On December 18, hackers attacked up to 190,000 WordPress websites per hour to get them to produce monero, according to security company Wordfence.
For ransomware attacks, monero is now "one of the favourites, if not the favourite", said Matt Suiche, the founder of Dubai-based security firm Comae Technologies.
Monero quadrupled in value to US$349 in the final two months of 2017, according to coinmarketcap.com, placing it among a number of upstart coins that rose faster than bitcoin, the world's most valuable digital currency.
Bitcoin roughly doubled in the same period, according to data compiled by Bloomberg.
In monero's case, criminals are snapping it up because blockchain, the underlying technology in bitcoin, can work against them.
As a digital ledger technology, blockchain meticulously records which addresses send and receive transactions, including the exact time and amount – great data to use as evidence.
Match an address to a crime and then watch the bitcoin universe carefully, and you can see the funds disappear and reappear in other locations.
Sleuths have developed databases and techniques for digesting such information to eventually capture wrongdoers.
Started in 2014, monero is very different. It encrypts the recipient's address on its blockchain and generates fake addresses to obscure the real sender. It also obscures the amount of the transaction.
The techniques are so potent that software used to flag coins suspected of being obtained through crime now tags just about anything converted into or out of monero as high risk, according to Pawel Kuskowski, the chief executive at Coinfirm, which helps exchanges and other companies avoid tainted money.
Kuskowski said that compares with only about 10 per cent of bitcoin.
"What we treat 'high risk' is something that's anonymising funds. How are you going to prove that these funds are not coming from illegal sources?" he said.
Monero is one of many privacy-focused coins, each offering different security features.
Its main competitor, Zcash – which is not known to have a significant criminal following – can offer even better privacy protection.
Instead of creating fake addresses to hide senders, Zcash encrypts their true address. That makes it impossible to identify senders by looking for correlations in addresses used in multiple transactions to pinpoint the real one – a vulnerability for monero.
Still, Princeton University researchers recently developed a tool that helps them analyse Zcash transactions at least to some extent – but they have not been able to crack monero.
Zcash high-security features, however, cannot be used on disposable "burner" mobile phones, which is a favourite gadget used by criminals to stay anonymous.
Developers behind monero said they simply created a coin that protects privacy. Most people use it legitimately – they just do not want others to know whether they are buying a coffee or a car, said Riccardo Spagni, a core developer at monero.
"As a community, we certainly don't advocate for monero's use by criminals," Spagni said.
"At the same time if you have a decentralised currency, it's not like you can prevent someone from using it. I imagine that monero provides massive advantages for criminals over bitcoin, so they would use monero."
Yet criminals are probably only a fraction of monero's users, according to Lucas Nuzzi, a senior analyst at Digital Asset Research, which provides research to institutional investors.
"As with any disruptive technology, many of the initial use cases revolve around illicit activities," Nuzzi said.
But as everyday people grow concerned about privacy and surveillance, "there is utility in these currencies that go beyond just a means of exchange for illicit goods", he said.