Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

from the who-knew? dept

Thu, Feb 15th 2018 10:44am — Karl Bode

So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

At the heart of a lot of this drama is crypotcurreny mining software company Coinhive, whose software is popping up in both malware-based and above board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).

The folks behind the company told Motherboard this week they were blindsided by the way their software has quickly been adopted by both non-transparent websites, and malware authors looking to make some additional money:

"We were quite overwhelmed by the extremely fast adoption,” a member of the Coinhive team told Motherboard in an email. “In hindsight, we were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on pr0gramm.com before the launch. Which is not at all what happened in the first few days with Coinhive."

You developed a technology with the capability of covertly hijacking a user's CPU cycles to make additional money, sold it to an industry with longstanding problems with both transparency and self defeating practices during an era where everything but the kitchen sink is hackable, and you're honestly surprised it's being abused? While it's obvious the malware itself isn't Coinhive's fault, this seems like either a notable lack of foresight, or a dash of disingenuous denial.

One team member attempted to downplay the scope of the problem, hoping nobody would notice the new reports this week indicating that over 4,000 UK and U.S. websites have been compromised by malware that embeds the Coinhive software:

"'Cryptojacking’ will probably be here to stay for a while. At least until the rising difficulty in the Monero network (and others) makes it impracticable or Browser vendors somehow block CPU heavy websites,” the Coinhive team member said. They caveated that reports of malicious Coinhive use “have slowed down tremendously, as ‘hackers’ realize there's not much to gain with our service."

Yes, not much to gain outside of, well, making money off of countless IT and server admins who don't realize this is even a threat yet in hundreds of countries around the world. It's worth noting that some in the security community have accused Coinhive of being complicit because they take a 30% cut of all of the cryptocurrency mining that occurs with their product, regardless of whether it's via malware implementations:

#Coinhive receives a 30% cut of all XMR mined through their platform. @SGgrc called them "essentially complicit" with #cryptojacking in a podcast back in November.https://t.co/7noxQURjsy

— Bad Packets Report (@bad_packets) February 11, 2018

As such there's little motivation on their end to thwart the trend of poorly implemented or downright hostile applications of the outfit's product, and it's not quite the kind of company journalism funding revolutions should probably be built upon. One anonymous Coinhive developer half-jokingly told Motherboard the company was doing websites a service by forcing them to be more aware of sloppy code or outdated server configurations:

"Food for thought; and we only mean this half serious: embedded miners in compromised websites are usually detected way sooner than other malicious browser scripts. Website owners recognize the breach and are finally forced to update their shitty WordPress installations."

Again, poor, non-transparent implementation of Coinhive's product by legitimate websites isn't necessarily Coinhive's fault. Nor is malware authors embedding Coinhive into their own, more malicious work. But Coinhive's lack of foresight and casual response to some fairly major issues--as well as the fact it's taking a cut of malware implementations--would seemingly open the door to other, similar companies which may be eager to elbow in on Coinhive's success with a bit more foresight and a dash more professionalism.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: abuse, coinhive, cryptocurrency, hacking, mining
Companies: coinhive

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

An Onymous Coward (profile), 15 Feb 2018 @ 11:18am

I have to ask, Karl, how this differs from people posting offensive, libelous, or otherwise inappropriate content on YouTube given Google's complicity in that they also benefit from the additional content. It seems a double standard to expect Coinhive to police all the uses of its product but not expect Google to police theirs.
[ link to this | view in chronology ]
- Roger Strong (profile), 15 Feb 2018 @ 11:50am
  
  Re:
  If Google benefits from offensive of libelous content, it's not on the same level as Coinhive's 30% cut.
  
  No-one "expect(s) Coinhive to police all the uses of its product." This is merely about acknowledging that the problem exists, and not acting so surprised about it. Google can't be 100% effective in policing YouTube, but it does make a reasonable effort.
  [ link to this | view in chronology ]
  - Anonymous Coward, 15 Feb 2018 @ 12:13pm
    
    Re: Re:
    In addition: YouTube wasn't explicitly designed from the first day to be a channel for libel. It was designed to be a place to post and watch videos. Some of those are libelous, some are abusive, some are (pick your term), but the overwhelming majority are none of these things.
    
