Browsealoud plugin hacked to mine Monero on 4,000 Govt websites

There were thousands of UK and US government websites mining Monero including UK’s NHS and US’s Court.

It has been raining on cryptocurrency in 2018 especially Bitcoin whose value touched the sky and made people millionaires in days. It also encouraged hackers and cybercriminals to take advantage of the situation and make easy money but the price for it is being paid by unsuspected users.

UK and US government sites hacked to mine Monero

On February 11th, an IT security researcher Scott Helme discovered that there are over 4,000 government websites that have been hacked to mine Monero cryptocurrency including the official website of American court system (, the website of U.K.’s Information Commissioner’s Office (, U.K.’s General Medical Council (GMC), National Health Service (NHS) and United States Social Security Administration.

According to Helme’s blog post, the targeted websites were infected with a malware that has been using the computing power of sites visitors to mine Monero. Remember, the technique in which websites are compromised to mine cryptocurrency is also known as in-browser cryptojacking in which CPU power of unsuspected website visitors is secretly used by hackers to generate cryptocurrency while users end up with expensive electricity bills.

Hackers hacked Browsealoud plugin to infect govt websites

Upon further digging, Helme found that hackers compromised a popular Browsealoud plugin to make their way into the government websites and infected them with cryptocurrency mining malware. The Browsealoud plugin helps visitors access content on websites including dyslexia patients, users not familiar with the English language and mild visual impairments.

There are over 3 million Browsealoud users around the world while 6,000 websites are currently using the plugin. However, this time the plugin was used for malicious purposes allowing hackers to manipulate its original code with a Javascript code provided by Coinhive, a company that provides cryptocurrency miner and sends any coins mined to the browser of the websites’ owners.

At the time of publishing this article, HackRead noticed that the Browsealoud plugin was closed on 11th February and its official page on WordPress now shows the message “This plugin was closed on February 11, 2018, and is no longer available for download.”

Authorities are examining the situation

The British National Cyber Security Centre (NCSC) said that they are familiar with the situation. According to their official statement: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency. The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage, there is nothing to suggest that members of the public are at risk.”

Now that the authorities are aware of the situation Helme fears hackers can pull a similar stunt in the future which could be devastating. The news came as a shock since the general perception about government owned websites is that they are secured and scanned for malware and malicious codes by their administrators on regular bases.

Brandon Dixon, VP at digital threat management firm RiskIQ told HackRead “We are seeing threat actors around the world exploiting what is already a hostile currency in a lawless digital world. Threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of major brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites running cryptocurrency mining scripts to monetize their content. When we looked at domains running the cryptocurrency mining script Coinhive, we found many examples of typosquatting and domain infringement,” 

Cryptocurrency mining is increasing

The IT security community is rightly worried about the sudden surge in cryptocurrency mining attacks. Some are even considering it as a replacement for ransomware. Lately, some high-profile websites and institutions have been found infected with cryptocurrency mining malware including YouTubeOracleBlackBerryStarbucks and even the Russia based world’s largest oil pipeline company Transneft.

Hackers are using YouTube Ads to Mine Monero Cryptocurrency
Screenshot shows YouTube ads were hacked to mine Monero

In December last year, Sucuri security firm identified 5,000 WordPress websites were infected with CoinHive cryptocurrency miner scripts and generating Monero through visitors computing power. In some cases, researchers have also identified that hackers are using leaked NSA exploitEternalBlue, EsteemAudit and EternalSynergy in their cryptocurrency mining malware which means the worse is still to come. 

The full list of infected sites is available here.

Related Posts