It’s been long believed that Monero is the cryptocurrency of choice among cybercriminals who want to make a quick buck by exploiting other people’s computers to use their CPUs to mine for them. One researcher from Palo Alto Networks looked into Monero and found that an alarming amount of it was mined by malware.

“One interesting note [...] is that the total Monero represented roughly 5% of all Monero in circulation at the time of writing,” wrote researcher Josh Grunzweig.

He collected over 400,000 individual samples of malware and compiled a list of all the wallets to which they pointed their mining efforts, then looked through mining pools to work out their total balance.

What this misses—and Grunzweig admits this—is the fact that the wallets could have even higher balances because we’re not looking at the Monero blockchain itself. This is because there is no way for an outsider to determine a wallet address’ balance by simply looking through a blockchain explorer.

Even more alarming is the fact that the five-percent figure is likely a fraction of the real amount of Monero mined by hackers.

“This of course doesn’t take into account web-based Monero miners [like Coinhive], or Monero miners that we do not have visibility into. As such, we can assume that the actual percentage of Monero in circulation that was mined via malicious activity is actually higher,” Grunzweig added.

North Korea also famously joined this game, as the country’s hackers managed to hijack servers in Seoul to get 70 XMR, thus circumventing sanctions.

By far, the richest wallet we know of (496ePyKvPBRWEoQiqFEaL8frWuR9XuxNj98p69ZQRxmdZZHd5KVSS24bkYY93ASAxKPXn9XmnmeCxHz9NUdvvs8eE5BP24A) got historical payouts of 88,448.53 XMR.

Assuming that this particular hacker’s wallet never sold any of its coins, it now has $11,102,942.71 worth of Monero in its coffers.