Security News

The End of Coinhive; The end of cryptojacking?

Michal Salát, 8 March 2019

Will Coinhive’s end lead to the end of browser-based cryptomining and cryptojacking?

Cryptojacking stole the limelight away from ransomware at the end of 2017, becoming a major cyberthreat that continued into 2018. On March 8, 2019 Coinhive, the service that enables websites around the world to use browser CPUs to mine Monero, will shut down. Will Coinhive’s end also end browser-based cryptomining and jacking?

The rise of web-based cryptomining

Crypto coins are generated by solving a complex mathematical problem that meets certain criteria. The result confirms a set of transactions. If such a result is found, the first one to publish it receives a reward and the transaction fees from the given set. Various crypto coins use different algorithms, but most of them have been implemented in miner applications for CPU and GPU. JavaScript is a programming language used to implement the miner application and — as it’s supported by most browsers, meaning no special software is required to mine— makes it an attractive mining option. Most JavaScript miners mine Monero (XMR), because the mining algorithm is suitable for computations on a CPU, whereas mining Bitcoin (BTC), for example, on a CPU wouldn’t make much sense due to the algorithm and mining difficulty.

Mining cryptocurrency is a legit business, but to do this on a large scale, strong computing power is required. There are miners who run huge server farms to earn money with Bitcoin mining or mining of other cryptocurrencies. Running these server farms requires a high financial investment both for the infrastructure and electricity. For this reason, web-based cryptomining became popular; it doesn’t require the miner to install extra software and can be injected into websites.

Going from mining their own business to jacking around

Like most lucrative online activities, cryptomining became an attractive business model for cybercriminals. Cybercriminals began using other people’s computers and browsers to mine cryptocurrencies, without their permission, known as cryptojacking.

When it comes to cryptojacking, cybercriminals can either install software onto victims’ computers to mine or use websites to mine by implementing mining scripts into a website’s code. When a user visits an infected website, the script starts mining crypto coins using the visitor’s computing power. Installing software onto PCs requires skill, time and effort. Additionally, the chances of people noticing their computer is mining are higher when their computer’s GPU is being used to mine, slowing down their devices. Browser-based cryptojacking therefore became very popular; cybercriminals hijack websites to inject Coinhive’s JavaScript to mine using site visitors’ browsers, profiting from the time spent on the infected websites.

Cryptojacking in the gray zone

In terms of cybersecurity, cryptojacking landed in a bit of a gray zone. While the effects of cryptojacking, especially browser-based cryptojacking which mainly includes slowing down the browser, are bothersome, they aren’t devastating and often users are unaware their browser is mining. Not all browser-based cryptomining is malicious. There is a legitimate use of the cryptocurrency miners where websites give users the option to mine, to in return avoid seeing ads, or in the case of UNICEF to raise money for a charitable cause. We at Avast reached a point, however, where we needed to decide whether or not we should block all browser-based miners to protect our user base from cryptojacking.

We decided to create a set of strict rules, and miners that adhere to the rules and request to be whitelisted are not blocked, but those that do not are blocked by our antivirus. We consider mining on webpages to be ethical when users are explicitly asked permission, before the mining begins, and are educated on the process.

The decline in jacking

Security companies blocking web-based cryptojacking might be one of many reasons why cryptojacking is on a decline. In their blog post about discontinuing Coinhive, the Coinhive team mentioned the drop in the hash rate after the Monero fork and the crash of the cryptocurrency market, along with the upcoming fork and algorithm update of Monero, which will cause the hashrate to drop.

The number of browser cryptojacking attempts we blocked during Monero’s peak followed the trends in the value of Monero, as can be seen in the charts below. Bitcoin and the cryptocurrency market as a whole had a similar trend line. Coinhive’s decision to discontinue their service may not come as a surprise, given the drop in the value of cryptocurrencies and the fact that the service was often used by bad actors for cryptojacking without asking the users’ permission, resulting in the cryptominer being blocked by security companies.

The End of an Era

It’s difficult to predict whether or not browser-based cryptojacking will ever rise again after Coinhive discontinues its service or if another mining service will fill Coinhive’s void. According to Bad Packets Report, Coinhive had a 62% share of website miners in August 2018. Even if another service decides to fill the gap Coinhive will leave, it may not be as successful as Coinhive once was, if it doesn’t allow cybercriminals to mine for their own financial gain.

The steady drop in Monero’s and other crypto currencies’ value might also be forcing cybercriminals to focus their attention on other, more profitable, activities. A possible rise in Monero’s value could cause cybercriminals to mine more again, but they would likely do this using PCs, if they care to make the extra effort.  

Ultimately, Coinhive going out of business is a good thing for security, privacy, and transparency. Their business model relied upon taking 30% of all the coins mined on their service, and reportedly 100% of the money from coin that was mined on accounts that had been shut down for abuse. Its flaws were clear. With the value of Monero dropping significantly over the course of 2018, the hard forks and AV on their tail, it was impossible for Coinhive to maintain profit. Pushed by the AV companies, Coinhive has launched a service with explicit opt-in, so that will show us the true size of the legitimate market and if cryptomining can indeed be an alternative to advertising.