Technically, this doesn’t do real damage to the visitor’s installation besides drawing processing power away from useful tasks, though it might cause severe performance issues on underpowered devices.
Nevertheless, several implementations that have done so without the consent of users. A report from the National Crime Agency in the UK released in April stated popular sites are being compromised with malicious code designed to aid in cryptomining.
As early as June 15, the Asahi Shimbun news service in Tokyo was reporting that police from ten of Japan’s prefectures had made 16 individual arrests against people under suspicion of transmitting arbitrary code to users of sites they visited.
One of the programs sent in the code was identified as Coinhive while one of the other suspects designed code that resembled that of Coinhive and sent it to users of specific sites.
Investigators announced that they were monitoring Coinhive operations since the release of the software in September 2017.
The arrests were made because site users weren’t asked for their consent. Nevertheless, Coinhive itself remains a legitimate program when used with appropriate consent.
Usual online security advice, such as regular cleaning of browser caches, might help to reduce the risk of embedded scripts continuing to mine for cryptocurrency coins. In most cases, the scripts can only run while users are visiting a compromised site or with their permission.