Over the weekend, a little piece of malware was hard at work mining cryptocurrency on government computers. Security researcher Scott Helme first noticed the malware, which he believes was running on more than 4,000 sites, including the U.K.’s Information Commissioner’s Office (ico.org.uk) and the website for the American court system (uscourts.gov).

The malware leveraged the victims’ devices to generate the cryptocurrency Monero by performing complex, CPU-intensive calculations, a mathematical process known as “mining” that’s used to create some cryptocurrencies.

To get the crypto-mining software onto unsuspecting computers, the hack targeted an accessibility plugin called Browsealoud, which makes the web easier to use for people with dyslexia or low English comprehension. After compromising Browsealoud, the hackers altered the plugin’s code, injecting malicious JavaScript that secretly ran the mining software known as Coinhive on victims’ machines.

On Sunday, the U.K.’s National Cyber Security Centre issued a statement that it was “examining data involving incidents of malware being used to illegally mine cryptocurrency.”

In a report last month, cybersecurity firm CrowdStrike highlighted the rise of cryptocurrency mining, a relatively new flavor of attack.

“In recent months, CrowdStrike has noticed an uptick in cyberattacks focused on cryptocurrency-mining malware that takes advantage of available CPU cycles, without authorization, to make money,” the firm wrote, noting that it “expects to see much more” of this activity moving through 2018.

Still, as Helme points out, things could have been a lot worse. A similar hack could have compromised government credentials or stolen identities instead of mining Monero.
