From Porn Sites to Starbucks Wi-Fi, CPUs Are Getting Hijacked to Mine Cryptocoins

Image Source: Starbucks

It’s one thing to wake up and discover that you missed the boat on a cryptocurrency boom that’s making a handful of people very wealthy. It’s another thing to find out that your computer is making someone else rich while it gives you poor performance and jacks up your electricity bill. With the spread of cryptojacking, that infuriating scenario is happening to more people.


Cryptojacking first hit the mainstream back in September when visitors to the torrent site The Pirate Bay noticed something weird going on. Whenever the users visited the page, their CPU performance turned into trash. It turned out that the administrators of the site were trying out a new tool called Coinhive. By adding a simple script to a webpage, administrators can use a little bit of a visitor’s processing power to mine the cryptocurrency known as Monero. The major cryptocurrencies use a complex equation that takes a lot of processing power to solve. Once the equation is solved a new unit of currency is created, and the miner responsible for the completion gets to keep it. Monero works this way, and when a person creates a Coinhive account, they can use their site visitors’ computers to create a big network of processing power that pumps that cryptocurrency into their personal wallet.

When The Pirate Bay tried it out, it was just an experiment to see if the scheme could help pay the non-profit site’s bills. Administrators had screwed up and an error in the settings caused the script to consume all of a user’s resources. In its most noble implementation, an administrator could just use a little bit of a visitor’s CPU power, fully inform the user of what’s happening, and get a little extra digital money for providing a service people want. That all sounds nice, but it was inevitable this would be used for evil.

In just a matter of months, the abuse of Coinhive’s service and similar scripts has exploded. Recently, researchers have found that almost one billion visitors to a handful of video streaming websites had unwittingly been mining Monero for one or more third parties. And at least one Starbucks location was recently found to be using Coinhive on patrons who connected to its wi-fi network.

In the case of the video sites, researchers at AdGuard wrote in a blog post on Wednesday that they had discovered that four popular streaming sites—Openload, Streamango, Rapidvideo, and OnlineVideoConverter—were all guilty of cryptojacking visitors’ computers without informing them. You may not have heard of these sites, but because users can upload everything from pirated movies to pornography on some of them, they are quite popular indeed. On three of the four sites, embedded video players were delivering the nefarious script, and AdGuard’s people suspect that administrators weren’t necessarily aware of what was happening. With the four sites reaching a combined 992 million visitors a month, AdGuard estimates that a staggering $326,000 worth of Monero could be generated in that time.

That figure, of course, doesn’t take into account the lost productivity that visitors may have experienced or the rise in energy costs distributed amongst the users. Mining cryptocurrency is a game that’s become almost exclusively the realm of people who can afford large specialized mining operations. Warehouses of servers use high-powered processors and tons of electricity to beat everyone and win the tokens. But turning a network of people who are watching pirated videos or porn into a big supercomputer is a lot cheaper. Security firm Trustwave estimated that if Coinhive runs on a computer 24 hours a day for a month, it would add somewhere between $2.90 and $5 to a user’s electricity bill. That might not seem like a lot, but multiply the highest estimate by 992 million people and you get just over $4.9 billion in energy costs that a cryptojacker just saved by crowdsourcing.

But Coinhive isn’t intended to run 24 hours a day. Its script is just supposed to run when a site’s window is open in your browser. Unfortunately, according to Bleeping Computer, some cryptojackers have been using a simple piece of JavaScript to open a tiny hidden window behind a user’s taskbar. If the user just shuts down the window they’re browsing in and doesn’t close the full application, mining could persist indefinitely.


And it’s not just individuals being targeted. Last week, a patron of Starbucks in Buenos Aires tweeted a screenshot at the coffee giant that showed its wi-fi was being used to deploy Coinhive’s script.


On Monday, Starbucks finally responded to the man’s warning and tweeted back:

As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our internet provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely.


A Starbucks spokesperson told Motherboard that this was an isolated incident and that the wi-fi wasn’t run by Starbucks. “We don’t have any concern that this is widespread across any of our stores,” the spokesperson said. Giving Starbucks the benefit of the doubt, let’s remember that the company does control the wi-fi at thousands of other locations. When you consider that dozens or hundreds of people will likely use the wi-fi at each location every day, a lucky hacker could pull in a huge score.

In early November, Ars Technica pointed out a report from security researcher Willem de Groot that found that hackers had compromised and injected Coinhive’s script into the code of close to 2,500 websites. According to de Groot, 85 percent of the sites were generating Monero for two Coinhive accounts, and he has reason to believe the scattered accounts that make up the other 15 percent belong to a single person or group.
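One way to do the kind of grouping described above, as an added example (not code from the article or from de Groot's report): scan crawled page source for Coinhive's embed and tally pages by the site key they mine for. The loader path and the `CoinHive.Anonymous`/`User`/`Token` constructor names follow Coinhive's published embed snippet; the function names, sample pages and keys are constructed for illustration.

```javascript
// Added example: find Coinhive embeds in page source and group pages by site key.
// All sample pages, URLs and site keys below are constructed.

// Loader URL and constructor names as used in Coinhive's public embed snippet.
const LOADER_RE = /<script[^>]+src=["'][^"']*coinhive\.com\/lib\/[^"']+["']/i;
const KEY_RE = /new\s+CoinHive\.(?:Anonymous|User|Token)\(\s*["']([A-Za-z0-9]+)["']/g;

// Returns { loader, keys } for one HTML document: whether the miner library is
// loaded, and the distinct site keys passed to a miner constructor.
function findCoinhive(html) {
  const keys = new Set();
  for (const m of html.matchAll(KEY_RE)) keys.add(m[1]);
  return { loader: LOADER_RE.test(html), keys: [...keys] };
}

// Groups page URLs by the site key they mine for, largest group first.
function tallyByKey(pages) {
  const byKey = new Map();
  for (const { url, html } of pages) {
    for (const key of findCoinhive(html).keys) {
      if (!byKey.has(key)) byKey.set(key, []);
      byKey.get(key).push(url);
    }
  }
  return [...byKey.entries()]
    .map(([key, urls]) => ({ key, urls }))
    .sort((a, b) => b.urls.length - a.urls.length);
}

// Builds constructed page source containing the embed for a given (fake) key.
const embed = (key) =>
  `<html><script src="https://coinhive.com/lib/coinhive.min.js"></script>` +
  `<script>var m = new CoinHive.Anonymous('${key}');</script></html>`;

// Constructed crawl results: three pages share one key, one uses another, one is clean.
const SAMPLE_PAGES = [
  { url: "https://shop-a.example/", html: embed("KEYAAAA1111") },
  { url: "https://shop-b.example/", html: embed("KEYAAAA1111") },
  { url: "https://shop-c.example/", html: embed("KEYBBBB2222") },
  { url: "https://shop-d.example/", html: embed("KEYAAAA1111") },
  { url: "https://shop-e.example/", html: "<html><script src='/app.js'></script></html>" },
];

for (const { key, urls } of tallyByKey(SAMPLE_PAGES)) {
  console.log(key, urls.length, urls.join(" "));
}
```

A static scan like this misses embeds that are obfuscated or loaded through a proxy domain, so a clean result is not proof that a page carries no miner.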


The Google Play store has also been a ripe target for cryptojackers. In October, someone managed to sneak a wallpaper app into the store with Coinhive’s script; it was downloaded 50,000 times. A week later, two more offending apps were discovered in the store that had a combined total of 15 million downloads.

It’s clear this is an exploding problem. If you notice a strange slowdown in your computer’s performance, or the fan suddenly starts working overtime, you should check your CPU usage for anything fishy. We have some tips for protecting yourself against Coinhive, and AdGuard has some more info about recent developments in the cryptojacking sphere.



Just for giggles, I decided to take a look at the source code for this page to see if coinhive was in there.

It was not.

But this was.

Touché, Gizmodo.