Joshua Armbrust mined $5,895 in Ethereum using his former employer’s AWS account, but escaped jail time with three-year probation.
A former Digital River employee has been ordered to pay more than $45,000 back to his previous employer after unlawfully using company computing systems to mine cryptocurrency.
Joshua Paul Armbrust, 45, was sentenced Tuesday to three years’ probation by US District Judge Jerry Blackwell, following his April guilty plea to a felony computer fraud charge.
Armbrust’s Covert Mining Scheme Exposed
According to court filings, Armbrust continued exploiting Digital River’s resources for over a year after leaving the Minnetonka-based e-commerce and payment processing firm in February 2020. He mined Ethereum using the company Amazon Web Services (AWS) credentials, which fetched him an earnings of $5,895 while incurring $45,270 in costs to Digital River.
The activity was uncovered during an internal investigation by Digital River, which shut down operations in January. Reviewers noticed unusual AWS fees and traced the activity to Armbrust’s IP address. This revealed that he had consistently run mining scripts on company servers between 6 p.m. and 7 a.m., long after his departure.
Assistant US Attorney Jordan Endicott said that it was “not a momentary lapse in judgment” but a “calculated and covert misuse of enterprise-level computing resources for private enrichment.”
“The defendant’s conduct strikes at the core of digital trust and security in the modern economy. Companies rely on former employees to act ethically, even after separation, and to respect corporate systems and data. Unauthorized access to corporate cloud infrastructure not only creates financial harm, as in this case, but also exposes sensitive systems to potential compromise and opens the door to more severe cyber threats.”
Desperate or Calculated?
Defense attorney William Mauzy described Armbrust’s conduct as driven by desperation rather than greed. Mauzy said Armbrust faced severe financial pressure while caring for his terminally ill mother, who has since passed. He added that Armbrust did not attempt to damage systems, hide his actions, and accepted responsibility for losses.
At the time of his indictment in November 2024, Armbrust was living in Orr, Minnesota. He has since moved to St. Paul, where he now works in the insurance sector. Both the prosecution and defense recommended a probation sentence under the plea deal, citing his clean record and cooperation with authorities.
You may also like:
Judge Blackwell remarked that Armbrust’s technical talents could have been applied lawfully, pointing to the wasted potential. The outcome underscores the need for companies to secure access to computing resources and prevent long-term misuse by former employees.
Cryptojacking, also called malicious cryptomining, still remains a critical threat vector. It’s a cyber threat where hackers secretly use a computer or mobile device to mine cryptocurrency. Before its shutdown in March 2019, Coinhive was a widely used cryptojacking tool and was estimated to be involved in more than two-thirds of all such attacks.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