    On the other hand, Coinhive was DESIGNED to facilitate abuse. That's it's purpose. It's baked in. The disingenuous denials from the lying filth at Coinhive, notwithstanding, it's obvious on inspection that they not only planned for this, they went out of their way to facilitate it. This is rather similar to many of the major spam operations which continue to insist that they had no idea their massive spamming engines would be used...to spam. That it's just an unforseen accident. That they never intended it. That it's just a few bad actors.
    
    All of this is of course complete bullshit. Coinhive knew exactly what they were doing. Coinhive is behind this and should be treated the same as other organized criminal gang. For once, let's see the CFAA thrown at some assholes who deserve it.
    [ link to this | view in chronology ]
    - Anonymous Coward, 15 Feb 2018 @ 1:51pm
      
      Re: Re: Re:
      "All of this is of course complete bullshit. Coinhive knew exactly what they were doing. Coinhive is behind this and should be treated the same as other organized criminal gang. For once, let's see the CFAA thrown at some assholes who deserve it."
      
      I would like to disagree with you. It is entirely possible that they are completely ignorant. You have the advantage of forsite. It is completely obvious that it was going to be abused now. What about the first time it was released? What is will come down to is the response. It shouldn't be difficult to require your website to be registered in order to mine. Assuming that coinhive has a pool to go along with their software. Still hackers will figure ways around it but that would be a good first step.
      [ link to this | view in chronology ]
      - Roger Strong (profile), 15 Feb 2018 @ 2:14pm
        
        Re: Re: Re: Re:
        
        It is entirely possible that they are completely ignorant.
        
        While possible, it's about as credible as a revenge porn site claiming "We couldn't possibly have predicted that someone would abuse our service by posting images without the subject's permission! The $2000 per image fee to remove the images is necessary to cover the cost of doing so."
        
        These are people not just writing the software, but setting up a business and a revenue transfer system. They'll have thought about the implications.
        [ link to this | view in chronology ]
      - Anonymous Coward, 16 Feb 2018 @ 12:38am
        
        Re: Re: Re: Re:
        "It is entirely possible that they are completely ignorant. "
        
        No. It is not possible. I realize that doing actual research and reading is against the creed of most people who post here, but if you actually LOOK AT THEIR DESIGN, it is obvious on inspection to the trained eye that it was designed for abuse.
        
        And even without out that, only a pathetically naive, hopeless ignorant fool would believe for even a moment that people with the technical sophistication required to design and build Coinhive are somehow, curiously, amazingly, magically unaware of how it works.
        
        Your pathetically feeble attempt to make excuses for the abusive filth at Coinhive marks you as either a moron or a shill. Which is it?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 16 Feb 2018 @ 6:15am
        
        Re: Re: Re: Re: Re:
        "I realize that doing actual research and reading is against the creed of most people who post here"
        
        Do you have any data in support of your claim or is this just another of many childish rants?
        [ link to this | view in chronology ]
        
        PaulT (profile), 16 Feb 2018 @ 6:45am
        
        Re: Re: Re: Re: Re: Re:
        The fun part of what he's saying is that it's totally subjective. That is, a person can look at the details he looked at and come to a totally different, but equally valid, conclusion. I also somehow doubt that he actually has the "trained eye" he claims is required either.
        
        He's too busy name calling and trying to act superior to actually get into a discussion as to why his conclusion is the correct one, of course, but he'll demand that everyone believe it without question nonetheless.
        [ link to this | view in chronology ]
        
        PRMan, 16 Feb 2018 @ 10:38am
        
        Re: Re: Re: Re: Re:
        I find the most brilliant developers are often the most socially naive.
        [ link to this | view in chronology ]
  - An Onymous Coward (profile), 15 Feb 2018 @ 3:48pm
    
    Re: Re:
    I still don't see how they're so different. Yes, Coinhive stands to make potentially more from abuse of its platform than does Google (though with the cost of ads that's a subject for more investigation). And maybe Coinhive's platform is much more easily abused, something the developers should and possibly did recognize.
    
    But scale isn't really part of the equation here. They're both platforms that can be abused and through which both providers profit from abuse and non-abuse alike. If you condemn one you condemn both.
    
