It's very sad that freedesktop.org have had to restrict access due to such hostile attacks, but I think their GitLab administrators deserve commendation for their excellently clear communication in the matter.

This is already pretty common across a lot of open source projects due to parasitic hijacking of compute time and space, in Kubernetes non-members can't run CI without having an ok-to-test label on their PR

Perhaps I'm underestimating it here, or they are mining a currency I'm not aware of, but how does this actually end up being worth the effort involved for the people running cryptominers in the build actions? My understanding is that they'd be making cents or fractions of cents from this..

They don't need to be profitable since someone else is paying for power, maintenance and hardware.

That makes it pure profit (for the scammers)

Along with that, the cost to "develop" the miner is pretty much a fixed one time cost and they just have to hit a few deploy buttons to do it. The software to do the mining, and send the tokens off to where they need to be already exists and can be sent to tons of different places to do the mining (CI infra, hacked AWS accounts/EC2 servers, etc.). There's very little overhead for them to actually get the things running.

uf they ran into a ton of bugs