Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused
from the who-knew? dept
So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. It ranges from gamers being unable to buy graphics cards, thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.
At the heart of a lot of this drama is cryptocurrency mining software company Coinhive, whose software is popping up in both malware-based and above-board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitors' CPU cycles to help mine Monero. The company's website insists that its product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars' worth of Monero (depending on what Monero is worth on any given day).
The folks behind the company told Motherboard this week they were blindsided by the way their software has quickly been adopted by both non-transparent websites, and malware authors looking to make some additional money:
"We were quite overwhelmed by the extremely fast adoption," a member of the Coinhive team told Motherboard in an email. "In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive."
You developed a technology with the capability of covertly hijacking a user's CPU cycles to make additional money, sold it to an industry with longstanding problems with both transparency and self-defeating practices, during an era where everything but the kitchen sink is hackable, and you're honestly surprised it's being abused? While it's obvious the malware itself isn't Coinhive's fault, this seems like either a notable lack of foresight or a dash of disingenuous denial.
One team member attempted to downplay the scope of the problem, hoping nobody would notice the new reports this week indicating that over 4,000 UK and U.S. websites have been compromised by malware that embeds the Coinhive software:
"'Cryptojacking' will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites," the Coinhive team member said. They caveated that reports of malicious Coinhive use "have slowed down tremendously, as 'hackers' realize there's not much to gain with our service."
Yes, not much to gain outside of, well, making money off of countless IT and server admins who don't realize this is even a threat yet in hundreds of countries around the world. It's worth noting that some in the security community have accused Coinhive of being complicit because they take a 30% cut of all of the cryptocurrency mining that occurs with their product, regardless of whether it's via malware implementations:
#Coinhive receives a 30% cut of all XMR mined through their platform. @SGgrc called them "essentially complicit" with #cryptojacking in a podcast back in November. https://t.co/7noxQURjsy
— Bad Packets Report (@bad_packets) February 11, 2018
As such there's little motivation on their end to thwart the trend of poorly implemented or downright hostile applications of the outfit's product, and it's not quite the kind of company journalism funding revolutions should probably be built upon. One anonymous Coinhive developer half-jokingly told Motherboard the company was doing websites a service by forcing them to be more aware of sloppy code or outdated server configurations:
"Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations."
Again, poor, non-transparent implementation of Coinhive's product by legitimate websites isn't necessarily Coinhive's fault. Nor is malware authors' embedding of Coinhive into their own, more malicious work. But Coinhive's lack of foresight and casual response to some fairly major issues, as well as the fact that it takes a cut of malware implementations, would seem to open the door to other, similar companies eager to elbow in on Coinhive's success with a bit more foresight and a dash more professionalism.
Filed Under: abuse, coinhive, cryptocurrency, hacking, mining
Companies: coinhive
Reader Comments
Re:
No-one "expect(s) Coinhive to police all the uses of its product." This is merely about acknowledging that the problem exists, and not acting so surprised about it. Google can't be 100% effective in policing YouTube, but it does make a reasonable effort.
Re: Re:
On the other hand, Coinhive was DESIGNED to facilitate abuse. That's its purpose. It's baked in. The disingenuous denials from the lying filth at Coinhive, notwithstanding, it's obvious on inspection that they not only planned for this, they went out of their way to facilitate it. This is rather similar to many of the major spam operations which continue to insist that they had no idea their massive spamming engines would be used...to spam. That it's just an unforeseen accident. That they never intended it. That it's just a few bad actors.
All of this is of course complete bullshit. Coinhive knew exactly what they were doing. Coinhive is behind this and should be treated the same as any other organized criminal gang. For once, let's see the CFAA thrown at some assholes who deserve it.
Re: Re: Re:
I would like to disagree with you. It is entirely possible that they are completely ignorant. You have the advantage of foresight. It is completely obvious that it was going to be abused now. What about the first time it was released? What it will come down to is the response. It shouldn't be difficult to require your website to be registered in order to mine. Assuming that Coinhive has a pool to go along with their software. Still, hackers will figure out ways around it, but that would be a good first step.
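The registration idea in the comment above, worked through as an added example (this is illustrative code written for this page, not Coinhive's pool code, and the site keys, domains and log format are all constructed placeholders): the pool keeps a registry of which origins each site key was registered for, credits a share only when the browser-supplied Origin of the mining connection matches that registry, and logs every rejection so the operator can see which keys are turning up on unregistered (for instance, compromised) sites.

```python
# Added example, not Coinhive's code: pool-side origin check for registered site keys.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed registry: site key -> origins (scheme://host[:port]) it was registered for.
# The keys are placeholders, not real Coinhive site keys.
REGISTERED_SITES: Dict[str, Set[str]] = {
    "SITEKEY_EXAMPLE_A": {"https://example-game.test"},
    "SITEKEY_EXAMPLE_B": {"https://news.example.test", "https://www.news.example.test"},
}


@dataclass
class ShareDecision:
    accepted: bool
    reason: str


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Reduce an Origin header value to scheme://host[:port]; None if it is unusable.

    Browsers send the literal string "null" for opaque origins (sandboxed frames,
    data: URLs), which must never match a registered site.
    """
    if not origin or origin == "null":
        return None
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    if parsed.port:
        host = f"{host}:{parsed.port}"
    return f"{parsed.scheme}://{host}"


def check_share(site_key: str, origin_header: Optional[str], log: List[str]) -> ShareDecision:
    """Decide whether a submitted share is credited to site_key.

    Every rejection is appended to `log` (constructed one-line format) so that
    keys being used from unregistered origins are visible to the operator.
    """
    allowed = REGISTERED_SITES.get(site_key)
    if allowed is None:
        log.append(f"reject key={site_key} reason=unknown_key")
        return ShareDecision(False, "unknown_key")
    origin = normalize_origin(origin_header)
    if origin is None:
        log.append(f"reject key={site_key} reason=missing_origin")
        return ShareDecision(False, "missing_origin")
    if origin not in allowed:
        log.append(f"reject key={site_key} origin={origin} reason=unregistered_origin")
        return ShareDecision(False, "unregistered_origin")
    return ShareDecision(True, "ok")


def abuse_report(log: List[str]) -> Dict[str, int]:
    """Count unregistered-origin rejections per site key from the log lines above."""
    counts: Dict[str, int] = {}
    for line in log:
        if "reason=unregistered_origin" not in line:
            continue
        key = line.split("key=", 1)[1].split(" ", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events: List[str] = []
    # Constructed traffic: one legitimate share, two from a site the key was never registered for.
    check_share("SITEKEY_EXAMPLE_A", "https://example-game.test", events)
    check_share("SITEKEY_EXAMPLE_A", "https://hacked-shop.test", events)
    check_share("SITEKEY_EXAMPLE_A", "https://hacked-shop.test", events)
    check_share("SITEKEY_EXAMPLE_B", "null", events)
    print("\n".join(events))
    print(abuse_report(events))
```

The check leans on the Origin header that a browser sets itself on the miner's connection, which a page script cannot change; a non-browser client can forge it, which is exactly the "hackers will figure ways around it" caveat the comment raises, so the value of the registry is less in blocking a determined miner than in giving the operator a record of which keys are being used where they were never registered.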
Re: Re: Re: Re:
While possible, it's about as credible as a revenge porn site claiming "We couldn't possibly have predicted that someone would abuse our service by posting images without the subject's permission! The $2000 per image fee to remove the images is necessary to cover the cost of doing so."
These are people not just writing the software, but setting up a business and a revenue transfer system. They'll have thought about the implications.
Re: Re: Re: Re:
No. It is not possible. I realize that doing actual research and reading is against the creed of most people who post here, but if you actually LOOK AT THEIR DESIGN, it is obvious on inspection to the trained eye that it was designed for abuse.
And even without that, only a pathetically naive, hopelessly ignorant fool would believe for even a moment that people with the technical sophistication required to design and build Coinhive are somehow, curiously, amazingly, magically unaware of how it works.
Your pathetically feeble attempt to make excuses for the abusive filth at Coinhive marks you as either a moron or a shill. Which is it?
Re: Re: Re: Re: Re:
Do you have any data in support of your claim or is this just another of many childish rants?
Re: Re: Re: Re: Re: Re:
He's too busy name calling and trying to act superior to actually get into a discussion as to why his conclusion is the correct one, of course, but he'll demand that everyone believe it without question nonetheless.
Re: Re:
I still don't see how they're so different. Yes, Coinhive stands to make potentially more from abuse of its platform than does Google (though with the cost of ads that's a subject for more investigation). And maybe Coinhive's platform is much more easily abused, something the developers should and possibly did recognize.
But scale isn't really part of the equation here. They're both platforms that can be abused and through which both providers profit from abuse and non-abuse alike. If you condemn one you condemn both.
I'm no fan of Coinhive and how it can be abused but I'd urge caution before lighting up the torches and taking the pitchforks out for a stroll. Where is the line drawn clearly enough that some legislator out to make a name for him/herself can't abuse /that/?
Re: Please read more carefully....
Not that they haven't supplied a proof of concept as to how to abuse unlimited in-browser computation....
Now, about what might be done about that moral hazard....if Coinhive is getting a cut, maybe....
maybe they should refuse coins from untrusted sources....
maybe they could (and I realize this is difficult) make a point of contacting those doing the mining in a web browser....
but both of these glib solutions have rabbit holes to go down, so
maybe somebody has a better idea.... like me actually controlling my computer and knowing what it does, and someone making that convenient while still allowing me to read techdirt....
Re: Re: Please read more carefully....
It's the other sites you have to worry about.
Re: Re: Re: Please read more carefully....
The wingnuts would often point me back to sites like WorldNetDaily for "proof." Sites that monetize the wingnuts by selling them books, bumper stickers and whatnot for all their conspiracy theories. And displaying ads for gold scams and whatnot. Wingnuts are a lucrative demographic.
It seems reasonable to expect that such sites are now monetizing the wingnuts with Coinhive and other more modern methods.
Which would answer the question of why certain wingnuts keep posting here despite their hatred of the site and its users. It's safer than sites that would cater to their, er, point of view.
Re:
I'm not sure where to start listing the massive fundamental differences, but there's a lot of them...
Playing dumb trumps admitting greed
Re: Playing dumb trumps admitting greed
Cheers… Ishy
1. Install the software.
2. Mine for currency.
3. Profit!
Step three is the one that loses me. You have this currency that's online only and I've never understood how to turn that into actual money. Or how to take actual money and buy online currency with it. You know, for when you might want to use something like Bitcoin to make a payment without having to run a mining program and hope it comes up with the required amount in a reasonable amount of time.
Different sites and services say they accept things like Bitcoin, so how do I get Bitcoin? "Well, uh, you have to install a wallet, a miner, run the miner..."
So I just get free cryptocurrency out of thin air? Cool, sign me up.
Re:
There are coin exchanges which let you buy and sell the various cryptocurrencies. They will also keep your coin wallets for you, but that can be risky as several have been hacked and drained of their holdings.
Re: Re:
(While people who talk about the gold standard tend to be nuts, at least gold is a physical object. Our economic system has gone several layers of abstraction beyond "exchange shiny things".)
Cryptocurrency is like a perfect satire of how currency works.
Re:
If you look at the history of money, "actual" is a flexible concept. Gold exists, though its currency value is much higher than its utility value. Rai stones were used with an IOU system. Most modern currencies are little more than numbers in a computer; if Bitcoin had any "official" recognition, we might say it's more real than the US dollar (there's a proof-of-work, whereas the Fed can just make up US dollars).
In other words, "actual money" is anything that's generally treated as money.
Re: Re:
OK, mainstream money. :)
Hackable kitchen sinks
So what if we supply automatic weapons to five year olds?
Re: I started hating cryptocurrencies
But, I do love the way that your anti-cryptocurrency post is linked to what appears to be a honeypot site to "earn" them for "free". Still not sure where you really stand, huh?
Re: Re: I started hating cryptocurrencies
Or, to be charitable, possibly the linked-to site could maybe be (the? a?) place where he(?) got into the cryptocurrency thing, and he(?) just didn't explain it properly. Seems less likely to me, but I suppose it's not impossible.