Covert Cryptocurrency Miners Quickly Become A Major Problem

from the lessons-unlearned dept

As websites increasingly struggle to keep the lights on in the age of ad blockers, a growing number of sites have increasingly turned to bitcoin miners like Coinhive. Such miners covertly use visitor CPU cycles to mind cryptocurrency while a user is visiting a website, and actively market themselves as a creative alternative to the traditional advertising model. And while this is certainly a creative revenue generator, these miners are increasingly being foisted upon consumers without informing them or providing an opt out. Given the miners consume user CPU cycles and a modest amount of power — that’s a problem.

The Pirate Bay was forced to disable its bitcoin miner back in September, after users complained it was eating up to 90% of their available CPU cycles. Showtime was similarly caught using a bitcoin miner on two of its domains, and has yet to provide any detail on why it launched the miners or refused to inform visitors they were running. More recently, Trend Micro unveiled that at least two Android apps — downloaded up to 50,000 times from the Google Play store — were covertly putting crypto miners inside a hidden browser window:

Recently, we found that apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER


This JavaScript code runs within the app?s webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

The explosion in bitcoin miners is both above and below board. There’s indication that the bitcoin miners running on Showtime’s domains were the result of a website hack. More recently, researchers from security firm Sucuri discovered that at least 500 websites running WordPress had been hacked, and that other publishing platforms including Magento, Joomla, and Drupal were also being consistently abused. Reddit users this week documented how Choice Hotels (owner of Comfort Inn) websites have also been compromised with cryptocurrency miners the company itself seems oblivious to.

Political fact-checking website PolitiFact also recently acknowledged it was hacked by intruders who installed bitcoin miners that quickly gobbled up visitors’ CPU cycles without permission:

Not too surprisingly, security firms like Malwarebytes have started blocking the miners:

The reason we block Coinhive is because there are site owners who do not ask for their users’ permission to start running CPU-gorging applications on their systems. A regular Bitcoin miner could be incredibly simple or a powerhouse, depending on how much computing the user running the miner wants to use. The JavaScript version of a miner allows customization of how much mining to do, per user system, but leaves that up to the site owner, who may want to slow down your computer experience to a crawl.

And while these tools help some with malicious installs and hacks, plenty of websites still appear to think it’s a good idea to run the miners without notifying users or providing a functioning opt out. Which means there are plenty of folks busy trying to combat the rise of ad blockers — by engaging in the exact same behavior that caused the rise of ad blockers in the first place.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Covert Cryptocurrency Miners Quickly Become A Major Problem”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Are there estimates of how much money can be made here? To simplify, we could assume the scripts will run as fast as a native CPU implementation… which I thought had been considered dead for a long time now, at least for Bitcoin, because there’s little money to be made that way (even with unmetered electricity).

Anonymous Coward says:

Re: Re: Re:2 Re:

You’d be paying with your own computer components’ lifespan, at the very least, though. If these miners take up to 90% of your processing power, you become limited in what else you can do with your machine and wears down your (likely expensive) CPU.

As well, who’s to say Netflix will turn the mining off once you’re done watching?

Anonymous Coward says:

Re: Re: Re:3 Re:

I can buy a cheap CPU just to watch shows, but if they try to keep mining while I am not watching or mining in a way that disrupts my enjoyment then deal is off.

I don’t think mining coin on peeps CPU is a problem, as long as the users KNOW and have explicitly agreed too and as long as there is a fair exchange of value.

heck, I might let my machine sit and crunch for them if I get fair compensation in return.

In short, as long as all parties know & agree, then its not a problem. What I feel is fair compensation may not be what another feels is fair compensation, but that needs to be their decision.

Anonymous Coward says:

Re: Re: Re:3 Re:

wears down your (likely expensive) CPU

CPUs are not generally considered to "wear down" with usage, as long as they’re properly cooled. There should be no real effect on lifespan. Even servers used at 100% for years, as in scientific clusters, are retired because more efficient computers come along, not because they’ve worn out.

Roger Strong (profile) says:

Re: Re: Re:

We automatically remove encrypted PDF files from incoming and outgoing email, except for a VERY small whitelist of sources. This because Adobe added JavaScript support to PDF files, making them God’s gift to ransomware criminals.

