I Now Own the Coinhive.com - Fighting Cryptojacking

Lox
Top Member
If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on.

You know how people don't like ads? Yeah, me either (at least not the spammy tracky ones that invade both your privacy and your bandwidth), but I also like free content on the web and therein lies the rub; how do content producers monetise their work if they can't put ads on pages? Well naturally, you "Monetize Your Business with Your Users' CPU Power" which was Coinhive's (Archive) modus operandi. That's a link to the last snapshotted version on archive.org because if you go to coinhive.com today, you'll see nothing. The website is dead. However, it's now owned by me and it's just sitting there doing pretty much nothing other than serving a little bit of JavaScript. I'll come back to that shortly, let's return to the business model of Coinhive:

So, instead of serving ads you put a JavaScript based cryptominer on your victi... sorry - visitors - browsers then whilst they're sitting there reading your content, you're harvesting Monero coin on their machine. They're paying for the CPU cycles to put money into your pocket - ingenious! But there were two massive problems with this and the first one is probably obvious: it's a sleazy business model that (usually unknowingly) exploits people's electricity bills for the personal gain of the site operator. It might only be exploiting them a little bit (how much power can an in-browser JS cryptominer really draw?), but it still feels super shady. The second problem is that due to the anonymous nature of cryptocurrency, every hacker and their dog wanted to put Coinhive on any sites they were able to run their own arbitrary JavaScript on.

I'll give you a perfect example of that last point: in Feb 2018 I wrote about The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries wherein someone had compromised a JS file on the Browsealoud service and injected the Coinhive script into it. In that blog post I included the code Scott Helme had de-obfuscated which showed a very simple bit of JavaScript, really just the inclusion of a .js file from coinhive.com and the setting of a 32-byte key. And that's all an attacker needed to do - include the Coinhive JS, add their key and if they wished, toggle a few configurations. That's it, job done, instant crypto!

And then Coinhive was gone (ZDNET). (Also - "the company was making an estimated $250,000 per month" - crikey!) The site disappeared and the domain stopped resolving. Every site that had Coinhive running on it, either by the design of the site owner or at the whim of a cryptojacker, stopped mining Monero. However, those sites were still making requests to the domain, but without the name resolving anywhere, the only signs of Coinhive being gone were errors in the browser's developer tools.

In May 2020, I obtained both the primary coinhive.com domain and a few other ancillary ones related to the service, for example cnhv.co which was used for their link shortener (which also caused browsers to mine Monero). I'm not sure how much the person who made these available to me wants to share so the only thing I'll say for now is that they were provided to me for free to do something useful with. 2020 got kinda busy and it was only very recently that I was finally able to come back to Coinhive. I stood up a website and just logged requests. Every request resulted in a 404, but every request also went into a standard Azure App Service log. And that's where things got a lot more interesting.

Firstly, the high-level stats and as I was routing through Cloudflare, it was super easy to look at the volume of requests first:

read more (troyhunt)
The views expressed on this page by users and staff are their own, not those of NamePros.
Wow. Very interesting. I have a loud processor fan, and always become suspicious when I hear it working harder than normal. I guess you don't hear that on a mobile device.
Great read, thanks!

However I think the idea itself was pretty neat. If there was a legitimate company that would only partner with verified publishers, who would obtain explicit agreement from the user to use a moderate amount of their cpu power while they're browsing the site, as an alternative to serving ads, I think it'd be a win-win.
Really interesting. CoinHive.com is a kinda nice name as well. Makes me wonder why they stopped using it for that purpose... they weren't making money?