The creator of Have I Been Pwned, IS expert Troy Hunt reconfigured the domains of Coinhive, a cryptojacking service that was closed in 2019, and now they warn users about hacked sites that are still engaged in hidden mining.Let me remind you that Coinhive appeared in the fall of 2017 and was then positioned as an alternative to classic banner advertising. As a result, Coinhive only spawned a large-scale phenomenon that information security specialists called cryptojacking, or browser mining.
At its peak, Coinhive has been embedded in 200,000 routers, browser extensions, Microsoft Store apps, and even government websites.
However, in the end, in the spring of 2019, the service closed a year after the Monero hard fork, as the hash rate fell by more than 50%. In addition, the decision of the Coinhive developers influenced the overall “collapse” of the cryptocurrency market, since then XMR lost about 85% of its value.
As the founder of the leak aggregator Have I Been Pwned (HIBP) Troy Hunt now says in a blog post, he was given access to coinhive.com and other related domains for free, with the condition that he did something useful with them:
“In May 2020, I gained control of both the primary domain coinhive.com and several other secondary domains associated with the service, such as cnhv.co, which was used to shorten links (which also forced browsers to mine Monero). I’m not sure how much the person who provided me with these domains wants publicity, so the only thing I’ll say now is that they were provided to me for free to do something useful.”
While analyzing sites that are still driving traffic to Coinhive domains, Hunt noticed that scripts are active mainly on Chinese and Russian websites. Most of this traffic can be attributed to hacked MikroTik routers, which continue to inject Coinhive scripts whenever users visit any site.
In the end, the expert decided that he was using the coinhive.com domain to redirect people to his blog post about Coinhive. So, if people visit sites with Coinhive scripts, they see a dialog box that will warn them: “This site tried to run a cryptominer in your browser.” Moreover, the warning is a link that users can click on and learn more about Coinhive.
While Hunt is doing a good thing, the Coinhive example clearly shows that attackers can use abandoned domains to inject scripts into the browsers of unsuspecting visitors.
User Review( votes)