Security expert exposed the creator of CoinHive and encountered a strange revenge

Security expert Brian Krebs decided to figure out who is behind the famous CoinHive miner (CH) and how it appeared. It’s a fascinating story with colorful characters. But first, a brief reminder about what CoinHive is.

What is CoinHive, or "they meant well..."

CH lets integrate a Monero cryptocurrency miner into other software, any that runs JavaScript. Web pages and apps, games, browser extensions, advertising banners, and what not. The miner works at the expense of users without asking for their permission.

The users whose computer power is being utilized do not get any benefit. The creators of CH take away 30% of the Monero that got mined. 70% goes to the one whose unique identifier is embedded in the program code of the miner on a particular site or app.

CH had been announced as an ad-alternative monetization tool for website owners but was soon adopted by hackers that installed it on websites and other software they do not own. Large web properties find themselves running Monero miners every now and then. Among them MSN Japan, YouTube, LA Times…

CH was injected into advertising banners placed through Google’s DoubleClick platform. It was found in BrowseAloud, a service that reads web pages out loud for the visually impaired and is used on many British, American and Canadian government websites. In December it was embedded in all web pages served by a WiFi hotspot at a Starbucks in Buenos Aires.

So who are the people that created CH and run it now? How could they decide to evolve it?

What Krebs discovered

The miner was first launched on, a German image board (a forum for collecting and discussing pictures).

This forum was founded by Dominic Szablewski, he also developed the miner that later became CoinHive.

Szablewski sold in 2015 because of “death threats for various moderation decisions on that board”. But he was friends with the new owners, and they allowed him to test the miner.

For making money is also a challenge. It has controversial content, adult pictures, it frightens some advertisers off. Users are mostly young and tech-savvy, they install ad blockers or just avoid clicking ads. Paid membership costs 9 euros for 3 months, but paying for it may disclose a user’s identity, so it is also not very popular.

The forum was acquired by Reinhard Fuerstberger, who calls himself a “politically incorrect, Bavarian separatist” and, as Krebs puts it, ”overrun by individuals with populist far-right political leanings”.

Fuerstberger claims that he knew nothing about the miner and is appalled by the decision of his business partner who had actually let it be tested.

According to the representatives of CH, now it is under control of Badges2Go, a startup incubator that experiments with blockchain and cryptocurrency ventures.

Krebs also found that’s domain name was registered to a certain Dr. Matthias Moench. At the age of 19, he hired a killer for his wealthy parents. That’s how deeply he had been hurt by their decision to give him a used car as a birthday present, instead of a Ferrari he’d hoped for. The parents were hacked with a machete along with the family poodle.

Moench was sentenced to nine years in prison, released after serving five years, claimed that he found faith and would become a priest, and turned into a spammer. He earned 21.5 million Euros by advertising erectile dysfunction medications. In 2015 he was sentenced to 6 years for fraud and drug-related offenses, is expected to be released this year.

However, Krebs thinks that Moench has nothing to do with CH. Many years ago Moench claimed that any cybercriminal was free to use his name and other credentials for hiding their own identities. Now there is a huge amount of domains registered to Moench.

All this information helps explain the controversial nature of CoinHive. But we may hope that Badges2Go will lead its development in a more affirmative direction.

Crime and punishment

Users of got offended by the investigation and accused Krebs of revealing personal information of people not connected to CoinHive. They punished him by donating money (over $126 000) to the German Cancer Aid center and using the hashtag #KrebsIsCancer in social media. Because Krebs is "cancer" in German.

Krebs does not seem to be upset by this philanthropy attack:

Normally, when KrebsOnSecurity publishes a piece that sheds light on a corner of the Internet that would rather remain in the shadows, the response is as predictable as it is swift: Distributed denial-of-service (DDoS) attacks on this site combined with threats of physical violence and harm from anonymous users on Twitter and other social networks.

While this site did receive several small DDoS attacks this week — and more than a few anonymous threats of physical violence and even death related to the CoinHive story — the response from pr0gramm members has been remarkably positive overall.

By downloading the comments you agree the terms and policies
AdGuard for Mac / AG Browser Extension double release

Today we want to try something different — combine two release announcements in one blog post. Main reason is, both new Mac and extension updates, while being important, are rather technical and do not provide a lot of topics to talk about without descending into using lots of developer lingo. Let's have a quick look at AdGuard for Mac v1.5.6 and AG Browser Extension v2.9.2.

Over 20,000,000 of Chrome Users are Victims of Fake Ad Blockers

According to the PageFair 2014 report, Google Chrome is a major driver of adblock growth. 20% of users discovered ad blocking by browsing “available browser extensions”. Given how popular ad blocking is, it is quite a lot. This also explains why "cloning" wide-spread ad blockers has become so popular among online crooks. Seven months ago big news broke: 37,000 users were tricked into installing a fake Adblock Plus extension.

What if I told you that thanks to poor Chrome's WebStore moderation the situation is much worse, and in reality over 20,000,000 users are affected and tricked into installing fake malicious ad blockers?

Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device