Security expert exposed the creator of CoinHive and encountered a strange revenge

Security expert Brian Krebs decided to figure out who is behind the famous CoinHive miner (CH) and how it appeared. It’s a fascinating story with colorful characters. But first, a brief reminder about what CoinHive is.

What is CoinHive, or "they meant well..."

CH lets integrate a Monero cryptocurrency miner into other software, any that runs JavaScript. Web pages and apps, games, browser extensions, advertising banners, and what not. The miner works at the expense of users without asking for their permission.

The users whose computer power is being utilized do not get any benefit. The creators of CH take away 30% of the Monero that got mined. 70% goes to the one whose unique identifier is embedded in the program code of the miner on a particular site or app.

CH had been announced as an ad-alternative monetization tool for website owners but was soon adopted by hackers that installed it on websites and other software they do not own. Large web properties find themselves running Monero miners every now and then. Among them MSN Japan, YouTube, LA Times…

CH was injected into advertising banners placed through Google’s DoubleClick platform. It was found in BrowseAloud, a service that reads web pages out loud for the visually impaired and is used on many British, American and Canadian government websites. In December it was embedded in all web pages served by a WiFi hotspot at a Starbucks in Buenos Aires.

So who are the people that created CH and run it now? How could they decide to evolve it?

What Krebs discovered

The miner was first launched on pr0gramm.com, a German image board (a forum for collecting and discussing pictures).

This forum was founded by Dominic Szablewski, he also developed the miner that later became CoinHive.

Szablewski sold pr0gramm.com in 2015 because of “death threats for various moderation decisions on that board”. But he was friends with the new owners, and they allowed him to test the miner.

For pr0gramm.com making money is also a challenge. It has controversial content, adult pictures, it frightens some advertisers off. Users are mostly young and tech-savvy, they install ad blockers or just avoid clicking ads. Paid membership costs 9 euros for 3 months, but paying for it may disclose a user’s identity, so it is also not very popular.

The forum was acquired by Reinhard Fuerstberger, who calls himself a “politically incorrect, Bavarian separatist” and, as Krebs puts it, ”overrun by individuals with populist far-right political leanings”.

Fuerstberger claims that he knew nothing about the miner and is appalled by the decision of his business partner who had actually let it be tested.

According to the representatives of CH, now it is under control of Badges2Go, a startup incubator that experiments with blockchain and cryptocurrency ventures.

Krebs also found that pr0gramm.com’s domain name was registered to a certain Dr. Matthias Moench. At the age of 19, he hired a killer for his wealthy parents. That’s how deeply he had been hurt by their decision to give him a used car as a birthday present, instead of a Ferrari he’d hoped for. The parents were hacked with a machete along with the family poodle.

Moench was sentenced to nine years in prison, released after serving five years, claimed that he found faith and would become a priest, and turned into a spammer. He earned 21.5 million Euros by advertising erectile dysfunction medications. In 2015 he was sentenced to 6 years for fraud and drug-related offenses, is expected to be released this year.

However, Krebs thinks that Moench has nothing to do with CH. Many years ago Moench claimed that any cybercriminal was free to use his name and other credentials for hiding their own identities. Now there is a huge amount of domains registered to Moench.

All this information helps explain the controversial nature of CoinHive. But we may hope that Badges2Go will lead its development in a more affirmative direction.

Crime and punishment

Users of pr0gramm.com got offended by the investigation and accused Krebs of revealing personal information of people not connected to CoinHive. They punished him by donating money (over $126 000) to the German Cancer Aid center and using the hashtag #KrebsIsCancer in social media. Because Krebs is "cancer" in German.

Krebs does not seem to be upset by this philanthropy attack:

Normally, when KrebsOnSecurity publishes a piece that sheds light on a corner of the Internet that would rather remain in the shadows, the response is as predictable as it is swift: Distributed denial-of-service (DDoS) attacks on this site combined with threats of physical violence and harm from anonymous users on Twitter and other social networks.

While this site did receive several small DDoS attacks this week — and more than a few anonymous threats of physical violence and even death related to the CoinHive story — the response from pr0gramm members has been remarkably positive overall.