A first look at browser-based cryptojacking

# A first look at browser-based cryptojacking

Shayan Eskandari1, Andreas Leoutsarakos1, Troy Mursch2, Jeremy Clark1 1Concordia University, 2Bad Packets Report
###### Abstract

In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency—typically without her consent or knowledge—and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.

Cryptocurrency; Monero; Coinhive; Mining; Bitcoin; Blockchain; Cryptojacking; Ethics
publicationid: pubid:

## 1 Introduction

### 3.3 Browser extensions

Cryptojacking was not limited to websites in 2017. The Chrome extension Archive Poster remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of their 100,000+ users. After multiple user reports, followed by multiple news media outlets covering the issue, the extension was removed [11]. Similar cryptojacking extensions has been identified on less popular Mozilla Firefox add-ons as well.

### 3.4 Breaches

If an attacker is able to breach principle servers, websites, extensions, or the scripting services they use, they can inject cryptojacking scripts that will impact the site’s users without the site’s knowledge or consent. For example, a researcher found a malicious modification to webchat system LiveHelpNow’s SDK; it resulted in unsolicited mining across nearly 1500 websites using their chat support service [15] such as retail store chains Crucial and Everlast websites. In another example, Coinhive was found on the political fact-checking website PolitiFact151515PolitiFact: Fact-checking US politics https://politifact.com/ A compromised JavaScript library was found to be injecting the cryptojacking code. The malicious code remained on the site for at least four hours before it was removed [43]. PolitiFact executive director stated, “Hackers were able to install their script on the fact-checking website after discovering a misconfigured cloud-computing server” [42].

Another recent example of such incident is a breach in a website plugin called Browsealoud161616An accessibility tool to read the content aloud in multiple languages https://www.texthelp.com/en-gb/products/browsealoud/ led to injection of cryptojacking scripts in some United Kingdom governmental websites such as Information Commissioner‘s Office, UK NHS services, Manchester City Council and around 4200 other websites [38]. Within the same month, cryptojacking script was seen on Tesla and LA Times websites through poorly secured cloud configuration [22].

### 3.5 Man-in-the-middle

A user’s web traffic is often routed through intermediaries that may have plaintext access to content. For example, internet service providers or free public wireless routers can inject cryptojacking scripts into non-HTTPS traffic. Advertisement code injection has been seen in practice before [39] and there have been assertions of similar injections of browser mining scripts at certain Starbucks free Wi-Fi hotspots in Argentina.

## 4 Measurements

### 4.1 Prevalence of Coinhive and alternatives

Based on the fact that Coinhive is the dominant website offering in-browser mining (see Figure 4), we first focus on measuring the prevalence of Coinhive scripts deployed on internet sites. We use the censys.io BigQuery dataset [8] for the top million sites indexed by Zmap181818https://zmap.io. We simply look for the coinhive.min.js script within the body of the website page. The query we use is in Figure 3 and the results over a two month period are provided in Figure 2. These findings are corroborated by another search engine, PublicWWW191919Search Engine for Source Code https://publicwww.com/, which indexes the source code of publicly available websites. Using PublicWWW’s dataset, over 30,000 websites were found to have the coinhive.min.js library [20]. As seen from our data in Figure 2, the adoption of this script was substantial in the first days of its release. However, progress slowed down at the same time as ad-blockers and organizations started to block Coinhive’s website. The initial purpose of this service, as claimed by Coinhive, was to replace ads and cover server costs for webmasters. As the service did not require that websites receive user consent before running the miner code, it started to be used maliciously in users‘ browsers. This type of usage resulted in Coinhive being included in some company’s top-10 most wanted malware list [4].

This type of measurement will become less accurate moving forward. Cryptojacking services are evolving to use obfuscated JavaScript and randomized URLs to evade detection. An example of these methods can be found in the cryptojacking service provider called Minr. In this case, the script is automatically obfuscated for users implementing the code. In addition, the domain names used by Minr frequently change to circumvent blocklists and anti-malware software.

Coinhive has begun to be blocked by enterprises. One example is shown in Figure 7. This blocking seems to have sent Coinhive operators to lesser known alternatives with the same or similar functionality. We used the same methodology on PublicWWW dataset to find the usage of Coinhive and its alternatives on the internet. Table II shows the keywords used to identify these services. The result can be found on Figure 4 and Figure 5.

