Hackers are planting code on websites designed to use visitors’ computers to mine cryptocurrency. The creators of Coinhive, one of the most popular variants, say they didn’t see it coming.
Hijacking websites to mine cryptocurrency is all the rage. Over the weekend, hackers compromised a popular plugin used by thousands of websites, and tweaked it to inject code that caused visitors’ browsers to generate digital coins on the hackers’ behalf. That campaign took advantage of Coinhive, likely the most popular browser-based cryptocurrency miner at the moment, and which splits any mined cryptocurrency—in this case, Monero—with the Coinhive team.
But in an interview with Motherboard, the anonymous Coinhive developers said they didn’t quite anticipate that hackers would take advantage of their code, and acknowledged that “cryptojacking”, as the practice is sometimes called, is here to stay, at least for a while.
“We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive.”
The project has mined “the equivalent of a few million USD in total,” the team member said. Typically, 70 percent of that will go to the users. But Coinhive added that the recent plugin-related campaign, which also impacted US and UK government websites, only mined only 0.1 Monero, or $24—money which Coinhive says it hasn’t paid out to the attackers. Researchers have also found Coinhive embedded within a number of Android apps.
“Our strongest users have all embedded Coinhive in a meaningful way. They incentivise their users to run the miner and grant rewards for it,” the team member said.
Coinhive launched in September, and is marketed as a legitimate way for website owners to mine revenue, perhaps by replacing adverts with cryptocurrency code, or as a way to generate in-game currency for online games. Typically, in these cases, a website would be expected to clearly inform a user about the mining code. “We believe that in-browser mining could become a viable alternative to micro payments. Users pay with their CPU time and electricity in exchange for contents or services,” the team member said.
Porn sites, gambling sites, forums, and WordPress blogs all use Coinhive, they added. The team don’t specifically track domains, so if a user’s email address is not, for example, “firstname.lastname@example.org,” Coinhive often don’t know where or how the service is being used, though.
“‘Cryptojacking’ will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites,” the Coinhive team member said. They caveated that reports of malicious Coinhive use “have slowed down tremendously, as ‘hackers’ realize there's not much to gain with our service."
The wave of hackers adopting Coinhive has arguably already made the project somewhat synonymous with cybercrime.
“Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations,” the Coinhive team member added.