Future Tense

How Scammers Steal Your Computing Power to Mine Cryptocurrencies

Cryptojacking, explained.

Illustration of pickaxe hacking at a Bitcoin.
Natalie Matthews-Ramo

Cryptojacking, an internet scam found on thousands of websites in which nefarious actors mine cryptocurrencies on computers without users’ permission, has been on the rise since the prices of bitcoin and many other cryptocurrencies began spiking last year. The con involves websites stealing computational power from a visitor’s computer to execute the algorithms that are involved in cryptocurrency mining, which requires significant amounts of energy.

While it’s most common in the sketchier corners of the internet, hackers have also been able to inject the cryptojacking software onto websites for Showtime and PolitiFact and on e-commerce platforms. Patrons of a Buenos Aires, Argentina, Starbucks branch discovered in December that its Wi-Fi service was covertly using their computers for mining, and last week disgruntled netizens complained on social media that YouTube ads were also stealing mining power. AdGuard estimates websites can earn up to $326,000 per month from cryptojacking based on traffic to popular websites found to have the mining software.

Cryptocurrencies are digital currencies that exist on a blockchain, an encrypted digital ledger that securely keeps track of the order of transactions between computers. Mining in general requires a computer to solve extremely complex mathematical puzzles in order to produce a piece of data, which serves as a unit of a given cryptocurrency. The mining process needs to be difficult and energy-intensive to make sure that these data sets are scarce enough to serve as a currency. If it were too easy to mine a bitcoin, then the coin would have no value. Cryptojackers are essentially stealing the energy that mining requires.

One of the most popular tools among cryptojackers is a JavaScript plugin called Coinhive, which mines Monero, a privacy-focused cryptocurrency launched in 2014. Although not as valuable as bitcoin, a single Monero is worth roughly $300. And it’s easy to mine on a personal computer, unlike bitcoin, whose mining process usually requires large server farms. A portion of the processing power that a computer allots to a website with the Coinhive plugin goes toward the mining process. The creators of the tool then get a 22 percent cut of the mined Monero.

Coinhive and other in-browser miners are often employed in a deceptive manner. AdGuard released data in December showing that four of the most popular streaming and video-conversion sites (Streamango, RapidVideo, Openload, and OnlineVideoConverter), which collectively receive about 992 million monthly visits, take users’ processing power for mining without informing them.

To observe the effects of cryptojacking for myself, I went on publicwww.com, a search engine for source code, and found a list of websites that use Coinhive. Most of them appeared, based on their URLs, to feature either porn or pirated movies. I then visited five of the sites on separate Chrome windows at the same time, veering away from the NSFW content and toward websites for universities in Indonesia and Mexico. Only one site, the notorious Kiwi Farms forum, gave me the option to turn the miner on or off. Within 15 minutes, my laptop was hot to the touch, and the internal fan began whirring like a commercial airliner at takeoff. My cursor could no longer keep up with my finger’s trackpad movements, and the text that appeared on the screen was a good five words behind what I was typing on my keyboard. I opened the activity monitor, which showed a huge increase in processing:

Increase in processing power from effects of cryptojacking.

Yet, returning my computer to its regular functions didn’t require any help from my anti-virus software or trips to the Genius Bar. Simply exiting out of the offending websites did the trick.

My experience with cryptojacking was more annoying than destructive. But this is not to condone the practice—it does rely on deceit and can cause crashes and make your computer vulnerable to other malicious codes. There are also more invasive forms of the scam, like miners disguised as legitimate Android apps that users unknowingly download. “This is a theft of power and time from people,” said Tarah Wheeler, a cybersecurity policy fellow at the New America Foundation. (New America is a partner with Slate and Arizona State University in Future Tense.)

However, the creators of Coinhive say they didn’t intend for it to be malicious. Their website advises, “While it’s possible to run the miner without informing your users, we strongly advise against it. You know this. Long term goodwill of your users is much more important than any short term profits.”

I emailed the Coinhive team to ask if they knew whether anyone was using their miner legitimately, as all the coverage of their software I had seen had been in the context of the cryptojacking. They pointed me to a German image board called pr0gramm, which has been allowing users to access premium accounts with extra features in exchange for running the miner on a separate page. The team further claimed that some porn sites have been giving viewers the option to disable invasive pop-up ads by mining Monero. “Cryptomining in the browser is a very new concept and we (the web) still have to figure out how to use it properly. We have high hopes that a more ‘legitimate’ use of the miner will eventually prevail,” they wrote in the email.

At best, the outsourcing concept behind Coinhive could hold potential as a new way for websites to earn revenue. Users caught Pirate Bay, one of the most established internet hubs for sharing movies and other files, using Coinhive on some of its websites without prior notice in 2017. The site’s administrators explained in a blog post, “We really want to get rid of all the ads. But we also need enough money to keep the site running.”

While many weren’t pleased, some users actually seemed open to the idea of contributing spare processing power if it meant the end of pesky, and often crude, ads. Perhaps if Pirate Bay had presented cryptomining as a bargain beforehand, its users wouldn’t have been so irritated. As Wheeler, the cybersecurity policy fellow, said, “Cryptocurrency mining when you have the consent of the people that are visiting a site is like borrowing a cup of sugar from the neighbors. Cryptocurrency mining when you don’t have consent is like sneaking in and stealing the sugar.”

Almost everyone I conferred with about this monetization scheme mentioned SETI@home, a project at the University of California, Berkeley, that uses a radio telescope to listen for unnatural signals that could be evidence of extraterrestrial life. Whereas previous iterations of the project required a supercomputer to analyze all the data, researchers in 1999 released a software program to the general public that allowed people to donate their computers’ processing power while not in use. More than 4 million people have participated, and the collective effort of their idle computers has turbocharged the search. SETI represents what current efforts to outsource cryptomining could aspire to be. “[SETI] actually asked people if they could use the computers. … The research community has already found a way to do this with permission,” said Yvo Desmedt, professor of computer science at the University of Texas, Dallas.

However, there are many hurdles to jump before this vision can come to fruition. For the majority of people who are not familiar with the mechanics of plugins like Coinhive, the prospect of a website co-opting their computers to mine cryptocurrency may seem invasive. Bill Maurer, director of the Institute for Money, Technology and Financial Inclusion at the University of California, Irvine, said, “It depends on a pretty sophisticated consumer … you need to have a certain level of geekiness.”

And this revenue model also, of course, relies on the viability of cryptocurrencies, which have seen an overall slump in prices in 2018. Extreme volatility and high transaction costs have often precluded bitcoin owners from using it for purchasing—the online payment platform Stripe recently announced that it would no longer accept bitcoin as payment. The possibility of a large-scale hack or bubble burst bringing the whole currency system down may also prevent companies from implementing a cryptomining model. Nicole Becher, a fellow at New America’s Cybersecurity Initiative, surmised, “In the advertising world, you have to be able to sell this to a C-level [senior management] and say, ‘This is actually a new, viable to make money, so you can actually make payroll and actually become profitable.’ It’s all cool and nerdy, but at the end of the day, doesn’t it really come down to that?”