More than a month has passed since our last research on this topic. We decided to check what has changed and to understand the current state of in-browser crypto-mining, its growth rate and its trends.
We have collected new statistics about cryptocurrency mining on websites. This time we did not limit our search to the most popular 100K websites and tried to cover more.
We found cryptojacking scripts on over 33,000 sites with a total traffic of 1 billion monthly visits. The number of sites from Alexa's top 100K list which run in-browser mining grew by 31% over the past month. The overwhelming majority of sites don't bother to warn users or get their consent to mining.
Almost 95% of the websites we found run the CoinHive script, the most popular cryptojacking solution. Half a dozen other mining networks emerged in October and November, some of them simple clones of CoinHive. We estimate the joint profit at over US $150,000 per month. In the case of CoinHive, 70% of this sum goes to the website owner, and 30% to the mining network.
The detailed findings of the research have been published on a dedicated website: Crypto.Adguard.com.
In-browser mining is still far from becoming a legal and ethical alternative to advertising as a revenue source for websites. CoinHive now offers a tool named AuthedMine. It starts mining only if a user gives his or her explicit consent. However, we found only 413 sites using it in our sample: a mere 1.25% of the entire mining pool.
CoinHive’s competitors offered no solutions for “legal” mining on the condition of a user’s consent. Technically, this might not be that important: JSECoin’s script, for example, abuses a CPU only as badly as a single animated banner does. But from the ethical and reputational points of view, stealth and opt-out in-browser mining is considered malicious behavior.
Moreover, the unambiguously malicious approaches are on the rise. Mobile apps, websites and browser extensions get hacked and repurposed as mining malware, or they are produced as such from the beginning. People’s computers get attacked and infected by stealth miners. Mobile devices have much more limited resources than PCs or laptops (besides weaker CPUs, users are concerned about their battery life and paid web traffic), so illegal mining is a real problem here.
So the future of in-browser mining looks dismal to us at the moment. Cryptojacking done right could have made a good alternative to ads as a website monetization tool. What prevents it from being done correctly?
When it is done unethically, it promises higher profit.
You can install a mining script on your own site, or you can hack several dozen sites. Or you can make use of an app with hundreds and thousands of downloads. You can inform, warn and persuade your users to help you earn, or you can just use their devices silently. What promises more revenue with lower expenses?
Malicious usage of a tool spoils its reputation. Website owners get biased against in-browser mining, and users get prejudiced and start avoiding websites that utilize it.
We think that CoinHive, as a leader, should make a serious effort to exonerate in-browser crypto mining as a legal and ethical monetization tool. In our opinion, two things need to be done:
Don't forget to explore the research data on Crypto.Adguard.com. You can check exactly which websites are affected and see statistics by country, category, mining network and miner (their API keys, to be precise). We will keep an eye on the situation and periodically update the data there.