Coinhive has also reacted by focusing on adding methods to enforce asking for user consent and legitimizing the use of cryptojacking. It introduced another domain and service called Authedmine, which requires user’s consent to start mining in the browser. This service did not get the same attention as the original service, but it did inspire discussions regarding the ethics of such services, which is discussed in Section 6. Using the same methodology, censys.io was used to measure the prevalence of AuthedMine and show the results in Figure 8.

### 4.2 Client impact

Most cryptojacking scripts discovered were configured to use around 25% of user’s CPU, which can be justified as it will be under the threshold of attracting the user’s attention, and it could be argued as fair-usage of their hardware. During the first few days, however, there were some reports of 100% CPU usage while visiting websites containing these scripts [34], which can be characterized as malicious. By default, the Coinhive JavaScript library will use all available CPU resources. The user implementing the script must include a throttle value to reduce the client-side CPU usage during mining operations. We show an example in Figure 9.

### 4.3 Profitability

Coinhive developers estimate a monthly revenue of about 0.3 XMR (about $101 USD) for a website with 10-20 active miners [5]. We sought to validate this estimation with a real world data set provided to us212121In collaboration and with thanks to Faraz Fallahi https://github.com/fffaraz. One of the biggest Coinhive campaign operators is a domain parking service. It runs Coinhive on over 11 000 parked websites. While visits to parked domains are considerably shorter than an average website, the data spans a period of three months and gives some insight into the profitability of cryptojacking. During the experimental period of about 3 months, they accumulated 105 580 user sessions for an average of 24 seconds per session. For the period examined, the revenue was 0.02417 XMR (Monero’s currency) which at the time of writing is valued at$7.69 USD. Further detail is provide in Figures 10 and 11. While an A/B test was not setup to determine how much traditional web advertising would have brought in, freely available web calculator tools suggest we might expect an order or two of magnitude greater for comparable traffic.

## 5 Mitigations

We discuss the ethics of cryptojacking in the next section, but in the case of cryptojacking without user consent, it is seems natural to us to presuppose users want to be protected. Protection might take a few forms, which we outline here.

### 5.1 Obtaining consent

Cryptojacking tools might attempt to legitimize the practice by first obtaining user consent on a service provider level. An example of this is the Authedmine service from Coinhive discussed previously. Malicious sites might also opt for a service like Authedmine if it is whitelisted on its users‘ networks and then attempt to circumvent the consent process. For example, consent that requires a click from the user has been shown in some circumstances to be vulnerable to clickjacking attacks [28].

While cryptojacking is nowhere near the prevalence of tracking cookies, eventually it might grow into a regulatory issue where governmental bodies could use legislative approaches to obtain consent, similar to the provisions many countries now use for cookies (including honouring the ‘do not track’ HTTP header and obtaining click-based consent).

### 5.2 Browser-level mitigation

Browser developers have begun discussion of intervening in cryptojacking222222‘Please consider intervention for high cpu usage js’ https://bugs.chromium.org/p/chromium/issues/detail?id=766068. Potential mitigations include: throttling clientside scripting, warning users when clientside scripting consumes excessive resources, and blocking the sources of known cryptojacking scripts. Determining appropriate for thresholds for client-side processing that are high enough to allow legitimate applications and low enough to deter cryptojacking is an open research problem, as would be the wording of any notifications to the user that would lead the user to make an informed decision about allowing or not allowing resource consumption (cf. SSL/TLS warnings [31, 30, 1]). Browsers such as Opera, have taken a stance against cryptojacking scripts and blocked them via their “NoCoin” blacklist [25]. It is too early to determine the effectiveness of using a blacklist to block such activities.

It is worth noting that some browsers might actually take the exact opposite approach and promote (consensual) in-browser mining, as it enables a form of monetizing websites independent of both (1) ad networks and the user tracking that accompanies the current ad model, and (2) users maintaining some form of credits or currencies for making micropayment to websites they use(e.g., Brave Browser 23). Browser mining has been shown to not be as efficient as native mining applications today. Therefore, optimizations on how browsers pass system calls to the operating system can be made, or there can even be browsers designed specifically to support efficient browser mining.

