Cryptocurrency mining without consent: Drive-by Mining

In mid-September, Coinhive created a service which will probably be known as a huge milestone for cryprocurrencies. It allowed websites to insert a small amount of code onto their site which would use idle cycles on the user’s computer to mine for a cryptocurrency called Monero directly within the web browser. The code is written in Javascript and is completely platform agnostic so it can run on all operating systems and all browsers.

In an ideal world, small amounts of in-browser mining would allow the site owner to replace advertising banners in exchange for a small amount of processing power to gain a cryptocurrency. As we know, this is not an ideal world. Coinhive’s API was an immediate success and most sites followed the API guidelines to run in throttled mode, so the miner would not run the user’s CPU above a certain threshold. Then there were the sites that saw an opportunity to gain more than others and ran the script in non-throttled mode to mine as much coin as they could while the user was still on the site. These often resulted in 100% CPU utilization for mining, affecting system performance with no consent from the user. This has become known as drive-by mining since the code is delivered to the user in a very similar fashion to drive-by downloading.

To most end users, the harm is minimal. There is no malware infection at the end of the sequence, only a hit to system performance and user experience. The problem is that sometimes even the site’s owners are unaware that they are hosting a drive-by miner on their site. It is an easy way for attackers who have already compromised a site to monetize their work. Attackers can scan the web for hundreds of sites with similar vulnerabilities and load their non-throttled Coinhive script to all of them, having potentially thousands of people generating them cryptocurrency.

One of the most famous drive-by mining incidents was when torrent indexer hosted the Coinhive script to generate extra money. TorrentFreak determined that an average mid-range computer could mine for coins with a hashrate of 30h/s, making The Pirate Bay roughly $12,000 per month with the Monero trading price at the time of publication.

In the days since, Coinhive has updated their API to disable non-throttled mode completely and show a window asking for permission to mine for cryptocurrencies while the user browses the site. The problem here is that the old API is still active, and may continue to be used until it is completely deprecated.

There is still opportunity for the API to be abused, after all, web advertisements started as a smart way to spread the word about your company or product, but now are notorious for hosting malware and stealing information. It may only be a matter of time before we see in-browser cryptocurrency mining blockers similar to adblockers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.