    I'm no fan of Coinhive and how it can be abused but I'd urge caution before lighting up the torches and taking the pitchforks out for a stroll. Where is the line drawn clearly enough that some legislator out to make a name for him/herself can't abuse /that/?
    [ link to this | view in chronology ]
    - amoshias (profile), 15 Feb 2018 @ 4:35pm
      
      Re: Re: Re:
      You really, truly don't see the difference between someone creating a platform which people can use to say mean or even illegal things, and someone creating a platform where people can reach into my computer without my consent and use it to make money?
      [ link to this | view in chronology ]
- Christenson, 15 Feb 2018 @ 11:55am
  
  Re: Please read more carefully....
  The criticism is for Coinhive not recognizing the impending inherent moral hazard...which is a little different than youtube, where moderation is the general approach to the problem.
  
  Not that they haven't supplied a proof of concept as to how to abuse unlimited in-browser computation....
  
  Now, about what might be done about that moral hazard....if Coinhive is getting a cut, maybe....
  maybe they should refuse coins from untrusted sources....
  maybe they could (and I realize this is difficult) make a point of contacting those doing the mining in a web browser....
  
  but both of these glib solutions have rabbit holes to go down, so
  maybe somebody has a better idea.... like me actually controlling my computer and knowing what it does, and someone making that convenient while still allowing me to read techdirt....
  [ link to this | view in chronology ]
  - Anonymous Coward, 15 Feb 2018 @ 1:03pm
    
    Re: Re: Please read more carefully....
    As for controlling what computation is happening on your computer, Techdirt is fine! I'm writing this comment with JavaScript disabled. Hence the only computation Techdirt is doing on my computer is to give it some data formats to parse and text to be laid out. Sure that's being done by a massively bloated program no one fully understands, but we can at least understand which aspects of it are being used.
    
    It's the other sites you have to worry about.
    [ link to this | view in chronology ]
    - Roger Strong (profile), 15 Feb 2018 @ 2:36pm
      
      Re: Re: Re: Please read more carefully....
      A decade ago I was often debunking "North American Union by 2007, er 2008, er 2010!!!" claims. Along with the "Amero" and "NAFTA Superhighway", FEMA death camps" and other claims that were supposed to come true by then.
      
      The wingnuts would often point me back to sites like WorldNetDaily for "proof." Sites that monetize the wingnuts by selling them books, bumper stickers and whatnot for all their conspiracy theories. And displaying ads for gold scams and whatnot. Wingnuts are a lucrative demographic.
      
      It seems reasonable to expect that such sites are now monetizing the wingnuts with Coinhive and other more modern methods.
      
      Which would answer the question of why certain wingnuts keep posting here despite their hatred of the site and its users. It's safer than sites that would cater to their, er, point of view.
      [ link to this | view in chronology ]
- PaulT (profile), 16 Feb 2018 @ 1:29am
  
  Re:
  You don't see the difference between saying that a piece of software should be better designed to prevent abuse and stating that YouTube need to police hundreds of hours of content uploaded by users every minute to see if there's anything in them that some other people might find offensive?
  
  I'm not sure where to start listing the massive fundamental differences, but there's a lot of them...
  [ link to this | view in chronology ]
Mononymous Tim (profile), 15 Feb 2018 @ 1:14pm

Playing dumb trumps admitting greed
Sadly, too many outfits these days are actually proud of both because money is involved.
[ link to this | view in chronology ]
- Ishtiaq (profile), 15 Feb 2018 @ 10:03pm
  
  Re: Playing dumb trumps admitting greed
  You know, this sort of thing cracks me up. How many commentators would quite happily download a pirate copy of something, but get angry when someone does pretty much the same thing to them?
  
  Cheers… Ishy
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Feb 2018 @ 5:28am
    
    Re: Re: Playing dumb trumps admitting greed
    There you go projecting again.
    [ link to this | view in chronology ]
  - Anonymous Coward, 16 Feb 2018 @ 6:18am
    
    Re: Re: Playing dumb trumps admitting greed
    You know, this sort of thing cracks me up. How many copyright holders would quite happily download an unauthorized copy of something, but get angry when someone does pretty much the same thing to them?
    [ link to this | view in chronology ]
    - Wendy Cockcroft, 16 Feb 2018 @ 7:16am
      
      Re: Re: Re: Playing dumb trumps admitting greed
      LOL! The number of times TD has reported on them doing exactly that...!
      [ link to this | view in chronology ]
Rekrul, 15 Feb 2018 @ 4:11pm

Maybe I'm just thick, but I've never understood the whole cryptocurrency system. Most articles claiming to explain it usually boil down to;

1. Install the software.

2. Mine for currency.

3. Profit!

Step three is the one that loses me. You have this currency that's online only and I've never understood how to turn that into actual money. Or how to take actual money and buy online currency with it. You know, for when you might want to use something like BitCoin to make a payment without having to run a mining program and hope it comes up with the required amount in a reasonable amount of time.

