Hackers Hijacked an Internet Provider to Mine Cryptocurrency with Laptops In Starbucks

When Noah Dinkin, CEO of Stensul, a platform that helps marketers craft emails, visited a Starbucks in Buenos Aires last week, he discovered that the store’s Wi-Fi provider was hijacking his laptop to mine a digital currency.

At the time, a Starbucks spokesperson stated that the issue was resolved quickly and wasn’t widespread, but Dinkin disagreed on the latter point. “This was observed by a friend and I in three separate Starbucks stores in Buenos Aires over multiple days following my original tweet, that week,” he wrote on Twitter on Wednesday. “It wasn't just one store.”

When Motherboard reached out to the Argentine internet provider responsible for Starbucks’ Wi-Fi in Buenos Aires—Fibertel—the company blamed hackers for planting the miner code on their network.

“Fibertel detected a security intrusion on one of the equipment that forms part of the Wi-Fi access solution that [we] provide to our client Starbucks Argentina,” Fibertel spokesperson Florencia Marcote told Motherboard in an email. “The incident was identified and solved immediately by the specialized support.” “It is not about any Fibertel practice, but an intrusion of security,” Marcote continued.

Read More: Starbucks Wi-Fi Hijacked People's Laptops to Mine Cryptocurrency

Cryptocurrency miners hijack your computer’s resources—usually your CPU—to crunch some math problems in order to generate digital coins. These scripts can impact your computer’s performance.

Hackers have distributed cryptocurrency miner code in some pretty creative ways recently, like in video game cheat codes and in open-source software projects. But targeting an ISP to deliver the code during the process of connecting to the internet in the first place is an evolution in how these schemes operate.

Dinkin noticed a 10-second delay when connecting to the Starbucks location’s Wi-Fi, so he checked the source code of the landing page and found a script for CoinHive, a popular embeddable cryptocurrency miner. Over the next few days, he and a friend checked at two more Starbucks locations in Buenos Aires and found the same code in both.

“Our stores are where a lot of our customers go to do personal things and conduct business, so we want to make sure that they’re safe and secure,” Reggie Borges, a Starbucks spokesperson, told Motherboard over the phone. “Any time we see something that could happen in other places, we have to check it to make sure there’s no vulnerabilities and take next steps.”

According to Fibertel, the issue was isolated to Buenos Aires and has been resolved. “This happened only [locally] in Buenos Aires and is completely solved since last week,” spokesperson Marcote wrote in an email.

With the value of cryptocurrencies skyrocketing, the incident in Argentina may be a pale horse as criminals continue to find ways to get other people to generate digital coins for them.

Get six of our favorite Motherboard stories every day by signing up for our newsletter .

CORRECTION: An earlier version of this article described Stensul as a "mailing list startup," when in fact Stensul is a startup email creation platform for marketers. Motherboard regrets the error.