Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

from the who-knew? dept

So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months: gamers unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, and hackers compromising websites to inject cryptocurrency miners that burn visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

At the heart of a lot of this drama is cryptocurrency mining software company Coinhive, whose in-browser JavaScript miner is popping up in both malware-based and above-board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitors' CPU cycles to mine Monero. The company's website insists that its product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars' worth of Monero (depending on what Monero is worth on any given day).

The folks behind the company told Motherboard this week they were blindsided by the way their software has quickly been adopted by both non-transparent websites, and malware authors looking to make some additional money:

"We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive."

You developed a technology capable of covertly hijacking a user's CPU cycles to make additional money, sold it to an industry with longstanding problems with both transparency and self-defeating practices, during an era where everything but the kitchen sink is hackable, and you're honestly surprised it's being abused? While it's obvious the malware itself isn't Coinhive's fault, this seems like either a notable lack of foresight or a dash of disingenuous denial.

One team member attempted to downplay the scope of the problem, hoping nobody would notice the new reports this week indicating that over 4,000 UK and U.S. websites have been compromised by malware that embeds the Coinhive software:

"'Cryptojacking' will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or browser vendors somehow block CPU heavy websites," the Coinhive team member said. They caveated that reports of malicious Coinhive use "have slowed down tremendously, as 'hackers' realize there's not much to gain with our service."

Yes, not much to gain outside of, well, making money off of countless IT and server admins in hundreds of countries around the world who don't yet realize this is even a threat. It's worth noting that some in the security community have accused Coinhive of being complicit because it takes a 30% cut of all of the cryptocurrency mining that occurs with its product, regardless of whether it's via malware implementations.

As such there's little motivation on their end to thwart the trend of poorly implemented or downright hostile applications of the outfit's product, and it's not quite the kind of company journalism funding revolutions should probably be built upon. One anonymous Coinhive developer half-jokingly told Motherboard the company was doing websites a service by forcing them to be more aware of sloppy code or outdated server configurations:

"Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations."

Again, poor, non-transparent implementation of Coinhive's product by legitimate websites isn't necessarily Coinhive's fault. Nor is malware authors embedding Coinhive into their own, more malicious work. But Coinhive's lack of foresight and casual response to some fairly major issues--as well as the fact it's taking a cut of malware implementations--would seemingly open the door to other, similar companies which may be eager to elbow in on Coinhive's success with a bit more foresight and a dash more professionalism.
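The admins the article mentions can at least check their own pages for the symptom. What follows is an added example for this article, not code from Coinhive or from Techdirt: it parses a page's served HTML and reports external scripts loaded from a known mining host, inline scripts that instantiate the miner, and, more generally, any third-party script host the site owner did not expect, since the compromised-site cases arrive as exactly that kind of quiet addition. The host list, the inline patterns (the `coinhive.min.js` loader and the `CoinHive.Anonymous` / `CoinHive.User` constructors), and the sample pages are assumptions constructed for the example.

```python
"""Scan a page's served HTML for signs of an injected in-browser miner.

Added example for the article above; not code from Coinhive or Techdirt.
The host list and inline patterns are assumptions drawn from the publicly
documented Coinhive loader of the time; extend them as needed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that served browser-mining scripts (assumption: only the one the
# article discusses is listed; add others as you learn of them).
MINER_HOSTS = {"coinhive.com"}

# Inline signs of a miner being loaded or started (assumed patterns).
MINER_PATTERNS = [
    re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.IGNORECASE),
    re.compile(r"coinhive\.min\.js", re.IGNORECASE),
]


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # html.parser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _matches(host, hosts):
    """True if host equals or is a subdomain of any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_html(html, allowed_hosts):
    """Return a list of (kind, detail) findings for one page.

    allowed_hosts: hosts the site owner expects scripts to load from.
    Relative URLs are same-origin and skipped; any other host is reported
    as unexpected even when it is not a known miner host.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative URL: same origin as the page
        if _matches(host, MINER_HOSTS):
            findings.append(("miner_host", src))
        elif not _matches(host, allowed_hosts):
            findings.append(("unexpected_host", src))
    for body in parser.inline:
        for pat in MINER_PATTERNS:
            m = pat.search(body)
            if m:
                line = body[m.start():].splitlines()[0].strip()
                findings.append(("miner_inline", line[:80]))
                break  # one finding per inline script is enough
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.appReady = true;</script>
</head><body>Hello</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, {"example.com"}))
```

Run it against HTML fetched from your own site the way a visitor sees it (after any CDN or plugin layer), not against the files on disk, because the injected-miner cases the article describes are visible only in what is actually served.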


Reader Comments



  • An Onymous Coward, 15 Feb 2018 @ 11:18am

    I have to ask, Karl, how this differs from people posting offensive, libelous, or otherwise inappropriate content on YouTube given Google's complicity in that they also benefit from the additional content. It seems a double standard to expect Coinhive to police all the uses of its product but not expect Google to police theirs.


    • Roger Strong, 15 Feb 2018 @ 11:50am

      Re:

      If Google benefits from offensive or libelous content, it's not on the same level as Coinhive's 30% cut.

      No-one "expect(s) Coinhive to police all the uses of its product." This is merely about acknowledging that the problem exists, and not acting so surprised about it. Google can't be 100% effective in policing YouTube, but it does make a reasonable effort.


      • Anonymous Coward, 15 Feb 2018 @ 12:13pm

        Re: Re:

        In addition: YouTube wasn't explicitly designed from the first day to be a channel for libel. It was designed to be a place to post and watch videos. Some of those are libelous, some are abusive, some are (pick your term), but the overwhelming majority are none of these things.

        On the other hand, Coinhive was DESIGNED to facilitate abuse. That's its purpose. It's baked in. The disingenuous denials from the lying filth at Coinhive notwithstanding, it's obvious on inspection that they not only planned for this, they went out of their way to facilitate it. This is rather similar to many of the major spam operations which continue to insist that they had no idea their massive spamming engines would be used...to spam. That it's just an unforeseen accident. That they never intended it. That it's just a few bad actors.

        All of this is of course complete bullshit. Coinhive knew exactly what they were doing. Coinhive is behind this and should be treated the same as any other organized criminal gang. For once, let's see the CFAA thrown at some assholes who deserve it.


        • Anonymous Coward, 15 Feb 2018 @ 1:51pm

          Re: Re: Re:

          "All of this is of course complete bullshit. Coinhive knew exactly what they were doing. Coinhive is behind this and should be treated the same as any other organized criminal gang. For once, let's see the CFAA thrown at some assholes who deserve it."

          I would like to disagree with you. It is entirely possible that they are completely ignorant. You have the advantage of hindsight. It is completely obvious that it was going to be abused now. What about the first time it was released? What it will come down to is the response. It shouldn't be difficult to require your website to be registered in order to mine. Assuming that Coinhive has a pool to go along with their software. Still, hackers will figure ways around it, but that would be a good first step.


          • Roger Strong, 15 Feb 2018 @ 2:14pm

            Re: Re: Re: Re:

            It is entirely possible that they are completely ignorant.

            While possible, it's about as credible as a revenge porn site claiming "We couldn't possibly have predicted that someone would abuse our service by posting images without the subject's permission! The $2000 per image fee to remove the images is necessary to cover the cost of doing so."

            These are people not just writing the software, but setting up a business and a revenue transfer system. They'll have thought about the implications.


          • Anonymous Coward, 16 Feb 2018 @ 12:38am

            Re: Re: Re: Re:

            "It is entirely possible that they are completely ignorant. "

            No. It is not possible. I realize that doing actual research and reading is against the creed of most people who post here, but if you actually LOOK AT THEIR DESIGN, it is obvious on inspection to the trained eye that it was designed for abuse.

            And even without that, only a pathetically naive, hopelessly ignorant fool would believe for even a moment that people with the technical sophistication required to design and build Coinhive are somehow, curiously, amazingly, magically unaware of how it works.

            Your pathetically feeble attempt to make excuses for the abusive filth at Coinhive marks you as either a moron or a shill. Which is it?


            • Anonymous Coward, 16 Feb 2018 @ 6:15am

              Re: Re: Re: Re: Re:

              "I realize that doing actual research and reading is against the creed of most people who post here"

              Do you have any data in support of your claim or is this just another of many childish rants?


              • PaulT, 16 Feb 2018 @ 6:45am

                Re: Re: Re: Re: Re: Re:

                The fun part of what he's saying is that it's totally subjective. That is, a person can look at the details he looked at and come to a totally different, but equally valid, conclusion. I also somehow doubt that he actually has the "trained eye" he claims is required either.

                He's too busy name calling and trying to act superior to actually get into a discussion as to why his conclusion is the correct one, of course, but he'll demand that everyone believe it without question nonetheless.


            • PRMan, 16 Feb 2018 @ 10:38am

              Re: Re: Re: Re: Re:

              I find the most brilliant developers are often the most socially naive.


      • An Onymous Coward, 15 Feb 2018 @ 3:48pm

        Re: Re:

        I still don't see how they're so different. Yes, Coinhive stands to make potentially more from abuse of its platform than does Google (though with the cost of ads that's a subject for more investigation). And maybe Coinhive's platform is much more easily abused, something the developers should and possibly did recognize.

        But scale isn't really part of the equation here. They're both platforms that can be abused and through which both providers profit from abuse and non-abuse alike. If you condemn one you condemn both.

        I'm no fan of Coinhive and how it can be abused but I'd urge caution before lighting up the torches and taking the pitchforks out for a stroll. Where is the line drawn clearly enough that some legislator out to make a name for him/herself can't abuse /that/?


        • amoshias, 15 Feb 2018 @ 4:35pm

          Re: Re: Re:

          You really, truly don't see the difference between someone creating a platform which people can use to say mean or even illegal things, and someone creating a platform where people can reach into my computer without my consent and use it to make money?


    • Christenson, 15 Feb 2018 @ 11:55am

      Re: Please read more carefully....

      The criticism is for Coinhive not recognizing the impending inherent moral hazard...which is a little different than youtube, where moderation is the general approach to the problem.

      Not that they haven't supplied a proof of concept as to how to abuse unlimited in-browser computation....

      Now, about what might be done about that moral hazard....if Coinhive is getting a cut, maybe....
      maybe they should refuse coins from untrusted sources....
      maybe they could (and I realize this is difficult) make a point of contacting those doing the mining in a web browser....

      but both of these glib solutions have rabbit holes to go down, so
      maybe somebody has a better idea.... like me actually controlling my computer and knowing what it does, and someone making that convenient while still allowing me to read techdirt....


      • Anonymous Coward, 15 Feb 2018 @ 1:03pm

        Re: Re: Please read more carefully....

        As for controlling what computation is happening on your computer, Techdirt is fine! I'm writing this comment with JavaScript disabled. Hence the only computation Techdirt is doing on my computer is to give it some data formats to parse and text to be laid out. Sure that's being done by a massively bloated program no one fully understands, but we can at least understand which aspects of it are being used.

        It's the other sites you have to worry about.


        • Roger Strong, 15 Feb 2018 @ 2:36pm

          Re: Re: Re: Please read more carefully....

          A decade ago I was often debunking "North American Union by 2007, er 2008, er 2010!!!" claims. Along with the "Amero", "NAFTA Superhighway", "FEMA death camps" and other claims that were supposed to come true by then.

          The wingnuts would often point me back to sites like WorldNetDaily for "proof." Sites that monetize the wingnuts by selling them books, bumper stickers and whatnot for all their conspiracy theories. And displaying ads for gold scams and whatnot. Wingnuts are a lucrative demographic.

          It seems reasonable to expect that such sites are now monetizing the wingnuts with Coinhive and other more modern methods.

          Which would answer the question of why certain wingnuts keep posting here despite their hatred of the site and its users. It's safer than sites that would cater to their, er, point of view.


    • PaulT, 16 Feb 2018 @ 1:29am

      Re:

      You don't see the difference between saying that a piece of software should be better designed to prevent abuse and stating that YouTube needs to police hundreds of hours of content uploaded by users every minute to see if there's anything in them that some other people might find offensive?

      I'm not sure where to start listing the massive fundamental differences, but there's a lot of them...


  • Mononymous Tim, 15 Feb 2018 @ 1:14pm

    Playing dumb trumps admitting greed

    Sadly, too many outfits these days are actually proud of both because money is involved.


    • Ishtiaq, 15 Feb 2018 @ 10:03pm

      Re: Playing dumb trumps admitting greed

      You know, this sort of thing cracks me up. How many commentators would quite happily download a pirate copy of something, but get angry when someone does pretty much the same thing to them?

      Cheers… Ishy


      • Anonymous Coward, 16 Feb 2018 @ 5:28am

        Re: Re: Playing dumb trumps admitting greed

        There you go projecting again.


      • Anonymous Coward, 16 Feb 2018 @ 6:18am

        Re: Re: Playing dumb trumps admitting greed

        You know, this sort of thing cracks me up. How many copyright holders would quite happily download an unauthorized copy of something, but get angry when someone does pretty much the same thing to them?


  • Rekrul, 15 Feb 2018 @ 4:11pm

    Maybe I'm just thick, but I've never understood the whole cryptocurrency system. Most articles claiming to explain it usually boil down to:

    1. Install the software.

    2. Mine for currency.

    3. Profit!

    Step three is the one that loses me. You have this currency that's online only and I've never understood how to turn that into actual money. Or how to take actual money and buy online currency with it. You know, for when you might want to use something like BitCoin to make a payment without having to run a mining program and hope it comes up with the required amount in a reasonable amount of time.

    Different sites and services say they accept things like BitCoin, so how do I get BitCoin? "Well, uh, you have to install a wallet, a miner, run the miner..."

    So I just get free cryptocurrency out of thin air? Cool, sign me up.


    • Anonymous Coward, 15 Feb 2018 @ 5:12pm

      Re:

      It's free, except for the electricity costs, the wear + tear on the mining device, etc.


    • Anonymous Coward, 16 Feb 2018 @ 3:27am

      Re:

      >I've never understood how to turn that into actual money.

      There are coin exchanges which let you buy and sell the various cryptocurrencies. They will also keep your coin wallets for you, but that can be risky, as several have been hacked and drained of their holdings.


    • Toom1275, 16 Feb 2018 @ 7:09am

      Re:

      I read somewhere that hoarding cryptocurrency is akin to hoarding gold. The hoarded item has monetary value purely because people believe it does.


      • Thad, 16 Feb 2018 @ 9:17am

        Re: Re:

        The same is true of any currency. The paper and plastic rectangles in your pocket carry value because of laws, contracts, social consensus, and economic forces, not because there's an inherent value to paper and plastic rectangles.

        (While people who talk about the gold standard tend to be nuts, at least gold is a physical object. Our economic system has gone several layers of abstraction beyond "exchange shiny things".)

        Cryptocurrency is like a perfect satire of how currency works.


    • Anonymous Coward, 16 Feb 2018 @ 7:28am

      Re:

      You have this currency that's online only and I've never understood how to turn that into actual money.

      If you look at the history of money, "actual" is a flexible concept. Gold exists, though its currency value is much higher than its utility value. Rai stones were used with an IOU system. Most modern currencies are little more than numbers in a computer; if Bitcoin had any "official" recognition, we might say it's more real than the US dollar (there's a proof-of-work, whereas the Fed can just make up US dollars).

      In other words, "actual money" is anything that's generally treated as money.


  • Anonymous Coward, 15 Feb 2018 @ 4:34pm

    Hackable kitchen sinks

    You mean that there isn't a hackable kitchen sink yet?


  • Anonymous Coward, 15 Feb 2018 @ 6:28pm

    So what if we supply automatic weapons to five year olds?

    You can't expect us to know what will happen!


  • Anonymous Coward, 16 Feb 2018 @ 6:00am

    Your winnings, sir.


  • PaulT, 19 Feb 2018 @ 9:02am

    Re: I started hating cryptocurrencies

    Yeah, that's not really about cryptocurrencies. It's an investor jumping on the bandwagon without understanding what he's investing in, then panicking and jumping out before the next upturn. Doesn't really matter which currency or commodity you invested in, anyone who just follows a bandwagon without research or a long term plan will risk this every time.

    But, I do love the way that your anti-cryptocurrency post is linked to what appears to be a honeypot site to "earn" them for "free". Still not sure where you really stand, huh?


    • The Wanderer, 20 Feb 2018 @ 4:22am

      Re: Re: I started hating cryptocurrencies

      I believe that the "claim to be against the thing you're spamming for" technique is a known method for making spam posts look plausible; it's not exactly common, but it's not at all unheard of.

      Or, to be charitable, possibly the linked-to site could maybe be (the? a?) place where he(?) got into the cryptocurrency thing, and he(?) just didn't explain it properly. Seems less likely to me, but I suppose it's not impossible.


