Cryptojacking Has Gotten Out of Control

The practice of using a website visitor's device to mine cryptocurrency has expanded—and evolved—at an alarming rate.

Cryptojacking, which exploded in popularity this fall, has an ostensibly worthy goal: Use an untapped resource to create an alternative revenue stream for games or media sites, and reduce reliance on ads. It works by embedding a JavaScript component in a website that can leverage a visiting device's processing power to mine a cryptocurrency (usually Monero). Each visitor might only do a tiny bit of mining while they're there, but every user lending some hash power over time can generate real money. And users might not even notice what's happening. In theory, it can be a win-win. In practice, not so much.

As cryptojacking has spread around the web—largely thanks to the original "in-browser miner," Coinhive, and its copycats—implementations have generally not lived up to those lofty aims. Instead, the technique is used to exploit unknowing people's resources, both their hardware and electric bills, and it is increasingly blocked as malware by scanners and ad-blockers. So far, efforts to keep cryptojacking on the straight and narrow have largely fizzled.

Easy Money

Cryptojacking doesn't require a download, starts instantly, and works efficiently. Making it even more insidious, hackers can sneak a mining component onto unsuspecting websites and pilfer cryptocurrency off of the legitimate site's traffic. Illicit cryptojacking software has plagued unsuspecting sites like Politifact and Showtime. In one especially glaring incident from early December, a customer using the public Wi-Fi at a Buenos Aires Starbucks discovered that someone had manipulated the Wi-Fi system, delaying the connection in order to mine Monero with shoppers' devices.

Despite those high-profile sneak attacks, researchers say that most cryptojacking is intentional, and that the practice is evolving in concerning ways.

"There was a steady increase in CoinHive usage through late November and early December, presumably driven by the surge in cryptocurrency valuations," says Paul Ducklin, senior technologist at the security firm Sophos. "It's hard to guess the motivation of an unknown website operator, but based on an analysis of our detection data for the month of November, most coinmining sites were doing it on purpose, and a significant majority were taking all the CPU they could get."

Those elevated processing demands can do real damage to victim devices over time. One type of Android malware, called Loapi, mines cryptocurrency so intensely that it can cause physical harm to the devices it runs on.

And since cryptojacking is so new, hackers still constantly develop innovations to maximize their intake. For example, Coinhive charges fees to website operators who use its mining script. So hackers have been avoiding those and dodging detection by malware scanners and ad blockers by hosting their own mining intermediary for JavaScript components to call back to. Scanners and blockers can easily blacklist anything talking to Coinhive, but it's much more difficult to keep up with an endless list of independent hosts.

In another innovation from November, security researchers at Malwarebytes Labs discovered that some cryptojackers had found a way to persist even after users closed the mining tab. To do so, the cryptojacker opens a stealthy browser window called a "pop-under" that hides behind the Windows taskbar clock.

No Remedy

Coinhive responded to criticisms about lack of transparency by releasing a new version of its JavaScript miner called AuthedMine. Instead of running automatically and invisibly, AuthedMine takes the novel step of actually asking permission to run. But while that type of disclosure mechanism could legitimize cryptojacking, researchers say that it hasn't gained much ground—and that it will be difficult, if not impossible, to completely rein more aggressive models in.

Coinhive concedes that its attempt to close Pandora's box with the AuthedMine version hasn't quite worked so far, in part because adblockers and antivirus treat it the same way they do any other cryptojacker.

"At this point we have to consider AuthedMine to only be a partial success," the company said in a statement to WIRED. "Most adblockers have now blocked AuthedMine, despite our best intentions. Even some antiviruses (like Norton) consider AuthedMine as a threat now—which entirely defeats the purpose of using AuthedMine instead of our original implementation. We're looking for other ways to make this work."

Sophos, for one, currently considers all cryptojackers to be "parasitic" malware. Browser developers, like those that work on the Chromium Project that underlies Google Chrome, have also considered ways to handle cryptojacking and whether to block it to protect users. The Opera browser recently announced that it is adding a mechanism called "NoCoin" to its built-in ad blocker to stop mining scripts.

A Browser Transformation

As cryptojacking has taken off, it has also served as a sort of conceptual unifier for the various mining technologies that have been slowly percolating over the years. Coinhive has even started promoting a type of anti-spam mechanism called a Proof of Work Captcha, an idea that has been around for years. Instead of checking whether a user is human, this tool solves processor-intensive mathematical mining puzzles to make it slower and less economically feasible for spammers to load certain pages or perform certain actions on a site. These captchas result in less annoyance for individual users, but they tax device processors and can take a long time to finish on older machines.
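The proof-of-work gate described above can be sketched as follows. This is an added example, not Coinhive's code: it uses a generic hashcash-style puzzle with SHA-256 standing in for a mining hash, and every name in it (SERVER_KEY, issueChallenge, solve, verify) is an assumption made for illustration.

```javascript
// Added example: hashcash-style proof-of-work gate. SHA-256 stands in for a
// mining hash; SERVER_KEY and all function names are assumptions.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("crypto");

const SERVER_KEY = randomBytes(32);   // server-side secret, never sent to clients
const spent = new Set();              // salts already redeemed (replay protection)

// Count the leading zero bits of a hash buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

const sign = (salt, difficulty, expires) =>
  createHmac("sha256", SERVER_KEY).update(`${salt}|${difficulty}|${expires}`).digest();

// Server: issue a stateless challenge; the MAC binds salt, difficulty and expiry.
function issueChallenge(difficulty, ttlMs, now = Date.now()) {
  const salt = randomBytes(16).toString("hex");
  const expires = now + ttlMs;
  return { salt, difficulty, expires, mac: sign(salt, difficulty, expires).toString("hex") };
}

// Client: brute-force a nonce; expected cost is about 2^difficulty hashes.
function solve({ salt, difficulty }) {
  for (let nonce = 0; ; nonce++) {
    const h = createHash("sha256").update(`${salt}:${nonce}`).digest();
    if (leadingZeroBits(h) >= difficulty) return nonce;
  }
}

// Server: verification costs one HMAC and one hash, whatever the difficulty.
function verify(ch, nonce, now = Date.now()) {
  const mac = Buffer.from(String(ch.mac), "hex");
  const want = sign(ch.salt, ch.difficulty, ch.expires);
  if (mac.length !== want.length || !timingSafeEqual(mac, want)) return false;
  if (now > ch.expires || spent.has(ch.salt)) return false;
  const h = createHash("sha256").update(`${ch.salt}:${nonce}`).digest();
  if (leadingZeroBits(h) < ch.difficulty) return false;
  spent.add(ch.salt);                 // one solution per challenge
  return true;
}
```

Each extra bit of difficulty doubles the client's expected work while the server's check stays constant, which is also why the cost falls hardest on older machines. A real deployment would prune the spent set once challenges expire.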

The more these mining technologies layer on top of each other—whether for legitimate purposes or scams—the more web users may begin to experience a changed browsing landscape. Between October and November, the number of mobile devices that encountered at least one cryptojacking script increased by 287 percent, according to analysis by the mobile security firm Wandera.

Cryptojacking could evolve to the point that the processing power of a user's device matters more than ever to their browsing experience, and even access to information and services, says Dan Cuddeford, Wandera's director of sales engineering. "I still like what in my mind are legitimate uses for cryptojacking," Cuddeford says. "But we may be in a situation in the future where you’re able to get access more quickly because you’re able to solve these puzzles faster. The faster the CPU you have, the quicker you can progress to the next screen, and everyone could start to be treated differently."

Some uses of cryptojacking still offer opt-in transparency, the approach the security community has pushed for to legitimize and de-stigmatize the technology. But within the melange of sketchy uses, it's troubling to consider that in-browser mining could ultimately become its own form of paid prioritization, where the people who can afford more processing power are preferred by services online.