Unauthorized Coin Mining in the Browser [source: paloaltonetworks]

Cryptocurrencies have taken the world by storm. From the biggest player, Bitcoin, to newcomers such as Monero and Ethereum, cryptocurrency mining has become a hot industry, due in part to powerful, dedicated mining hardware and to the parallel computing power of graphics cards. Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power per instance is much less than dedicated hardware provides, being able to utilize many users on various sites more than makes up for it. There is already some media coverage on this, such as from the BBC and Malwarebytes. While we do not consider cryptocurrency mining inside browsers malicious by itself, such mining often goes on without the end user’s consent or even knowledge, which makes this practice shady and despicable.

Coinhive, one of the more popular browser-mining services out there, offers site owners a piece of JavaScript for easy integration. Site owners use site visitors’ CPU time to mine XMRs (Moneros) for Coinhive, and Coinhive pays out 70% of mined value to site owners. A new player, crypto-loot, emerged recently; it offers similar services but pays out 88% of revenue.

Coinhive Integration

On the official Coinhive homepage, we found detailed documentation on how to integrate the mining scripts onto any given website. Owners can use the easy version:

// Requires the Coinhive library (coinhive.min.js) to be loaded first
var miner = new CoinHive.Anonymous('YOUR_SITE_KEY');
miner.start();

or a more complicated version that gives control over how the end user’s CPU time is used, e.g. how many threads to run and whether the mining should be throttled.

var miner = new CoinHive.User('YOUR_SITE_KEY', 'john-doe', {
    threads: 4,          // number of mining threads
    autoThreads: false,
    throttle: 0.8,       // fraction of time the threads stay idle
    forceASMJS: false
});

A higher thread count and/or a lower throttle value results in more CPU usage in the client’s browser. With higher CPU utilization, end users will likely experience sluggish behavior and a poor experience on the websites.

Tracking Coinhive Integrations

We have been tracking the inclusion of the Coinhive mining script (coinhive.min.js) for a week in our PANDB unknown feed. The number of URLs leading to the download of such scripts is astounding. Since we started tracking, we have seen anywhere from 6K unique URLs to over 10K in a single day.

Overall, we have seen over 35,119 unique URLs associated with coinhive.min.js. Across these URLs, there are a total of 144 IPs and 1,025 hostnames. Based on our observation, the appearance of these scripts can be clearly divided into three categories – standalone, voluntary, and compromised.
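
A site owner or analyst can check fetched page source for the integration shown above. The following is an added example, not code from the original article or from Coinhive; the function name findCoinhive, the sample pages and the example.invalid host are constructed for illustration.

```javascript
// Added example: flag Coinhive integrations in fetched page source.
function findCoinhive(html) {
  const result = { scriptUrls: [], miners: [] };

  // 1. <script src=...> tags that load coinhive.min.js
  const srcRe = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]*coinhive\.min\.js[^"'\s>]*)/gi;
  for (const m of html.matchAll(srcRe)) result.scriptUrls.push(m[1]);

  // 2. Constructor calls in the form shown in the integration snippets
  const ctorRe = /new\s+CoinHive\.(Anonymous|User)\s*\(\s*["']([^"']+)["']([^)]*)\)/g;
  for (const m of html.matchAll(ctorRe)) {
    const opts = {};
    // Pull the CPU-related options out of the trailing arguments
    for (const o of m[3].matchAll(/\b(threads|throttle)\s*:\s*([\d.]+)/g)) {
      opts[o[1]] = Number(o[2]);
    }
    result.miners.push({ type: m[1], siteKey: m[2], ...opts });
  }

  result.detected = result.scriptUrls.length > 0 || result.miners.length > 0;
  return result;
}

// Constructed sample pages (not real sites)
const SAMPLE_MINING = `<html><head>
<script src="https://example.invalid/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('YOUR_SITE_KEY', 'john-doe', {
  threads: 4, autoThreads: false, throttle: 0.8, forceASMJS: false
});
miner.start();
</script></head></html>`;
const SAMPLE_CLEAN = `<html><script src="/js/app.min.js"></script></html>`;

console.log(JSON.stringify(findCoinhive(SAMPLE_MINING), null, 2));
console.log(findCoinhive(SAMPLE_CLEAN).detected);
```

This matches only the literal script name and constructor names quoted in this article; renamed or obfuscated copies need behavioral signals such as sustained CPU load.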
