Turning Coinhive Against Cryptojackers

In Q2 of 2020, we saw a 163% increase in detected cryptojacking attempts (ZDNet). For a cryptomining method many presumed to be dead and gone, a 163% increase is a startling one. Cryptojacking uses browser-based scripts, written in JavaScript or similar languages, to run a background process on a visitor's computer, using that computer to mine cryptocurrency (mainly Monero) for as long as it has a seemingly safe website open.

Until it was “shut down” in 2019, Coinhive served as one of the core tools for standing up these cryptojacking sites. The domain made an estimated $250,000 a month as bad actors used the service to advance their nefarious goals. Despite being shut down, however, we still saw the meteoric rise in detected cryptojacking attempts, so clearly, things were not all as they seemed with Coinhive.

Turning the Tables with Coinhive

Troy Hunt noticed this disparity and decided to take matters into his own hands. For years, Hunt has strived to turn the public eye towards the rampant cybersecurity issues plaguing the world today. Through projects like HaveIBeenPwned.com, Hunt has proven a pioneer in raising awareness of identity security, even testifying about data breaches before the U.S. Congress.

So, when Hunt found out that Coinhive was still potentially being used to attack unsuspecting site visitors, he outright purchased the domain and decided to use some trickery of his own to stop cryptojackers while also fostering awareness that attacks can happen from anywhere.

Troy Hunt writes:

In May 2020, I obtained both the primary coinhive.com domain and a few other ancillary ones related to the service, for example cnhv.co which was used for their link shortener (which also caused browsers to mine Monero). I’m not sure how much the person who made these available to me wants to share so the only thing I’ll say for now is that they were provided to me for free to do something useful with. 2020 got kinda busy and it was only very recently that I was finally able to come back to Coinhive. I stood up a website and just logged requests. Every request resulted in a 404, but every request also went into a standard Azure App Service log. And that’s where things got a lot more interesting.

Find out how Hunt used his newly acquired domain to advance content security policies here: I Now Own the Coinhive Domain. Here’s How I’m Fighting Cryptojacking and Doing Good Things with Content Security Policies.
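The content security policies mentioned above are the site-side defence against this kind of script injection: a page that declares a restrictive `script-src` will not load a miner from a third-party host even if one has been inserted into its HTML, and CSP reporting lets the site owner see the blocked load. The following is an added example, written for this summary and not code from Troy Hunt's Coinhive site or from the original post. It implements a small evaluator for the `script-src` directive (the `'self'`, `'none'`, scheme-source and host-source rules from the CSP specification) and runs a weak policy and a strict policy against a constructed list of script URLs. The page URL, the policies, and the script paths under coinhive.com and cnhv.co are constructed sample values, not anything observed on the real domains.

```javascript
// Added example (not from the Coinhive site or the Gestalt IT post): a minimal
// evaluator for the script-src directive of a Content-Security-Policy header.
// It covers 'self', 'none', "*", scheme sources (https:) and host sources with
// optional scheme, wildcard subdomain, port and path prefix. Nonces, hashes and
// 'unsafe-inline' only affect inline scripts, so they never allow an external URL.

function parseScriptSrc(policy) {
  // Return the source list for script-src, falling back to default-src as the
  // browser does. null means no applicable directive: every script is allowed.
  let scriptSrc = null, defaultSrc = null;
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    if (name.toLowerCase() === "script-src") scriptSrc = sources;
    if (name.toLowerCase() === "default-src") defaultSrc = sources;
  }
  return scriptSrc ?? defaultSrc;
}

function hostSourceMatches(source, url, page) {
  const s = source.toLowerCase();              // keywords/hosts are case-insensitive
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false;         // nonce/hash/unsafe-* keywords: not for URLs
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source

  // host-source: [scheme://]host[:port][/path]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: explicit scheme must match; otherwise the page's scheme (or an
  // https upgrade of it) is implied.
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== page.protocol && url.protocol !== "https:") {
    return false;
  }
  // Host: "*" matches any host, "*.example.com" matches subdomains only.
  if (host !== "*") {
    if (host.startsWith("*.")) {
      if (!url.hostname.endsWith(host.slice(1))) return false;
    } else if (url.hostname !== host) {
      return false;
    }
  }
  // Port: explicit port must match, "*" allows any, absent means the default
  // port for the scheme (Node's URL reports url.port as "" for the default).
  if (port && port !== "*") {
    if (url.port !== port) return false;
  } else if (!port && url.port !== "") {
    return false;
  }
  // Path: a trailing "/" is a prefix match, otherwise an exact match.
  if (path) {
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a browser enforcing `policy` on `pageUrl` load the external script at `scriptUrl`?
function scriptAllowed(policy, pageUrl, scriptUrl) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  const page = new URL(pageUrl), script = new URL(scriptUrl);
  return sources.some((src) => hostSourceMatches(src, script, page));
}

// Constructed sample: a page whose HTML has been tampered with to pull a mining
// script from coinhive.com and the cnhv.co shortener. Paths are made up.
const PAGE = "https://www.example.com/index.html";
const SCRIPTS = [
  "https://www.example.com/static/app.js",   // the site's own script
  "https://cdn.example.com/vendor.js",        // a CDN the site legitimately uses
  "https://coinhive.com/lib/miner.js",        // injected miner (constructed path)
  "https://cnhv.co/abc123",                   // shortener-delivered miner (constructed path)
];

// The weak policy allows any host; the strict one names only what the site needs
// and asks the browser to report anything it blocked.
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'";
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report";

function evaluate(policy) {
  const result = {};
  for (const url of SCRIPTS) result[url] = scriptAllowed(policy, PAGE, url);
  return result;
}

console.log("weak policy:", evaluate(WEAK_POLICY));
console.log("strict policy:", evaluate(STRICT_POLICY));
```

Under the weak policy every URL loads, including both injected miners; under the strict policy only the site's own script and its named CDN load, and the two blocked requests would show up at `/csp-report`. Note that a wildcard source such as `*.example.com` matches subdomains but not the bare `example.com`, a detail that regularly surprises people tightening a policy for the first time.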

About the author

Zach DeMeyer

Zach is the Technical/Content Writer at Gestalt IT with a degree in Mechanical Engineering from the Colorado School of Mines. A storyteller at heart, he loves being on the cutting edge of new technology and telling the world about it. When he's not working, he enjoys all things outdoors, music, and soccer.