Tech. Science. Culture.
We may earn a commission from links on this page

Hackers Hijacking CPUs to Mine Cryptocurrency Have Now Invaded YouTube Ads

We may earn a commission from links on this page.

Cryptojacking is a relatively new malware issue that has gradually become a widespread problem. Bad actors are injecting a piece of JavaScript into websites and advertisements that harnesses a victims CPU to mine cryptocurrencies. The latest network to be targeted by cryptojackers is Google’s advertising service on YouTube.

As Ars Technica first reported on Friday, users on social media started complaining earlier this week that YouTube ads were triggering their anti-virus software. Specifically, the software was recognizing a script from a service called CoinHive. The script was originally released as a sort of altruistic idea that would allow sites to make a little extra income by putting a visitor’s CPU processing power to use by mining a cryptocurrency called Monero. This could be used ethically as long as a site notifies its visitors of what’s happening and doesn’t get so greedy with the CPU usage that it crashes a visitor’s computer. In the case of YouTube’s ads running the script, they were reportedly using up to 80 percent of the CPU and neither YouTube nor the user were told what was happening.

From Ars Technica:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers.


Trend Micro’s research found that in 10 percent of the cases a custom script was being used that still mined Monero but didn’t give CoinHive its usual 30 percent cut of the profits.

Gizmodo reached out to YouTube for comment on Trend Micro’s claims, and a spokesperson acknowledged the problem:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.


The part of the statement about the ads being blocked in less than two hours doesn’t align with Trend Micro’s assessment that the ad campaign has been a problem for at least a week. When we asked YouTube about this discrepancy, a spokesperson declined to comment any further.

But a source with direct knowledge of YouTube’s handling of the situation told Gizmodo that the two-hour measurement was just being applied to each individual ad run by the hackers, not the ads en masse. YouTube approves a clean ad submitted by a clean account set up by the hijacker. When the ad goes live, the attackers use various cloaking methods to subvert YouTube’s system and swap the ad with one that includes the malicious script. A couple hours later, the ad is detected, taken down, and the user who submitted it gets their account deleted. Wash. Rinse. Repeat. To sum this up in the most generous terms, YouTube and Google’s ad network, in general, has an ongoing and ever-evolving problem on its hands.


The thing about all of this is that cryptojacking isn’t that big of a deal. Flagged instances are becoming more frequent, but the harm to your privacy or system is virtually non-existent. What sucks is that someone out there (in this case the owner of a single CoinHive site key) is using your CPU power and electricity to make money and you don’t get a cut. You’re unwittingly funding cybercrime while YouTube makes its money from serving you ads. And from a big picture perspective, security flaws are being exposed. Just because the script wasn’t particularly dangerous this time around, doesn’t mean it couldn’t be some nasty ransomware next time.

[Ars Technica]