Different sites and services say they accept things like BitCoin, so how do I get BitCoin? "Well, uh, you have to install a wallet, a miner, run the miner..."

So I just get free cryptocurrency out of thin air? Cool, sign me up.
[ link to this | view in chronology ]
- Anonymous Coward, 15 Feb 2018 @ 5:12pm
  
  Re:
  It's free, except for the electricity costs, the wear + tear on the mining device, etc.
  [ link to this | view in chronology ]
- Anonymous Coward, 16 Feb 2018 @ 3:27am
  
  Re:
  >I've never understood how to turn that into actual money.
  
  There are coin exchanges which let you buy and sell the various cryptocurrency. They will also keep your coin wallets for you, but that can be risky as several have been hacked and drained of their holdings.
  [ link to this | view in chronology ]
- Toom1275 (profile), 16 Feb 2018 @ 7:09am
  
  Re:
  I read somewhere that hoarding cryptocurrency is akin to hoarding gold. The hoarded item has monetary value purely because people believe it does.
  [ link to this | view in chronology ]
  - Thad, 16 Feb 2018 @ 9:17am
    
    Re: Re:
    The same is true of any currency. The paper and plastic rectangles in your pocket carry value because of laws, contracts, social consensus, and economic forces, not because there's an inherent value to paper and plastic rectangles.
    
    (While people who talk about the gold standard tend to be nuts, at least gold is a physical object. Our economic system has gone several layers of abstraction beyond "exchange shiny things".)
    
    Cryptocurrency is like a perfect satire of how currency works.
    [ link to this | view in chronology ]
- Anonymous Coward, 16 Feb 2018 @ 7:28am
  
  Re:
  
  You have this currency that's online only and I've never understood how to turn that into actual money.
  
  If you look at the history of money, "actual" is a flexible concept. Gold exists, though its currency value is much higher than its utility value. Rai stones were used with an IOU system. Most modern currencies are little more than numbers in a computer; if Bitcoin had any "official" recognition, we might say it's more real than the US dollar (there's a proof-of-work, whereas the Fed can just make up US dollars).
  
  In other words, "actual money" is anything that's generally treated as money.
  [ link to this | view in chronology ]
  - Rekrul, 21 Feb 2018 @ 5:14pm
    
    Re: Re:
    
    If you look at the history of money, "actual" is a flexible concept.
    
    OK, <i>mainstream</i> money. :)
    [ link to this | view in chronology ]
Anonymous Coward, 15 Feb 2018 @ 4:34pm

Hackable kitchen sinks
You mean that there isn't a hackable kitchen sink yet?
[ link to this | view in chronology ]
Anonymous Coward, 15 Feb 2018 @ 6:28pm

So what if we supply automatic weapons to five year olds?
You can't expect us to know what will happen!
[ link to this | view in chronology ]
Anonymous Coward, 16 Feb 2018 @ 6:00am

Your winnings, sir.
[ link to this | view in chronology ]
PaulT (profile), 19 Feb 2018 @ 9:02am

Re: I started hating cryptocurrencies
Yeah, that's not really about cryptocurrencies. It's an investor jumping on the bandwagon without understanding what he's investing in, then panicking and jumping out before the next upturn. Doesn't really matter which currency or commodity you invested in, anyone who just follows a bandwagon without research or a long term plan will risk this every time.

But, I do love the way that your anti-cryptocurrency post is linked to what appears to be a honeypot site to "earn" them for "free". Still not sure where you really stand, huh?
[ link to this | view in chronology ]
- The Wanderer (profile), 20 Feb 2018 @ 4:22am
  
  Re: Re: I started hating cryptocurrencies
  I believe that "claim to be against the thing you're spamming for" technique is a known method for making spam posts look plausible; it's not exactly common, but it's not at all unheard-of.
  
  Or, to be charitable, possibly the linked-to site could maybe be (the? a?) place where he(?) got into the cryptocurrency thing, and he(?) just didn't explain it properly. Seems less likely to me, but I suppose it's not impossible.
  [ link to this | view in chronology ]