As cryptojacking has spread around the web—largely thanks to the original “in-browser miner,” Coinhive, and its copycats—implementations have generally not lived up to those lofty aims. Instead, the technique is used to exploit unknowing people’s resources, both their hardware and electric bills, and it is increasingly blocked as malware by scanners and ad-blockers. So far, efforts to keep cryptojacking on the straight and narrow have largely fizzled.
Cryptojacking doesn’t require a download, starts instantly, and works efficiently. Making it even more insidious, hackers can sneak a mining component onto unsuspecting websites and pilfer cryptocurrency off of the legitimate site’s traffic. Illicit cryptojacking software has plagued unsuspecting sites like Politifact and Showtime. In one especially glaring incident from early December, a customer using the public Wi-Fi at a Buenos Aires Starbucks discovered that someone had manipulated the Wi-Fi system, delaying the connection in order to mine Monero with shoppers’ devices.
Despite those high-profile sneak attacks, researchers say that most cryptojacking is intentional, and that the practice is evolving in concerning ways.
“There was a steady increase in CoinHive usage through late November and early December, presumably driven by the surge in cryptocurrency valuations,” says Paul Ducklin, senior technologist at the security firm Sophos. “It’s hard to guess the motivation of an unknown website operator, but based on an analysis of our detection data for the month of November, most coinmining sites were doing it on purpose, and a significant majority were taking all the CPU they could get.”
Those elevated processing demands can do real damage to victim devices over time. One type of Android malware, called Loapi, mines cryptocurrency so intensely that it can cause physical harm to the devices it runs on.
In another innovation from November, security researchers at Malwarebytes Labs discovered that some cryptojackers had found a way to persist even after users closed the mining tab. To do so, the cryptojacker opens a stealthy browser window called a “pop-under” that hides behind the Windows taskbar clock.
Coinhive concedes that its attempt to close Pandora’s box with the AuthedMine version hasn’t quite worked so far, in part because adblockers and antivirus treat it the same way they do any other cryptojacker.
Sophos, for one, currently considers all cryptojackers to be “parasitic” malware. Browser developers, like those that work on the Chromium Project that underlies Google Chrome, have also considered ways to handle cryptojacking and whether to block it to protect users. The Opera browser recently announced that it is adding a mechanism called “NoCoin” to its built-in ad blocker to stop mining scripts.
A Browser Transformation
As cryptojacking has taken off, it has also served as a sort of conceptual unifier for the various mining technologies that have been slowly percolating over the years. Coinhive has even started promoting a type of anti-spam mechanism called a Proof of Work Captcha, an idea that has been around for years. Instead of checking whether a user is human, this tool solves processor-intensive mathematical mining puzzles to make it slower and less economically feasible for spammers to load certain pages or perform certain actions on a site. These captchas result in less annoyance for individual users, but they tax device processors and can take a long time to finish on older machines.
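The proof-of-work idea described above can be sketched as a hashcash-style exchange. This is an added example, not Coinhive's code: SHA-256 stands in for the mining hash, and the function names, the 120-second lifetime and the challenge layout are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)   # server-side key (constructed for this example)
MAX_AGE = 120             # seconds a challenge stays valid (assumed value)
_spent = set()            # challenges already redeemed, to block replay

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(bits, now=None):
    """Server: hand out a signed puzzle so no per-visitor state is stored."""
    now = time.time() if now is None else now
    body = f"{bits}:{int(now)}:{os.urandom(8).hex()}"
    return f"{body}:{_mac(body)}"

def _meets_target(challenge, counter, bits):
    # The puzzle: the hash must start with `bits` zero bits.
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(challenge):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    bits = int(challenge.split(":")[0])
    counter = 0
    while not _meets_target(challenge, counter, bits):
        counter += 1
    return counter

def verify(challenge, counter, now=None):
    """Server: one MAC check and one hash, whatever the difficulty."""
    now = time.time() if now is None else now
    try:
        bits_s, ts_s, nonce, mac = challenge.split(":")
        body = f"{bits_s}:{ts_s}:{nonce}"
        bits, issued = int(bits_s), int(ts_s)
    except ValueError:
        return False                      # malformed challenge
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return False                      # forged, or difficulty was lowered
    if not 0 <= now - issued <= MAX_AGE or challenge in _spent:
        return False                      # expired or replayed
    if not _meets_target(challenge, counter, bits):
        return False                      # work was not actually done
    _spent.add(challenge)
    return True
```

Each extra bit of difficulty doubles the client's expected work while the server's check stays at a single hash, which is why the cost falls hardest on bulk submitters and on older, slower devices.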
The more these mining technologies layer on top of each other—whether for legitimate purposes or scams—the more web users may begin to experience a changed browsing landscape. Between October and November, the number of mobile devices that encountered at least one cryptojacking script increased by 287 percent, according to analysis by the mobile security firm Wandera.
Cryptojacking could evolve to the point that the processing power of a user’s device matters more than ever to their browsing experience, and even access to information and services, says Dan Cuddeford, Wandera’s director of sales engineering. “I still like what in my mind are legitimate uses for cryptojacking,” Cuddeford says. “But we may be in a situation in the future where you’re able to get access more quickly because you’re able to solve these puzzles faster. The faster the CPU you have, the quicker you can progress to the next screen, and everyone could start to be treated differently.”
Some uses of cryptojacking still offer opt-in transparency, the approach the security community has pushed for to legitimize and de-stigmatize the technology. But within the melange of sketchy uses, it’s troubling to consider that in-browser mining could ultimately become its own form of paid prioritization, where the people who can afford more processing power are preferred by services online.