October 26, 2017 10:58 AM UTC

Web Browser Mining Spawns New Scam Instead of Killing Ads

The author, David Balaban, is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. 

Coinhive the first browser-based cryptocurrency mining project is becoming a source of income for the Internet malefactors. Its evolution promptly shifts from monetizing website traffic to a workflow of which the army of crypto-crooks benefit.

Coinhive constitutes a Java solution that anyone can upload and integrate into a website. A page hosting such JavaScript library would launch a hidden process that exploits the resources of the user’s device to mine Monero coins. Everything happens through the web-browser.

The design is unique and smart. Well done! Coinhive developers claim it is the best replacement for boring ads. All it needs is an access to the CPU of the device. Websites raise funds while their visitors are enjoying ads-free browsing.

Shortly after the release of the app, the Pirate Bay hosted it for a while. As the visitors’ feedback was unwelcome the Pirate Bay got rid of the novelty.

However, this was the recognition that subsequently lured a couple of other websites, namely and, to try Coinhive. Rumors have it that the attackers hacked those websites and dropped the Monero mining JavaScript without any approvals.

Alternate explanation suggests the approval was in place, but only for the trial mode. This theory sounds more likely. SetThrottle estimates the Coinhive was running only 3% of the time. In the case of a hack, this ratio would definitely be higher. The alleged intruder would realize the risk of being detected, hence try to get as much as possible as soon as possible.

Latest estimate reveals that top-100 websites like the Pirate Bay may earn 27.5 XMR per month, which is roughly $12,000. Since the Pirate Bay is among top-100 most visited websites, while the Showtime is only at the end of the top 10,000, the latter would earn much less than the former.

Good intentions pave the way to hell. The design of Coinhive is no crime, but the miner follows the sad path of a number of other useful solutions harnessed by crooks. In less than a week after the developers introduced their Monero-making product, the cyber-criminals integrated it widely and deeply into their scams.

The first attack hit a popular add-on for Google browser, SafeBrowse. A compromised extension had Coinhive JavaScript integrated so that any time the Chrome was running, unauthorized mining took place.

Besides, the miners also practice URL hijacking. For instance, the hackers registered a typo-squatted Twitter website, (not active anymore). Should you enter the Twitter that way, your browser is to launch the Monero-mining page instead of the true Twitter. Needless to say, you are not going to keep the page open, but even a short visit contributes to the miners’ business. Finally, a number of such misleading websites may generate decent revenue for their holder.

Further observations revealed numerous webpages with their scripts hacked and Coinhive Java running without their webmaster authorization. This was the way a number of Magento and WordPress websites got the Monero-mining JavaScript into their source code.

Larger ad-scam would not stay aside, for sure. At least one notorious cyber gang was found to exploit Coinhive for unauthorized mining. Toxic ads steered web-traffic to the pages pretending to provide tech support. Apart from the fake security alerts, the crooks integrated the mining JavaScript into those pages without, of course, any notification.

Experts predict the integration of Monero into adware is but a matter of time. Most likely, the crooks are to integrate it into browser hijackers. There is hardly any obstacle that would prevent the adware developers from modifying the original payload of their infections to include the background mining with the Coinhive script.

The Coinhive release is available to anyone willing to mine. Its developers claim they assume no liability whatsoever for the way the app is to be used. The hackers do not care either misusing the miner in every possible way.

Already now, the public has labeled Coinhive mining a crypto-jacking due to its hijacking browsers for the unauthorized mining purposes.

IT security is preparing to withstand wide-scale crypto-jacking campaigns. Major anti-adware vendors blacklisted the Coinhive almost immediately upon its release.

Other web developers came up with a pair of dedicated solutions. AntiMiner and minerBlock examine Chrome process and detect and kill any mining activities.

Big news like WannaCry and other ransomware cases, CCleaner and Equifax hacks have already marked this year for IT security, but mining for Monero and other coins is very likely to top the ongoing hacking. Adware is readily available to support the mining scam.

Malware research labs report observing over 1.5 million devices hit by mining apps. The report covers only first half of this year and only 100% confirmed cases. The cryptocurrency miners are also increasingly landing on corporate networks.

The Coinhive developers are proud to admit their tool is way more popular than they could ever dream but their dreams come true in an awkward, if not ugly, way. Hackers heavily misuse the solution and combine it with malware.

Last modified: May 21, 2020 9:10 AM UTC