Cryptojacking

Security expert exposed the creator of CoinHive and encountered a strange revenge

Security expert Brian Krebs decided to figure out who is behind the famous CoinHive miner (CH) and how it appeared. It’s a fascinating story with colorful characters. But first, a brief reminder about what CoinHive is.

Top Cryptojackers are video streaming websites, and they do not use CoinHive

Back in December 2017, we added a mechanism that allowed users to optionally report websites whenever a cryptojacking script is detected by AdGuard. It proved useful right away and allowed us to discover the largest known cryptojacking campaign, which was being run by some popular video streaming websites. Since then we have received more than a million user reports, and now it's time to analyze them.

Over the last two months, we received over 1.3 million reports on more than 120 thousand websites. It's important to note that cryptojacking was sometimes detected on legitimate websites (Google, YouTube, Instagram, etc.), and this is most likely caused by malicious browser extensions or malvertising.

However, 40% (over half a million) of the reports came from just 50 domains. Let's take a deeper look into what the top cryptojackers do.

Nowhere to run, nowhere to hide: cryptojacking now on YouTube

A video streaming service is a perfect place to launch a cryptojacking script. Users watch videos, and their computers are busy mining cryptocurrencies for the script’s owner. YouTube is a video platform with a huge audience, but unfortunately its owner Google is too selfish to let anyone run a mining script there.

But it lets people run ads inside Youtube videos!

A malicious combo: cryptojacking ads

We have warned you about cryptojacking scripts on websites and in apps: they use your device to mine cryptocurrencies. We have warned you about malicious ads that are linked to all kinds of cyber threats.

And now guess what? Correct: ads have been caught doing stealth mining.

Crypto-Streaming Strikes Back

Brief summary: while hardening AdGuard’s crypto-jacking protection, we discovered four popular websites involved (mostly streaming) with an aggregated audience of almost a billion people.

We have already told you in our blog (part 1, part 2, part 3) about the problem of stealth mining (the so-called "cryptojacking"), but this story is not going to end. Just two(!) months after its first launch, this technology has been used on thousands of websites with a total estimated traffic of a billion(!) monthly visits. Now, after an additional three weeks have passed, we must regretfully report that cryptomining has soared to even greater heights.

Ad blockers were first to respond to this new menace and implement protection against mining on websites. Thanks to the popularity of ad blockers, a significant portion of Internet users received the necessary protection in a very timely manner. Naturally, "crypto-jackers" are not pleased with this counteraction.

Cryptojacking surges in popularity growing by 31% over the past month

More than a month has passed since our last research on this topic. We decided to check what has changed and to understand the current state of in-browser crypto-mining, its growth rate and its trends.

We have collected new statistics about cryptocurrency mining on websites. This time we did not limit our search to the most popular 100K websites and tried to cover more.

Cryptocurrency mining affects over 500 million people. And they have no idea it is happening.

This autumn the news spread that some websites had been making money by mining cryptocurrencies in their users’ browsers. We have been among the first to add protection from this hidden activity. AdGuard users now receive warnings if a website has been trying to mine, and the users are given the option to let it continue or to block the mining script from running.

We decided to research the issue more so that we could understand its scale and impact. On the Alexa list of the top one hundred thousand websites, we looked for the codes for CoinHive and JSEcoin, the most popular solutions for browser mining in use now.

AdGuard fights stealth cryptocurrency mining on websites

The news broke recently that more and more websites make money by mining cryptocurrencies on their visitors’ computers. A person browses a site, unaware that their CPU is loaded more than normal, working on a task they didn’t give it. The device slows down, making its owner less happy and productive.
