Skip to content ↓ | Skip to navigation ↓

A couple of years ago it felt like you couldn’t turn your head in any direction without seeing another headline about cryptomining and – its more evil sibling – cryptojacking.

Countless websites were hijacked, and injected with cryptocurrency-mining code designed to exploit the resources of visiting computers. Victims included the likes of the LA Times, and political fact-checking website Politifact.

Even a European water utility’s operational network was said to have fallen foul of hackers planting cryptomining code.

In one infamous case, thousands of government websites in the United States and UK – including the Information Commissioner’s Office (ICO) and USCourts.gov – were simultaneously hijacked by cryptomining code after hackers poisoned a widely-used accessibility plugin.

Some developers even coded their apps to “unobtrusively” mine for cryptocurrency in lieu of users taking out a subscription, and hundreds of thousands of unpatched IoT devices were cryptojacked.

Meanwhile, well-known sites such as Showtime, Salon.com and The Pirate Bay, willingly ran cryptomining code on their webpages as they hunted for a way to generate revenue in a world where online ads were increasingly being blocked.

What drove all of this cryptomining was a sharp increase in the value of cryptocurrencies, combined with the emergence of Coinhive – a service which offered a simple way to turn any webpage into a source of revenue. Just a line or two of Javascript, embedded on a webpage, could seize CPU cycles from visiting computers and mine for cryptocurrency within the user’s browser.

But in February 2019, Coinhive shut down, saying that because the cryptocurrency market had crashed and the hard fork of the Monero cryptocurrency its service was no longer economically viable.

Researchers at the University of Cincinnati, and Lakehead University in Canada, decided to investigate whether hackers have continued to cryptojack since the demise of Coinhive, and what – if any – changes there have been.

In their paper, entitled “Is Cryptojacking Dead after Coinhive Shutdown?”, researchers Said Varlioglu, Bilal Gonen, Murat Ozer, and Mehmet F. Bastug examined 2,770 websites that had been running Coinhive’s cryptomining code before it was shut down.

99% of the examined websites were no longer cryptojacking. However, although the vast majority of cryptojacking websites were no longer cryptomining, the researchers were able to track eight unique mining scripts on the remaining 1% of cryptojacking sites.

As a result of this discovery, the researchers say they were able to detect 632 unique cryptojacking websites, some of which receive “millions of visitors per year”.

Although there’s still clearly room for improvement, that’s a dramatic reduction from three years ago – when Coinhive’s script was running on 30,000 websites.

Unfortunately for internet surfers, today’s in-browser cryptomining scripts are not like Coinhive. They are written with obfuscation in mind, and more effort is made to attempt to avoid detection.

However, the researchers say “a regular user can easily detect a cryptojacking website based on common patterns”:

WebSockets, WebWorkers and WebAssembly (wasm) con-nections underlie a Cryptojacking activity to get the connections robust. The existence of such connectionsmay indicate a cryptojacking activity. Miners use WebSocket (wss://) protocol to make the user keep connected. WebSocket is used to establish a connection with the server. It is a different protocol from HTTP. It provides full-duplex communication channels over a single TCP connection. Thus, it is used as acontinuous/persistent connection between a user and a server.

Besides that, a cryptojacking website runs four JavaScript workers as threads connecting blob links. Four JavaScript workers redirect the user to miner deployers. A blob link is seen as four different links with octet stream type in Chromenetwork activities. Thus, four java workers are employed by a direct server (mining pool) or another website (minerdeployer). Also, those call stack threads are called “LongTasks” by Chrome.

Hmm. I’m not sure I’d agree that a “regular user” would be able to “easily” detect that.

The report’s conclusion, however, makes for some encouraging reading about the state of cryptojacking today:

“Cryptojacking is not dead after the Coinhive shutdown. It is still alive, but not as attractive as it used to be.”

Ultimately, it’s all going to be about the money. If they can make money out of it, they’ll do it. If they feel it’s not a good source of income, or there are easier and more effective ways to make money, then that’s where the cryptojackers will go next.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.