Security

Opt-in cryptomining script Coinhive 'barely used' say researchers

We wouldn't say 'barely', says Coinhive

By John Leyden

6 SHARE

Few sites are bothering to use the opt-in version of Coinhive, the controversial ride-along JavaScript crypto-mining package that requires end-users' consent to run.

So said security firm Malwarebytes in an analysis emitted on Monday, but Coinhive developers disputed those findings and argued that a third of cryptomining-using websites get their users' consent.

Cryptomining sees web pages operators use visitors' computers to mine for the Monero cryptocurrency as they surf a site. Sometimes the mining is covert, as a result of mining malware infections. Publishers can also run miningware without explicitly telling users about their efforts. On other occasions publishers formally tell visitors they're helping it to raise funds by running mining code.

Coinhive tried to make the last cryptomining scenario legit by offering software that only works after users opt-in. In October 2017 the outfit therefore introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed.

Reg now behind invisible HTML5 Bitcoin paywall

READ MORE

Data from Malwarebytes, unveiled on Monday, said that in January and February 2018 the opt-in version of Coinhive was used by just 40,000 folk each day compared to three million users of its silent miner. The security software firm adds that even sites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case this month of Salon, a news website.

The developers of Coinhive disputed these figures. “We don't have statistics about the exact number of clients, but as for our raw hashrate: ~35% comes from AuthedMine,” the developers told El Reg via Twitter. “Many sites still use the classic implementation with their own (non intrusive) opt-in or with a prominent opt-out. Ultimately it's the decision of the website owners.”

Malwarebytes' findings were supported by security researcher Troy Mursch who said its figures are consistent with his own research.

The Coinhive crew went on to claim that Malwarebytes blocks AuthedMine, too. “Attempts to get this resolved remained unanswered,” they said.

Malwarebytes' The State of Malicious Cryptomining report also notes how groups used the WannaCry vulnerabilities to infect servers with cryptomining packages, a tactic previously reported by El Reg. ®

Bootnote: The "Read More" box above links to our 2017 April Fool's Day prank, in which we joked that we'd added cryptomining to the site. Not many months later, actual cryptomining became prevalent.

Sign up to our NewsletterGet IT in your inbox daily

6 Comments

More from The Register

Kaspersky Lab loses the privilege of giving Twitter ad money

Twitter's loss is the EFF's gain

Sir, you've been using Kaspersky Lab antivirus. Please come with us, sir

US govt bans agencies from using Russian outfit's wares

Kaspersky Lab's move from Russia to Switzerland fails to save it from Dutch oven

Netherlands turns up the heat as transparency plans unveiled

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency

Underground forums alight with Struts chat, we hear

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

Updated DNS leak flaws are outside of bug-bounty scope

Another US government committee takes aim at Kaspersky Lab

Worries about 'espionage, sabotage, or other nefarious activities' cough - NSA! - cough

Judge bins sueball lobbed at Malwarebytes by rival antivirus maker for torpedoing its tool

Litigious security biz upset at blanket PC ban

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Bloke sent down after spilling Uncle Sam's cyber-weapons

'We've nothing to hide': Kaspersky Lab offers to open up source code

Response to US fretting over alleged ties to Russian snoops

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data