I expect someone is already looking at embedding JavaScript bitcoin miners in PDF files. Device and app manuals, pirated eBooks, electronic invoices, etc.

Or non-pirated eBooks. Add it to fanfic, put a cheap price on it and upload it to the eBook stores. A reader might have it open for hours, rather than a quick website visit.

I wonder if you could bypass the malware detection in the Apple or Android stores by uploading a perfectly clean app, with the bitcoin miner in the PDF manual.

Rekrul says:

Re: Re:

Mostly because all the major browsers finally support WebAssembly. JavaScript (and C++ and other languages) can now be sent to your browser in compiled form, making it much harder to figure out what they’re doing.

What a great idea! Let’s make it even easier for web sites to covertly run code on users’ systems! I’m sure this will never be abused…

Anonymous Coward says:


And while these tools help some with malicious installs and hacks, plenty of websites still appear to think it’s a good idea to run the miners without notifying users or providing a functioning opt out.

Uh, they’re not doing that out of malice (i.e. a desire to harm their users), they’re doing it out of greed. An infinite loop would be easier and work just as well for malice. This is nonmalicious sociopathy, par for the course on the web (and an opt-out option wouldn’t change this).

Anonymous Coward says:

Re: "Malicious"

The Latin root word mal means “bad” or “evil.” This root is the word origin of many English vocabulary words, including malformed, maltreat, and malice. You can recall that mal means “bad” through malfunction, or a “badly” working part, and that it means “evil” through malice, or intentional “evil” done to another.

It’s just bad, m’kay?

GMacGuffin (profile) says:

... probably not bitcoin

Bitcoin’s difficulty has long been too high to mine on a CPU or GPU. You essentially need specialized ASIC machines to mine bitcoin; racks of them unless you join a pool

CoinHive’s javascript miner mines monero, which is a wonderful, privacy-centric cryptocurrency — but it is not bitcoin (the original cryptocurrency).

Just a point of clarity. “Bitcoin” is not generic for cryptocurrency; bitcoin is a specific cryptocurrency.

John85851 (profile) says:

Re: Re:


In all seriousness, way too many companies are designing their websites to be unusable unless Javascript is enabled.
Want to read the article? Enable Javascript so the formatting isn’t screwed up.
Want to see the images in the article? Enable Javascript to see them.
Want to leave a comment on the article? Enable Javascript so the page will display the Facebook commenting system.

ShadowNinja (profile) says:

NEVER consent to crypo-currency mining on your computer by a website

I can’t believe how many people I’ve seen at sites like reddit saying that these miners might be a good alternate to web ads, it’s like they can’t think ahead a few steps.

For the non-computer literate, here’s why bitcoin mining in place of ads is a bad idea, even with user permission.

  • We’re not talking about just one site using it. We’re talking about the potential for many of the websites you visit to start using it in place of ads. Even people with top of the line computers will find their computers brought to it’s knees if they have enough websites open running crypto-currency miners.

  • What’s to stop people from just running crypo-currency miners? This loophole to covertly mine crypo-currency is a GREAT way for a would be hacker to potentially do other malicious things to your computer to. I GUARANTEE you we’ll hear about some nasty virus in the future disguising itself as a mining app.

  • Do some googling on why crypto-currency mining isn’t financially worth it. A big reason why is because of the added cost to your electric bill when running your computer full force on crypo-currency mining. So yes, these crypo-currency miners COST you money. They’re in effect stealing your electricity (and probably bandwidth to, which is relevant if you don’t have unlimited data with no throttling).

This is why I immediately added Crypo-currency mining to my block list in uBlock Origin the second I heard of the first story of these miner leeches.

Anonymous Coward says:

Re: NEVER consent to crypo-currency mining on your computer by a website

Well. Just HOW are you going to prevent the obvious disaster? The sites have powerful incentive to spread this, no legal limitations, billions of knuckleheads going along, and on your side is… what?

“it’s like they can’t think ahead a few steps.” — Wrong! It’s not “like”, it’s THAT, AND WON’T. —

Now, do you rail at Google using javascript to gain money? Why not? Same principle, and why I rail here at Google. But it’s like you can’t think ahead a few steps…

Anonymous Coward says:

Re: NEVER consent to crypo-currency mining on your computer by a website

I can’t believe how many people I’ve seen at sites like reddit saying that these miners might be a good alternate to web ads, it’s like they can’t think ahead a few steps.

