by unnouinceput 1578 days ago
Title is somewhat misleading. This is not about uncovering Monero users in the wild and exposing those who are criminals, as I first believed when reading the title. This is about detecting an unwanted Monero miner on your system. But if you're already so pwned that an unwanted process is already running on your system, a Monero miner is the least of your worries.
2 comments

That's not necessarily true. You could be a cloud provider offering compute resources within a container, for example.
It's a bit buried, but the article says:

"We want to detect traces of RandomX (the CPU-intensive mining function for Monero) running on a cluster."

This isn't for "Has someone rooted my laptop and started mining Monero on it", this is for "Have any of the nodes in my cluster (of potentially thousands of machines) been rooted and had Monero miners dropped on them." Your comment about being pwned totally applies to your container orchestration or hypervisor though...