{"id":2586,"date":"2024-09-25T18:55:23","date_gmt":"2024-09-25T18:55:23","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2586"},"modified":"2025-07-29T05:28:27","modified_gmt":"2025-07-29T05:28:27","slug":"coinhive-the-script-stealing-your-memory","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/coinhive-the-script-stealing-your-memory\/","title":{"rendered":"Coinhive: The script stealing your memory"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"477\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/475467613.webp\" alt=\"\" class=\"wp-image-2592\" style=\"width:571px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>Make no mistake about it, most cyber criminals are trying to turn a buck. Besides holding files to ransom, selling stolen data or stealing banking credentials, hackers can earn a lot of money through what\u2019s known as \u2018coin miner\u2019 tools.\u00a0<br><br>As we\u2019ve <a href=\"https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=70\">touched on before<\/a>, mining trojans are generally used against enterprises in the hopes of enslaving servers with high processing power. 
The higher processing power means more crypto-currency equations can be solved which, in turn, means more currency for the attacker \u2013 all at the expense of the victim\u2019s computing resources.<br><br>Last week, however, an apparent attack against <a href=\"https:\/\/www.theregister.co.uk\/2017\/10\/13\/politifact_mining_cryptocurrency\/\" target=\"_blank\" rel=\"noopener\">PolitiFact<\/a> illustrated a new tactic in the crypto-mining game: rather than attack one large enterprise with high processing power, criminals tried to subjugate the processing power of millions of ordinary users.<br><br>This was achieved through the alleged weaponisation of a legitimate mining operation called <a href=\"https:\/\/coin-hive.com\/\" target=\"_blank\" rel=\"noopener\">Coinhive<\/a>.\u00a0<br><br><strong>What is Coinhive?<\/strong><br><br>Coinhive is a new player in the coin mining game. It is pitched as an alternative to advertisements, enabling websites to earn revenue through the processing power of their readers. Essentially, Coinhive is a piece of JavaScript added to the website, which, when a user visits the webpage, is loaded in the visitor\u2019s browser. The result is a spike from the browser process (which the user might feel as a slower response) with any coins mined going to the site\u2019s owner.<br><br>In the PolitiFact case, however, it looks as though the site owners did not install Coinhive. According to reports, it seems an attacker injected it into the page in order to tap into the computing power of the site\u2019s more than 3 million monthly users.\u00a0<br><br><strong>How does it work?<\/strong><br><br>Below we\u2019ll unpack how Coinhive operates. 
We\u2019ll be looking at its legitimate function as an alternative to advertisements when employed by a website owner:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"588\" height=\"198\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-2-1.webp\" alt=\"\" class=\"wp-image-2593\"\/><\/figure>\n\n\n\n<p><br><em>Figure 1 Coinhive script<\/em><br><br><strong>Observed incidents<\/strong><br><br><a href=\"https:\/\/www.cryptocoinsnews.com\/pirate-bay-resumes-mining-monero-using-visitor-cpu-power\/\" target=\"_blank\" rel=\"noopener\">Pirate Bay<\/a> is one example of a site using Coinhive as a way to monetize. It should be noted that most ad blockers will stop mining scripts (and Google Chrome also offers a dedicated blocker called <a href=\"https:\/\/chrome.google.com\/webstore\/detail\/minerblock\/emikbbbebcdfohonlaifafnoanocnebl?hl=en\" target=\"_blank\" rel=\"noopener\">minerBlock<\/a>).\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"674\" height=\"142\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-2-1.webp\" alt=\"\" class=\"wp-image-2594\"\/><\/figure>\n\n\n\n<p><br><em>Figure 2 Pirate Bay -coinhive js<\/em><br><br>The above snapshot is the Coinhive script found on Pirate Bay. The throttle\u2019s rate is set to 0.8 (in the PolitiFact example, there was no throttle set which means there was no maximum CPU usage \u2013 a sign its installation was malicious). 
\u00a0Next, we\u2019ll see that even visitors to Pirate Bay using private browsing were susceptible to the miner:\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"199\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-2-1.webp\" alt=\"\" class=\"wp-image-2595\"\/><\/figure>\n\n\n\n<p><br><em>Figure 3 coinhive- enable private browsing site<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"762\" height=\"134\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-2-1.webp\" alt=\"\" class=\"wp-image-2596\"\/><\/figure>\n\n\n\n<p><em>Figure 4 chrome process spike<\/em><br><br>Unwitting users tend to blame the drop in performance on their browser, but it is in fact the mining script eating their memory. Looking specifically inside Google Chrome\u2019s processes, we observed the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"446\" height=\"109\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-2-1.webp\" alt=\"\" class=\"wp-image-2597\"\/><\/figure>\n\n\n\n<p><em>Figure 5 Extension: SafeBrowse -cpu utilization<\/em><br><br>A usage spike can be seen in the SafeBrowse extension, where the mining script is present.<br><br><strong>A new era in mining?<\/strong><br><br>A <a href=\"https:\/\/blog.adguard.com\/en\/crypto-mining-fever\/\" target=\"_blank\" rel=\"noopener\">recent study<\/a> found that 220 of Alexa\u2019s top 100,000 sites were using either Coinhive or JSEcoin (another popular browser mining script) to put their audience\u2019s computing power to work. 
These sites had a total of 500 million monthly users and, over the study\u2019s three-week period, more than $40,000 was generated.<br><br>The study also found that the sites using the mining scripts were predominantly pirate video streaming, torrent, and pornography sites.\u00a0<br><br>Ultimately, if a website asks for your permission and you\u2019re happy to have your computer\u2019s processing power put to work for someone else\u2019s gain, then you have nothing to worry about. If, on the other hand, you notice a spike in CPU usage while browsing \u2013 and you have no idea why that\u2019s happened \u2013 it\u2019s a good idea to install either an ad blocker or a mining blocker.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Make no mistake about it, most cyber criminals are trying to turn a buck. Besides holding files to ransom, selling stolen data or stealing banking credentials, hackers can earn a lot of money through what&rsquo;s known as &lsquo;coin miner&rsquo; tools.&nbsp; As we&rsquo;ve touched on before, mining trojans are generally used against enterprises in the hopes 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2592,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2586"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2586\/revisions"}],"predecessor-version":[{"id":4276,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2586\/revisions\/4276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2592"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}