
Google Chrome Extension Caught Mining Monero via User’s CPU

Last Updated May 5, 2023 9:25 AM
Francisco Memoria

Earlier this month, CCN.com reported on The Pirate Bay’s efforts to use visitors’ CPUs to mine Monero in order to monetize the website’s traffic. The torrent index was using Coinhive, JavaScript code that allows website admins to mine the anonymity-centric cryptocurrency using visitor resources.

Ever since The Pirate Bay used the code, various bad actors have seized the opportunity and started preying on people’s CPUs to mine the cryptocurrency without asking for their consent. Recently, Node.js software engineer Alessandro Polidori caught a Google Chrome extension dubbed “Short URL (goo.gl)” using the JavaScript code.

Polidori was alerted by his network’s security tools, and decided to dig a little deeper into the extension. He found it was downloading and running a file named cryptonight.wasm from Coinhive to secretly mine the cryptocurrency.

The plugin’s developers didn’t mention the presence of the cryptocurrency miner in the URL shortener. To make sure nothing had been tampered with, Polidori installed the extension in a new Chrome instance. He found that, once again, his CPU usage was at 95 percent whenever Chrome was opened. He stated:

“To remove any doubts that my installation could be tampered, I tried to install the extension to a new Chrome instance. Unfortunately I got the same result, so we can conclude that it was intentionally designed.”

The extension had nearly 15,000 downloads when Polidori found the miner in it. He quickly informed Google, and the extension was pulled from its marketplace. Using visitor CPU power to mine Monero isn’t, by itself, malicious, but using it without user consent is. On various forums, users have stated that they would gladly donate some of their CPU power – presumably not 95 percent – to get rid of ads on websites they visit.

Website Mining Popularity Is Exploding

Last month, another Google Chrome extension called “SafeBrowse” was also pulled from the marketplace, as it was using another cryptocurrency miner. Hackers have already managed to infiltrate websites – including the popular CBS-owned Showtime websites – to include Coinhive’s code in them and reap the profits.

Responding to criticism, Coinhive – which is often used for legitimate purposes – started developing a new Monero miner, AuthedMine, which asks for user permission before mining instead of doing it secretly. The organization’s mining code got so popular that a competitor, Crypto-Loot, emerged and actively advertises that users won’t notice it’s running, and that it can be used without user consent. It adds that “we aren’t going to tell you how to run your business.”

Last month, Kaspersky Labs revealed that 1.65 million computers had been infected with mining malware and placed in massive botnets this year. Security software vendors have already caught up with the practice, and Malwarebytes, ad blockers, and anti-virus software have already started blocking Monero mining code.
