The Biggest Cryptocurrency Mining Hack Yet Made a Grand Total of $24
Hackers loaded in-browser cryptocurrency miner Coinhive into UK, US, and Canadian government websites on Sunday.
Criminals: At the very least, you should learn to do a crime properly. I’m not saying I want you to do crimes, I am just saying that you should have some self-respect. Because, folks, listen—this cryptocurrency mining stuff is just not working out.
On Sunday, hackers orchestrated what’s likely the largest cryptocurrency mining hack to date by compromising an accessibility plugin used by thousands of websites. Until the attack was shut off after four hours, anyone visiting the many affected UK, US, and Canadian government sites (among others) had their computer put to work mining cryptocurrency. According to spokespeople for the mining service used by the hackers, Coinhive, the result of this effort was $24 USD worth of Monero.
Twenty-four dollars, people. We’ve seen cryptocurrency-related scams go bust before, but this is embarrassing. At the very least, I think we can all agree that the cost of one Olive Garden entree is not worth the stress of all the urgent headlines proliferating around the world this week. Coinhive told Motherboard reporter Joseph Cox in an interview that it hasn’t even paid the hackers their $24.
Experts say these hackers could have done much, much more with their access. Scott Helme, the security researcher who first noticed the hack on Sunday, told Motherboard that it was a narrowly-avoided “catastrophe” because instead of stealing information—or anything else the hackers could have done while delivering code to unsuspecting people’s computers—they chose to mine cryptocurrency and come away with a week’s worth of subway fare.
It’s unlikely that this annoying trend will simply go away, despite the rather sad result of Sunday’s mining campaign. Hijacking a plugin is just the latest novel approach taken by criminals who want to get other people to do their mining for them, and security researchers from Symantec warned last year that an “arms race” between hackers and the law is looming. And then there’s the value of cryptocurrencies, which despite recent tumult in the markets are still holding most of their recent price gains.
This also isn’t to say that in-browser cryptocurrency mining can’t be done legitimately. Salon, for example, just launched a new initiative to monetize pages with opt-in cryptocurrency mining if a visitor is using an ad blocker. This is probably a more sound business model than mining cryptocurrency for four hours before getting caught, like the hackers on Sunday—even running cryptocurrency miners on garbage sites that hardly anybody visits might be more profitable if it goes unnoticed for long enough.
I’m just saying: If you are reading this, and you are a criminal, please enact some self-care and invest your energy in something more worthwhile.
CORRECTION: An earlier version of this story identified security researcher Scott Helme as Jesse Helme. Motherboard regrets the error.