And what ever makes them think that mining would only be "instead of" and not wind up "in addition to" ads? Idiots.

Anonymous Coward says:

Re: NEVER consent to crypo-currency mining on your computer by a website

Still, miners have an advantage over ads: they lack a whole row of middle-men that take their share of the goods (ad brokers, ad creators, etc.)

Both ads and miners have the risk that they will behave like parasites to the host — gobbling up bandwidth, power, and attention. But with miners, I can imagine a future where miners will play nice, use limited resources, and become a kind of micropayment for using the website.

Anonymous Coward says:

But you don't mind Google mining info bits to track you?

Never allow javascript, maliciously engineered from start, unless absolutely required. Get Noscript — and remove whitelist it comes with, especially Google.

However, since can’t turn off javascript in many browsers now, just admire the infernal ingenuity of your high-tech prison…

Anonymous Coward says:

Re: Re: Re:2 But you don't mind Google mining info bits to track you?

really? tor?

Apparently you’re living in 2016….

You can get entirely de-centralized websites now, where the entire HTML codebase is held on multiple machines.

Tor not required, as to prevent Dcent sites you’d basically need to block 99% of all IP addresses to be sure..

Anonymous Coward says:

Re: But you don't mind Google mining info bits to track you?

Although the ability to disable Javascript was taken out of the settings/options control panel in web browsers a few years ago, that just means you have to manually edit it (ex., “about:config” in Firefox)

But then disabling Javascript means that you can’t see any of those hidden (“flagged”) comments in Techdirt, the non-pc opinions which are often the most truthful and informative comments, as well as the most discussed and debated.

Anonymous Coward says:

Re: Re: But you don't mind Google mining info bits to track you?

But then disabling Javascript means that you can’t see any of those hidden ("flagged") comments in Techdirt

Does disabling stylesheets not work any longer? (Of course it would be better for Techdirt to fix that problem so it’s not necessary.)

The Tor Browser security slider is another way to disable Javascript. At "high" it’s blocked.

tom (profile) says:

A site I frequent had this installed somehow. They removed it as soon as folks notified them. Used the web developer tools in Firefox to view the site code. Saw the call to the coinhive domain. Between Malwarebytes and Noscript, the coinhive thing never had a chance to fire off on my PC.

Added to the always block rule on my stand alone firewall appliance as another layer of defense.

It is crap like this that totally destroy the “But we have to have auto load via javascript ads in order to survive” arguments many websites make. If you can’t secure your main page, how are you going to secure the automated sell to highest bidder auto load script ad?

Anonymous Coward says:

It is a less intrusive model than advertising

I can understand that there are some teething problems. But crypto mining is certainly less of malicious than the psychological battery being perpetrated on the public by ad-tracking.

If the client side allocates a core specifically for this, then they should be fine. The problem people are experiencing with latency is likely mostly due to shitty thread handling in browser implementations, and shitty cracking code in the early versions of this tech.

That hopefully will get solved as the tech standardizes. The problem is that sites will use both, instead of using one or the other.

It would be nice to see a webring that moves entirely over to this tech, and abandons web based advertising completely. I would totally prefer sites do this, instead of web based ads.

The only way that advertising survives AI based filtering, is if the computers themselves are only rented. And I’m sure there are some lobbyists and congressmen actively working on that persuing just such a crime against the Constitution.

So we’ll see. My guess is it will be a crime to release software in the near future, unless it has fist gone through some kind of “federal modification” process. When I was a kid I had a T-shirt that said “skateboarding is not a crime”. Now I expect I will soon have one that says “programming is not a crime”. Funny how things stay the same.

takitus (profile) says:

Re: It is a less intrusive model than advertising

This raises an interesting question—if a web service is going to waste cycles, would you rather have those cycles go toward mining currency or your browsing habits? Resource usage being equal, the former might be preferable.

That said, I’d hardly call it “nice” to be asked to “allocate a core” for currency mining to view a bit of HTML.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...