## 6 Discussion

While cryptojacking might be relatively new, it fits the pattern of various other technologies deployed on the web that raise ethical questions. In thinking about it, we distinguish a few cases: (1) the use of cryptojacking on a breached website, (2) the use of cryptojacking by the website owner with an attempt at obtaining user consent, and (3) the use of cryptojacking by the website owner without obtaining user consent. We would argue that (1) is clearly unethical; invariant to one’s views on the ethics of hacking, we cannot see a justification for a breach that profits the adversary without any external benefits to anyone else.

The potential harm to users of cryptojacking is higher energy bills, along with accelerated device degradation, slower system performance, and a poor web experience [29, 33]. While consent may be obtained from the user, it is unclear if the user’s mental model of how they are paying can be made clear to them. On the other hand, the privacy disclosures users make in the traditional advertising model are also intangible; it is doubtful users understand what they are consenting to when they, for example, consent through a banner [9] to the use of tracking cookies; and many websites waste computational resources without consequence through buggy scripting and unnecessary libraries. In short, the ethics are not clear-cut and should be debated.

One webservice prone to cryptojacking is video streaming—the longer a user is engaged on a website, the more income can be earned through browser mining. Showtime.com [35] and UFC.com [37] are two popular streaming sites that were asserted by researchers to have deployed Coinhive. Showtime has declined to comment on how or why Coinhive was implemented on their website. Speculation has been raised that it was injected via a third-party analytic tool, New Relic, due to Coinhive being found inside the New Relic code block within showtime’s website source code. However a New Relic representative denied these claims in a statement to The Register, “It appears [Coinhive scripts] were added to the website by [Showtime’s] developers.” [35]. In a statement released by the UFC, they denied the presence of the code stating, “[they] did not find any reference to the mentioned Coinhive JavaScript [code]”.

The third case is the use of cryptojacking without user consent. Moor, in ”What is Computer Ethics?” [19] introduces the concept of an invisible factor for invisible computer operations in society. Based on his definitions, we would classify cryptojacking that does not gain user consent as invisible abuse: the intentional use of the invisible operations of a computer to engage in unethical conduct. Here the cryptojacker is earning money from unaware users that are being charged on their electricity bill. As discussed before, we already have court cases against such activities [24] and regulations for activities such as online user tracking [9], which indicates the need to start discussions and regulation on in-browser mining to fill in this policy vacuum as well.

