After closure of Coinhive the number of crypto-jacking attacks decreased by 99%

A group of researchers from the University of Cincinnati (USA) and Lakehead University (Canada) estimated that after the closure of the mining service Coinhive a year ago, the number of crypto-jacking attacks decreased by 99%, and browser mining almost disappeared.

According to analysts, online advertising brings a much greater income.

Let me remind you that Coinhive appeared in the fall of 2017 and was then positioned as an alternative to classic banner advertising. In practice, Coinhive instead gave rise to a large-scale phenomenon that information security experts called crypto-jacking, or browser mining.

It was enough for a user to be "unlucky" and open any site that had Coinhive's JavaScript embedded in its code (or that of another similar service, of which dozens soon appeared), and the resources of the victim's machine were used to mine the Monero cryptocurrency.

Coinhive operators, however, admitted that they did not want to create a tool to enrich cybercriminals and openly condemned the actions of attackers.

“We were stunned by how quickly our decision found a wide response. Looking back, I can say that we were very naive when we built theories about how our miner will be used. We believed that most sites would use Coinhive openly, allowing users to decide whether to launch it for some bonuses, as we ourselves did, during testing on pr0gramm.com before launch. But in the very first days after the appearance of Coinhive, everything went completely wrong,” – said one of the anonymous service developers.

Ultimately, in spring 2019, the service closed a year after the Monero hard fork, as the hash rate dropped by more than 50%. In addition, the decision of the Coinhive developers was influenced by the general “collapse” of the cryptocurrency market, in which XMR lost about 85% of its value.

Now, a year after these events, researchers say that after the closure of Coinhive, crypto-jacking has almost disappeared. Europol, for its part, had already classified crypto-jacking as a threat of the past back in October 2019.

For their analysis, the experts used the CMTracker crypto-jacking detector, which is designed to find sites that contain mining code. Manually and automatically, the experts examined 2770 sites that had been flagged by CMTracker before Coinhive was closed.

It turned out that 99% of these resources are not mining anymore. The remaining percentage still uses eight different mining scripts:

  • cc/lib/minero.min.js
  • com/lib/base.js
  • win/46B8.js
  • */perfekt/perfekt.js
  • */tkefrep/tkefrep.js
  • co/javas.js
  • xyz/sadig6.js
  • bid/jo/jo/miner_compressed/webmr.js

These scripts were seen on 632 sites. This is a significant improvement compared to 2017, when Coinhive alone could be found on more than 30,000 sites. In their report, experts refer to another study in 2019, which examined the profitability of browser mining and the associated costs. That report stated that network advertising was 5.5 times more profitable than mining. Thus, mining-oriented resources need to keep the visitor’s tab open for at least 5.53 minutes in order to receive a comparable or greater income than from online advertising.

“It [crypto-jacking] is still alive, but not as attractive as before,” the researchers conclude.

In their fresh analysis, the experts note that attackers do try to place mining code on free movie sites, since this can keep victims on one page for a long time.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
