Security Experts Track Sites Compromised with Coinhive

While the JavaScript implementation of Coinhive was developed for legitimate purposes, it seems that an increasing number of web security experts are reporting that developers have embedded it into site code. This kind of attack, if one wishes to refer to it as such, uses the visitor’s CPU to mine Monero cryptocurrency coins while the user is visiting the page.

Technically, this doesn’t do real damage to the visitor’s installation besides drawing processing power away from useful tasks, though it might cause severe performance issues on underpowered devices.

A few sites have used this method with informed consent as an alternative to in-line advertising, since the technique works in any browser that can run JavaScript code, regardless of the platform it’s running on.

Nevertheless, several implementations have done so without the consent of users. A report from the National Crime Agency in the UK released in April stated that popular sites are being compromised with malicious code designed to aid in cryptomining.

As early as June 15, the Asahi Shimbun news service in Tokyo was reporting that police from ten of Japan’s prefectures had made 16 individual arrests of people suspected of transmitting arbitrary code to users of sites they visited.

One of the programs sent in the code was identified as Coinhive, while one of the other suspects designed code that resembled that of Coinhive and sent it to users of specific sites.

Investigators announced that they had been monitoring Coinhive operations since the release of the software in September 2017.

The arrests were made because site users weren’t asked for their consent. Nevertheless, Coinhive itself remains a legitimate program when used with appropriate consent.

Since these sorts of deployments usually seem to affect the JavaScript engine built into the browser rather than the underlying operating or file system, it might be difficult for security experts to come up with a mitigation for them.

Usual online security advice, such as regular cleaning of browser caches, might help to reduce the risk of embedded scripts continuing to mine for cryptocurrency coins. In most cases, the scripts can only run while users are visiting a compromised site or with their permission.

John Rendace