## 7 Acknowledgements

J. Clark thanks NSERC and FRQNT for partial funding of this research.

## References

• [1] M. E. Acer, E. Stark, A. P. Felt, S. Fahl, R. Bhargava, B. Dev, M. Braithwaite, R. Sleevi, and P. Tabriz. Where the wild warnings are: Root causes of chrome https certificate errors. In CCS, CCS ’17, pages 1407–1420, New York, NY, USA, 2017. ACM.
• [2] BBC. Websites hacked to mint crypto-cash.
• [3] BleepingComputer. The internet is ride with in-browser miners and it is getting worse each day. Accessed: 2017-12-08.
• [4] CheckPointResearchTeam. October’s most wanted malware: Cryptocurrency mining presents new threat.
• [6] Cryptonote. Cryptonote technology. Accessed: 2017-11-20.
• [7] DeepDotWeb. Coinhive hacked and launches new opt-in service.
• [8] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halderman. A search engine backed by Internet-wide scanning. In ACM CCS, Oct. 2015.
• [9] European-Commission. Cookies. Accessed: 2017-12-08.
• [10] ExtremeTech. Browser-based mining malware found on pirate bay, others. Accessed: 2017-11-20.
• [11] Fortune. Popular google chrome extension caught mining cryptocurrency on thousands of computers. Accessed: 2018-01-20.
• [12] D. Y. Huang, H. Dharmdasani, S. Meiklejohn, V. Dave, C. Grier, D. McCoy, S. Savage, N. Weaver, A. C. Snoeren, and K. Levchenko. Botcoin: Monetizing stolen cycles. In NDSS, 2014.
• [13] M. King, J. Atkins, and M. Schwarz. Internet advertising and the generalized second-price auction: Selling billions of dollars worth of keywords. The American economic review, 97(1):242–259, 2007.
• [14] A. Kumar, C. Fischer, S. Tople, and P. Saxena. A traceability analysis of moneroâs blockchain. In European Symposium on Research in Computer Security, pages 153–173. Springer, 2017.
• [15] LiveHelpNow. Security incident nov 23rd, 2017. Accessed: 2017-12-14.
• [16] T. Micro. Malvertising campaign abuses googleâs doubleclick to deliver cryptocurrency miners. Accessed: 2018-01-31.
• [17] A. Miller, M. Moeser, K. Lee, and A. Narayanan. An Empirical Analysis of Linkability in the Monero Blockchain. Technical report, arXiv, 2017.
• [18] Monero. MONERO private digital currency. https://getmonero.org/, 2014. Accessed: 2017-11-20.
• [19] J. H. Moor. What is computer ethics? Metaphilosophy, 16(4):266–275, 1985.
• [20] T. Mursch. Cryptojacking malware coinhive found on 30,000+ websites. Accessed: 2018-01-20.
• [21] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.
• [22] NakedSecurity. Unsecured aws led to cryptojacking attack on la times. Accessed: 2018-02-28.
• [23] A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder. Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction. Princeton University Press, 2016.
• [24] N. J. D. of Consumer Affairs. New jersey division of consumer affairs obtains settlement with developer of bitcoin-mining software found to have accessed new jersey computers without users knowledge or consent. Accessed: 2018-01-20.
• [25] Opera. New year, new browser. opera 50 introduces anti-bitcoin mining tool. Accessed: 2018-01-20.
• [26] M. Rosenfeld. Analysis of bitcoin pooled mining reward systems. arXiv preprint arXiv:1112.4980, 2011.
• [27] S. Ruwhof. Massive child porn site is hiding in plain sight, and the owners behind it. Accessed: 2018-01-20.
• [28] G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In IEEE SSP, volume 2, 2010.
• [29] D. Sillars. The performance impact of cryptocurrency mining on the web. Accessed: 2017-12-20.
• [30] A. Sotirakopoulos, K. Hawkey, and K. Beznosov. On the challenges in usable security lab studies: Lessons learned from replicating a study on SSL warnings. In SOUPS, 2011.
• [31] J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying wolf: An empirical study of SSL warning effectiveness. In USENIX Security, 2009.
• [32] R. Tahir, M. Huzaifa, A. Das, M. Ahmad, C. Gunter, F. Zaffar, M. Caesar, and N. Borisov. Mining on someone else’s dime: Mitigating covert mining operations in clouds and enterprises. In RAID, 2017.
• [33] TheGuardian. Ads dont work so websites are using your electricity to pay the bills. Accessed: 2017-11-20.
• [34] ThePirateBay. The galaxys most resilient bittorrent site. Accessed: 2017-11-20.
• [35] TheRegister. Cbs’s showtime caught mining crypto-coins in viewers’ web browsers. Accessed: 2018-01-20.
• [36] TheRegister. Crypto-jackers enlist google tag manager to smuggle alt-coin miners. Accessed: 2018-01-20.
• [37] TheRegister. Lets get ready to grumble! ufc secretly choke slams browsers with monero miners.
• [38] TheRegister. Uk ico, uscourts.gov… thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned. Accessed: 2018-02-28.
• [39] TheVerge. Hotel caught injecting advertising into webpages on complimentary wi-fi network. Accessed: 2017-12-08.
• [40] TheVerge. Showtime websites secretly mined user cpu for cryptocurrency. Accessed: 2017-11-20.
• [41] N. van Saberhagen. Cryptonote v 2. 0.
• [42] WallStreetJournal. Your computer may be making bitcoinâ for hackers. Accessed: 2018-01-20.
• [43] Washingtonpost. Hackers have turned politifact’s website into a trap for your pc. Accessed: 2018-01-20.
• [44] V. Wikipedia. Important milestones of the bitcoin project. Accessed: 2018-01-18.
• [45] J. Wyke. The zeroaccess botnet: Mining and fraud for massive financial gain. Sophos Technical Paper, 2012.
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters