USAF/SMC physicist here – Oooo – that’s a terrible idea!! Cryptomining is ALREADY sucking up a tremendous amount of energy (mostly coal and natural gas, hence CO2 emissions). And that’s with super-efficient machines. Regular computers are much less efficient. But I guess business is about selling product, to hell with the atmosphere. Sheesh.
    https://doi.org/10.1002/essoar.10509139.5

    Reply
  21. BlockchainBully

    haters gonna hate while smart crypto enthusiests make millions that the government cant get their greedy hands on lol ahh the beauty of DeFi…

    Reply
  22. vb

    This a certainly a cautionary tale for naming a company after yourself if that company later drags your name through the mud. I’d be pretty unhappy if I was Peter Norton.

    Reply
  23. Liz

    Thank you for the heads up Brian. That Norton did this wasn’t even a blip on my radar!
    I’ve used Norton for well over a decade but it’s time to part company with them. I was disturbed by their practice of processing my annual subscription and charging my credit card a full 45 days before license expiration. But installing a program that has nothing whatsoever to do with the product they sold without even a “by your leave” is inexcusable. I’m filing a consumer complaint with the Federal Trade Commission. I doubt that’ll go anywhere but I can’t sit idly by and do nothing. I hope others do too.
    If this is an example of Norton’s best business practices, maybe users should be concerned about trusting the password manager, VPN and cloud backup that comes with Norton 360. And anyone who uses LifeLock might begin questioning if that’s their best option for credit monitoring.

    Reply
  24. MattyJ

    Checks calendar. Not April 1. WTF.

    Can I automatically redirect my earnings to carbon offsets?

    Reply
    1. Jamison

      Just send it to Al Gore, or HRC. They’ll make sure the stooge money gets utilized properly for their private jets.

      Reply
  25. James Davidson

    Not a surprise from a company that was already selling a scummy and unnecessary product (lifelock).

    Reply
  26. TheShamefulHunter

    The best solution I’ve tried – and I can say it worked for me – is to unpack the Norton 360 installation kit and then to repack everything in a new kit, without the miner.
    Install Norton 360 from the newly created kit and the miner won’t be installed.

    Reply
  27. Matthew

    Thanks Brian for bringing this to our/my attention. I can’t believe that Norton has done this. It’s absurd that a security oriented company would bundle a crypto miner with a security product. Sure, it may claim that it’s a more secure/trustworthy/whatever way to mine crypto currencies. Norton is keen to point out that it’s off by default and that we must opt-in. But, those are both beside the point. The point is that they should not bundle a non-security product, especially a crypto-miner, with a security product. If they want to offer it separately then great! However, to sneak it in is unconscionable. While they mentioned it last Summer, and I recall seeing something about it then, I was never given an opportunity to allow or deny its installation, it simply appeared on my computer one day (presumable recently during a patch/update). After seeing your post yesterday (1/8) I checked. Sure enough there it was, NCrypt.exe was on my C-drive in the Norton folder. Damn if that didn’t piss me off and shake my trust in that company. I quickly deleted it and will have to be on-guard for future updates when it will surely reappear.

    Reply
  28. Kevin Walsh

    Collecting configuration info from customers’ computers is not a good look for a supposed cybersecurity company, but if Norton is underhanded enough to exploit their customer base as a cryptomining resource, I guess nothing is off the table.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *