Unauthorized Coin Mining in the Browser

L7 Applicator

The popularity of CryptoCurrency has rapidly increased over the last 2 years and has exploded in the last 6 months. Mining has become more difficult and now requires data centers of dedicated servers to turn a healthy profit. A new mining technique utilizes the combined computing power of thousands of endpoints that mine through a script run in the browser, which can also lead to abuse.


Mining services like Coinhive allow for easy integration of a JavaScript in any website that lets the connected browser mine coin while the user is browsing the site. Unit42 has tracked Coinhive mining script access through the PANDB unknown category for a week and saw anywhere between 6000 and 10,000 unique URLs being hit on any given day. This is a clear indication this type of browser resource hijacking is far more rampant than one would expect, but then again, there is money to be made and that is where morals tend to fade.


Unit 42 found a few interesting facts and trends:


  • There appear to be two types of websites that serve up the miner JavaScript;
  1. Websites out to monetize on their visitors while still providing their users with content. Several porn sites were seen to operate in this fashion.
  2. Websites that have been compromised and the JavaScript injected in the regular pages. These scripts are usually also toggled to maximize return and tax the client's resources as much as possible.
  • A large percentage of the scripts detected in the PAN-DB feed appear to be hosted on a URL on the .bid or .download TLD
  • Coinhive uses a unique string, or 'site key', to identify a payee for each JavaScript that makes computations and surprisingly out of 36,000 detected instances, 35,000 pointed to a single site key.
  • At the time Unit 42 ran their project, 5 sites shown to host mining JavaScript were in the Alexa top 2000 ranking. (Those sites have since removed the miners.)


In conclusion:

While the use of these mining scripts is not malicious in itself, no sites appered to notify the user their resources were being used in this manner, nor was an opt-out made available.

  • PANDB is able to block URLs hosting Coinhive JavaScript.
  • Enabling an adblock browser plugin like Adguard or Adblock plus will further assist in preventing these scripts from consuming resources.


Unit 42 has more statistics and a more thorough description of the scrips available through their article Unauthorized Coin Mining in the Browser and they also have a list of the top-ranking URLs hosting these scripts available here.


Ask Questions Get Answers Join the Live Community