Coinhive Throws In the Towel

What started it out with the intention of being an innovative way to replace banner ads on websites turned into an incredibly popular piece of malware. When Coinhive began its life it was innocent. Rather than web developers using space for ad banners they could add a JavaScript file to the browser which would use the visitors CPU to mine Monero, now infamously known as a favored cryptocurrency used by hackers around the globe. This mining was intended to occur only while visitors were on the web page and with their express consent. What started out innocently was quickly weaponized.

The Pirate Bay, provided a proof of concept test of Coinhive by asking users if they would prefer ad banners or the application to mine cryptocurrency while using the service. The torrent site known for its flagrant abuse of copyright law received a fair amount of criticism for the move, but it could be seen as a successful proof of concept. The Pirate Bay was eventually to receive ban orders due to copyright infringement and like with other similar torrent sites is involved in a perpetual cat and mouse game with authorities. Despite this many saw Coinhive as a potential technology to disrupt big corporations stranglehold on ad revenue.

Alas, this was not to be with the company stating in a blog post that the company would shut down all operations by March 8, 2019. While operations would cease on March 8, registered users had until April 30 to withdraw funds. In the blog post multiple reasons were given for the shutdown including,

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard,” and “So did the 'crash' of the cryptocurrency market with the value of XMR depreciating over 85% within a year.”

Another reason which has contributed to the decision to cease operations may lie in the fact that Coinhive became to go to solution for cyber-criminal gangs who proceeded to hack sites all over the internet and leave the Coinhive file configured to mine Monero for their accounts.

coinhive throws in the towel

The practice which has been called cryptojacking by some and in-browser mining by others became a problem in late 2017 and the first half of 2018. Its surge in popularity led some to believe that ransomware attacks would become a thing of the past. This was not to be the case despite Coinhive scripts landing up on government sites, live chat widgets, gaming mods, famous sites, fundraising campaigns, YouTube ads, ad networks, browser extensions, routers, mobile apps, and desktop applications. Such widespread abuse got Coinhive's domain banned by both antivirus products and ad blocker browser extensions alike. With such a rise in popularity came the inevitable clones and other people wishing to emulate Coinhive’s apparent success. Despite this Coinhive still managed to retain market domination.

An End to Cryptojacking?

Security researcher Troy Mursch calculated that Coinhive had 62% of the market share while academics calculated that the German company was making an estimated 250,000 USD per month up until the middle of 2018. Abuse of the platform may have contributed to the decision to shut down operations, ultimately it was the market that would seal the deal. As the price of Monero dropped so did both legal and illegal use of Coinhive. Is this end of the trend that so dominated cybersecurity headlines?

Speaking to ZDNet in December 2018 regarding cybersecurity trends to watch in 2019, security researcher Jerome Segura stated,

“The concept of in-browser mining was almost shattered overnight by ill-intended threat actors taking advantage of Coinhive and other similar services… While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices… As it stands, the profits generated from in-browser mining are not what they used to be, due to the decline in the value of cryptocurrencies. Our telemetry shows a sharp decrease in Coinhive related traffic, although one of its competitors, CoinIMP, has gained traction during the past few months. For 2019, we can expect to see fewer campaigns where Content Management Systems are injected with coin miners but instead see other web threats become more prevalent, in particular, web skimmers.”

Declaring a malware trend is particularly hazardous, as with the decline in market values brought a decline in use. If for whatever reason, though improbable, the price in cryptocurrencies skyrockets there will be a new drive to use scripts like Coinhive or CoinIMP could occur. While certainly not the threat it was in 2018 cryptojacking may yet see a revival. The revival of the humble worm which was responsible for the virulence of the WannaCry ransomware incident can be seen as an example of this. That been said the rise in prevalence of web skimmers may be one to watch out for. In November 2018, Malwarebytes published an article detailing how popular football clothing brand Umbro was hit by such a piece of malware. A web skimmer allows the hacker to seamlessly steal payment and contact information from visitors purchasing products or services online. In essence, it is comparable to credit card skimmers which have been a nightmare to combat. While it was argued, incorrectly for the most part, that cryptojacking was harmless, web skimming is most certainly not and victims could find their bank accounts cleared out before they realize it.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal