The End of CoinHive and the Rise of Cryptojacking

Cryptojacking is the unauthorized use of a computer to mine cryptocurrency. This article traces the development of Cryptojacking from ByteCoin and Monero, used by the CoinHive service. It examines how Cryptojacking works, the latest research, and content security policy solutions that limit source loading and report Cryptojacking scripts.

The End of CoinHive and the Rise of Cryptojacking

CoinHive is a service that was created in September 2017. It allows users to mine Monero cryptocurrency using JavaScript. CoinHive has remarkably changed the income models of content developers over the course of its 18 month-long adventure. However, due in large part to the drop in hash rate (over 50%) after a previous Monero hard fork, and the crash of the market with the value of XMR depreciating more than 85% in one year, the service will end on 8 March, 2019. In this blog post, we look at how crypto mining has developed and how attackers have taken advantage of these models to develop a new attack vector called Cryptojacking.

The End of CoinHive and the Rise of Cryptojacking

The Beginning of ByteCoin and Monero

In 2013, Nicolas van Saberhagen released the CryptoNote protocol. It was commonly used on the infrastructure of many coin types, including ByteCoin. The inventor of ByteCoin has been unknown since he announced the cryptocurrency anonymously on the Bitcointalk forum.

In the Bitcointalk forum, a user named ‘thankful_for_today’ pointed out that 82% of the ByteCoin currency is available on the market. This means that the currency was centralized in one place. The user realized that CryptoNote was a promising protocol, and in 2014 they decided, with the support of the community, to collate its important features in a new currency project called BitMonero, also known as Monero.

What Sets Monero Apart From Other Cryptocurrencies?

Monero promotes itself as a private and secure currency, with a balanced share among users. Monero mining is possible through computers, mobile phones, tablets, and many web browsers. Someone who wants to be a part of the Monero community could do so without the necessity of additional hardware requirements.

Since ASICs (Application-Specific Integrated Circuits) cause cryptocurrencies to centralize on users who have equipments and a powerful economic background, Monero used memory-hard algorithms such as CryptoNight instead of CPU-hard algorithms such as SHA-256.

Mining Monero with ease over web browsers and many other devices allowed people to support organizations such as UNICEF Australia, BailBlock, and Change.org. In time, the idea that Monero might be used as an income source on websites grew widely among some website owners.

Using Monero as an Income Model on Websites

CoinHive became popular by transforming Monero into a service that could be used by everyone. A CoinHive generated script code could be added to your website, allowing you to mine Monero through the browsers of users who visit your website. The first well-known site to use this new income model was The Pirate Bay (TPB). Instead of showing ads to users, TPB mined Monero without users’ knowledge. This not only caused an antagonistic reaction in the community, but also introduced the new model to the world.

Attackers began inserting the script they acquired from CoinHive into websites they had taken control of, in order to transform these website visits into valuable sources of income. This gave birth to the phenomenon of Cryptojacking within the security industry.

Although browser extensions provide one solution to the problem of cryptomining for end-users, website owners need a much more comprehensive solution.

Cryptojacking Research

According to How You Get Shot in the Back: A Systematical Study about Cryptojacking in the Real World, research by University of California in Riverside, ten million users worldwide have been affected by Cryptojacking attacks. Researchers admit that there aren’t enough studies on this topic in the field, since systems like VirusTotal aren’t designed to detect and analyze Cryptojacking attacks. It will become essential for the industry to create a system that take URLs and checks the websites for Cryptojacking code.

The researchers stated that they found 2770 individual Cryptojacking examples in the 853,956 websites tested. Of these vulnerable websites, 868 are among the Alexa Top 100 thousand. They also provided the formula they used to calculate how much attackers earn by injecting their malicious Cryptojacking code on users’ websites.

For example, let’s calculate how much TPB earns by Monero mining through user browsers. We know that TPB has 211 million monthly users, and the duration of the time spent on the browser by a single user is 326 seconds.

According to the research, from which the table is taken, “malicious miners can gain more than 1.7 million US Dollars, from more than 10 million users per month.” (University of California paper)

The Solution to Cryptojacking Attack: Content Security Policy

The Content Security Policy (CSP) header acts as an additional security layer against various attacks, such as Cross-site Scripting (XSS) attacks. Using the directives of CSP, you can control the resources from which script, style, image, and sound are loaded.

The whitelisting approach is used when setting the rules in CSP. This allows the website owner to state only the allowed sources, which helps filter out the unwanted ones. Declaring the allowed sources in the CSP header of the HTTP response is all that is required to activate this feature.

Content-Security-Policy: script-src 'self' https://apis.google.com

For example, this code allows loading scripts only from the same origin (self), and  https://apis.google.com. When the header is set this way, calling inline scripts, using scripts through event triggers will not be possible. Therefore, the script-src directive of the CSP header might be very useful to prevent Cryptojacking attacks.

Using the report-uri Directive to Follow-up on Violations

Content Security Policy not only limits the source loading but also reports the actions you specify to a particular address. By setting the report-uri directive in CSP in addition to script-src, you can be informed of the attempted Cryptojacking scripts attacks on your website.

Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;

This sample data will be sent to the address specified above using POST method.

{
 "csp-report": {
   "document-uri": "http://example.org/page.html",
   "referrer": "http://evil.example.com/",
   "blocked-uri": "http://evil.example.com/evil.js",
   "violated-directive": "script-src 'self' https://apis.google.com",
   "original-policy": "script-src 'self' https://apis.google.com; report-uri

http://example.org/my_amazing_csp_report_parser"
 }
}

This is what each element on the report specifies:

  • document-uri: the page that the intrusion was detected
  • referrer: the referrer of the page
  • blocked-uri: the blocked source  
  • violated-directive: the security directive that has been violated
  • origin-policy: the CSP directives in use

What is the Future of Cryptocurrency on Websites?

Cryptocurrencies are arguably one of the biggest inventions of our era. New and upcoming forms of cryptocurrency are inevitably accompanied by new attack vectors. The oldest and most well-known income model for website owners, displaying ads to users, have started to be replaced by cryptocurrency mining using the brilliant invention of CoinHive. And, though CoinHive no longer exists, it’s possible that we’ll see alternative implementations. So, it is vital to act now to protect your website from attacks that will naturally arise as malicious hackers continue to find ways to abuse new and upcoming online business models.

Further Information

You can read more about Monero in Serhack’s book, Mastering Monero: The future of private transactions.