Coinhive – New Cash Cow for Malware Creators

Coinhive is a technology that is just several weeks old, it was formally introduced on September 14. Coinhive is rapidly turning into the cash cow of the world wide web, progressing from a revolutionary crypto-currency mining instrument to a technology heavily exploited by myriads of cyber-criminals.

New Advertising Alternative or Just Plain Malware?

Coinhive is a JavaScript library that webmasters can use on their websites. Whenever people visit the website, the Coinhive JavaScript code runs and mines Monero for the webmaster making use of the visitor’s CPU.

It is a unique and creative idea. Bravo! Coinhive creators promote it as a substitute to traditional advertisements. Coinhive states that website owners may get rid of all ads on their site, load the Coinhive and mine Monero using a tiny portion the user’s CPU during the time he/she is visiting the website. Website owners will earn money without annoying their audience with irritating advertisements.

Just a couple days after it was introduced, The Pirate Bay tested it for short time. The Pirate Bay abandoned it after numerous unfavorable user comments. But the concept got its momentum.

Later a pair of Showtime websites ( and started to play with Coinhive too. It is possible that hackers breached the Showtime websites and integrated the mining code without the company’s awareness. Another theory says that Showtime is adding the script intentionally, as a test. This explanation looks more probable, as the setThrottle value is 0.97, indicating the mining script will stay inactive for 97% of the time. A cyber intruder understanding that he may be noticed at any time, would certainly set a smaller throttle value and try to mine the maximum amount of Monero before being detected.

A newly released report has determined that a website such as The Pirate Bay is likely to make about 12,000 USD per month. Considering the fact that The Pirate Bay is positioned 87 in the Alexa traffic ranking, and Showtime is only 9,500, Showtime’s earnings would be much smaller.

Sadly, and in spite of the good use of a cryptocurrency miner, Coinhive is in the position of many other helpful instruments that have been misused by criminals. In the couple of days that have passed since its release, Coinhive has stretched to most corners of the hacker community.

Coinhive is Spreading

Coinhive is Spreading

Initially, we spotted it inserted inside a well-known Chrome extension called SafeBrowse, in which the Coinhive script was placed to mine Monero in Chrome’s background every time the browser was opened and working.

After that, we noticed Coinhive inserted in typo-squatted domain names. Somebody launched the site and was installing the Coinhive JS library on that web page. Individuals who mistyped the Twitter domain URL found themselves on the page mining Monero for the crook. Of course, it would last only for several seconds until the person understood he was on the wrong website, but that is enough for web-entrepreneur to make a profit. Eventually and having plenty of such domains in place, their operator can make a big sum of money.

Later, malware experts found several hacked websites where criminals changed the source code and quietly uploaded the Coinhive miner. Infosec experts discovered numerous hacked Magento and WordPress websites tweaked in this manner.

Security specialists also noticed that one prominent and big malvertising group made use of Coinhive too. Hazardous advertisements redirected users to fake tech support sites where in addition to traditional false virus notifications, criminals put Coinhive and mined for Monero.

The latest instance of Coinhive getting integrated together with malware has been revealed this week when a researcher discovered a website peddling a phony Java update which was simultaneously mining for Monero.

It becomes obvious from the above cases that virus creators have found their next cash cow in Coinhive.

Another place we anticipate to see Coinhive implemented is adware and especially browser hijackers. Statistics say there are millions of users who don’t care about intrusive ads and live with adware for many months. There may be no reason for adware writers not to load the Coinhive in the background and mine a few extra Monero before the victim tries to remove their adware or notice high CPU usage caused by mining.

Although the Coinhive crew has clearly stated that accountability for how their library is used falls completely on the individual running the miner, malware creators do not care and never abide any rules.

Protecting Yourself from the Coinhive JS Miner

Protecting Yourself from the Coinhive JS Miner

At the moment, the Coinhive phenomenon has been called crypto-jacking for the fact of hijacking browsers for crypto-currency mining.

Many experts predict a massive wave of crypto-jacking disasters. Already now two ad-blockers,  AdGuard and AdBlock Plus, have started to block Coinhive’s JS library.

Furthermore, web-developers have launched new Chrome extensions like AntiMiner and minerBlock that are able to scan Chrome and terminate all mining scripts.

Even though this year could be remembered for the WannaCry and other ransomware breakouts, the Equifax and CCleaner breaches, quietly, crypto-currency miners might also become the prevalent threat especially if combined with existing adware.

Kaspersky lab claimed to observe about 1.65 million PC’s affected with mining malware this year. IBM also reported an increase in cryptocurrency malicious software placed on enterprise networks.

Based on the Coinhive group messages, the library’s release has shown to have exceeded all expectations. Regardless if created with good motives, Coinhive’s reputation will surely be smeared in the dust in the event that malware writers keep on using it the way they do it now.

What do you think of background miners like Coinhive as an alternative to traditional banner and pop-up advertising? Let us know in the comments below.

Images courtesy of Shutterstock, Pixabay

The post Coinhive – New Cash Cow for Malware Creators appeared first on