
Cryptojacking – how your computer gets hijacked to mine Monero

In recent years, hackers have ‘cryptojacked’ computers around the world to maliciously mine Monero. Jan Vermeulen explores how this process works and the technologies which enable it.

Written by Jan Vermeulen

When a new technology emerges, especially in computing, the unscrupulous will invariably find a way to use it to exploit others for their own gain. Usually, it’s not a particularly original idea, but rather using a computer and network to execute an old hustle at a larger scale.

E-mail dramatically reduced the cost of sending a text message to anyone connected to the Internet. The other edge of the sword was that it also benefited direct marketers by slashing the cost of sending spam.

Social networks allowed us to connect more easily with long-lost friends and family, but they also allow scammers to target victims in personalized ways.

Cryptocurrencies are no different: we are seeing everything from repeats of the ways financial markets were manipulated decades ago, before stricter regulations were enforced, to more technical exploits.

Cryptojacking is one such example, where an attacker “steals” your computer resources to mine a cryptocurrency of their choice, usually Monero.

The scare quotes in the previous sentence are there because, by the strictest definition, the attackers aren’t really stealing anything. You haven’t lost the use of your CPU or graphics card, but they are performing work for someone else without your authorization.

Those who have some knowledge of information security matters might recognize cryptojacking as just another form of botnet. A botnet is a networked set of computers which have been compromised in some way to do the bidding of someone who shouldn’t be able to give them commands.

Botnets were frequently used to flood websites with network traffic to take them offline—also known as a distributed denial of service attack. They may also be used to send spam or perform click fraud, where your computer visits a website and clicks on items to generate fake web traffic and advertising revenue for the operator.

However, those who have been around a bit longer may recognize botnets and cryptojacking as just a souped-up version of computer time theft.

Back when computers were massive and expensive, rather than buying a whole mainframe for yourself, you could rent time on one that was made available for time-sharing.

If you wanted to run a program, but couldn’t afford to pay for the time on the mainframe, you might find ways to “steal” the computer time by getting unauthorized access.

The proliferation of personal computers and the advent of the Internet have simply allowed attackers to commit computer time theft at a much larger scale.

Why Monero?

A report released last week stated that Monero appears to be a favourite among cryptojackers. The research found that at least $175 million worth of Monero—about 5% of the total circulation—came from malicious mining.

The Monero Malware Response Workgroup said that hackers take advantage of Monero’s privacy features to perform illicit mining.

However, there is probably more than one reason Monero is so popular, and one of them links back to a web-based miner called Coinhive, which the research could not take into account (it therefore stands to reason that the above figures are actually much higher).

According to Coinhive, it selected Monero for its JavaScript mining software because its proof-of-work consensus algorithm, CryptoNight, was designed to run well on consumer CPUs.

Other algorithms that are resistant to specialised mining hardware known as ASICs may be designed to run on graphics hardware. However, it is reasonable to assume that fewer computers on the Internet have powerful graphics cards than have solid CPUs.

Therefore, for a web-based miner Monero makes more sense.

By the same argument, Monero would also make more sense for cryptojackers who want to extract the maximum potential from the computers they use to mine on their behalf.

Who is Coinhive?

In September 2017, a user called pr0gramm posted a link to Coinhive on Hacker News. The first few comments seemed positive—here was potentially an alternative to ads for generating revenue for a website.

Of course, everyone was assuming website visitors would be duly informed and given the option to turn the miner off, if they so wished, as per Coinhive’s example implementation.

However, within days Coinhive was being used by websites like The Pirate Bay to mine Monero without the consent of their visitors.

By October, it had seen widespread adoption in cryptojacking malware that was being used to infect websites. Cloudflare banned it from its platform, and anti-virus vendors updated their software to detect Coinhive web-miners and block them.

Coinhive’s own story is also not without controversy.

Initially, its website stated that the script was developed for use on a German image sharing website called Pr0gramm. Visitors had to explicitly launch the miner, and were able to control how much CPU power the miner used.

However, the claim of being linked to Pr0gramm was soon removed from the website.

With the identities of both the current owners of Pr0gramm and the creators of Coinhive unknown, security journalist Brian Krebs went digging and published an exposé connecting the two companies.

This resulted in backlash from Pr0gramm’s community, which donated over €207,000 to cancer research, playing on the double-meaning of Krebs’ surname in German (crab/cancer).

The article also prompted German computer expert Dominic Szablewski, who originally launched Pr0gramm in 2007, to come forward as the creator of Coinhive.

“When some trolls in 2015 found out who was behind pr0gramm, I received death threats for various moderation decisions on that board. I decided to get out of it and sold pr0gramm,” Szablewski wrote on his blog.

“I was still working on Pr0gramm behind the scenes and helped with technical issues from time to time, but abstained from moderating completely.”

Szablewski said that just like Pr0gramm, he found a company interested in his new venture.

“They have taken over Coinhive and are now working on a big overhaul,” he said.

While Coinhive may be infamous for its widespread use in cryptojacking malware, in the end it turns out to be simply a tool that can be misused by those who would do so.

Written by Jan Vermeulen: technology journalist, coder, and speaker. He runs Relative Entropy and lives as a knight-errant of the keyboard. @sigstart