Hard Times for Cryptojacking

What is Cryptojacking? It is an attack in which hackers secretly utilize the computing power of your device to mine cryptocurrency – The cybercrime climate is flexible enough to quickly adapt to new circumstances and trends. The fact that cryptocurrency markets skyrocketed in the past several years has encouraged malicious actors to find ways of getting on board the hype train.

The exploitation vectors stem from the very essence of how digital coins come into existence – they are mined. This activity boils down to verifying cryptocurrency-related transactions and adding them to the blockchain, a decentralized digital ledger underlying these systems. Computation power is the fundamental resource required for the mining routine.

The bad news is, online malefactors have come up with techniques to harness the processing capacity of other people’s computers and web servers behind the victim’s backs. One of these methods, generally referred to as cryptojacking, is to infect a machine with malware that will stealthily siphon off its CPU or GPU power.

Another common mechanism is to abuse legit JavaScript based mining platforms, such as now closed Coinhive. In this scenario, the crooks injected the Coinhive Monero miner script into sites without the owners’ awareness so that the visitors’ processing units contribute to filling up the villains’ cryptocurrency wallets.

Whereas the cryptojacking epidemic appears to have taken the computer world by storm, there are a few things that may undermine its nefarious progress. Below are some insights into this phenomenon’s evolution and the latest initiatives that might cause it to take a nosedive in the near future.

The plague reached tremendous heights

According to security analysts, the cryptojacking landscape saw a huge spike in 2018. The extent of this growth ended up so tangible that surreptitious miners outstripped ransomware, which had dominated the cybercrime ecosystem for years. Specifically, cryptojacking infections hit about ten times more companies than ransom Trojans did last year.

Obviously, the black hats were strongly motivated to give their tactics an overhaul at some point. The most likely game-changer was that cryptojacking code is covert by design, contrary to a ransomware attack that makes itself felt through numerous symptoms instantly. Given the stealth, the perpetrators can maintain persistence and continue to take advantage of the contaminated hosts over a long timeframe without really raising red flags. Furthermore, they may leave backdoors in the systems for future attacks. Sometimes hackers don’t need to compromise big and secure websites. It is enough to hack a small third-party component like a widget.

Yet another possible stimulus for this shift had to do with the plummeting of Bitcoin’s value, which incentivized the criminals to opt for moneymaking methods with higher ROI (Return on Investment). This factor, combined with the decreasing number of ransomware victims who coughed up the ransoms in Bitcoin, changed the “status quo” on the global computer threat arena.

The operators of cryptojacking campaigns have also diversified their portfolio by bundling extra malware into their payloads. The drive-by entities mostly include banking trojans, such as the notorious TrickBot and Panda Banker, as well as the above-mentioned ransomware. This allows for monetizing every infection instance even if the core element of the raid doesn’t work out.

Rogue crypto-mining has also become a serious menace for enterprises. Corporate networks are juicy targets for the threat actors due to a large amount of their aggregate CPU power. If the malicious code hits one machine, it may be able to spread laterally across the enterprise environment and parasitize on the other computers and servers. On top of that, the compromised businesses run the risk of being additionally confronted with concomitant malware that often tailgates inside as a secondary payload. If the extra infection is ransomware, it will mutilate corporate data and hold it for ransom.

One more wakeup call is the recent discovery of eight apps on the official Microsoft Store that contained an obfuscated cryptojacking component. These booby-trapped entities were reportedly added to the popular software repository between April and December last year. Interestingly, they exploit GTM (Google Tag Manager), an analytics system tasked with helping application developers measure their e-marketing efforts. When downloaded and installed, the tricky apps in question trigger a GTM instance that fetches the Coinhive JavaScript library. In the aftermath of this activity, the miner starts consuming most of the computer’s CPU power to generate Monero cryptocurrency for the unscrupulous devs.

It’s not all doom and gloom?

On the one hand, the scourge of cryptojacking has grown into a major concern. According to the findings of Palo Alto Networks, malicious code accounts for mining nearly 5% of the entire Monero cryptocurrency volume. That’s worth more than $100 million. On the other hand, some bad news has surfaced for the operators of these dodgy campaigns lately.

The development crew behind Mozilla Firefox, one of the world’s most popular web browsers, announced an initiative to block cryptomining scripts. This move is supposed to prevent in-browser miners from doing their filthy job. The engineers have even responded to one of the relevant bug reports by uploading a walkthrough on how to disable the adverse activity. The corresponding feature is going to complement Mozilla’s Content Blocking privacy toolkit in the near future. The changes will reportedly take effect in Firefox v67.

At the early stage of implementation, though, the cryptojacking kill switch will be a part of the browser’s custom settings rather than the default presets. It means the user will be able to opt for blocking the scripts by putting a checkmark in the right box. The status of this feature is going to be reflected in the site information screen linked-to directly from the URL bar.

Another heads-up for the cryptojacking industry players might have a more dramatic impact and stop many of these campaigns in their tracks. It’s about Coinhive, the most heavily exploited cryptomining service that provides webmasters and web application authors with a JavaScript-based Monero miner. In case this script is running on a site, it will use the CPU resources of every visiting computer to generate cryptocurrency.

The proprietors of Coinhive have decided to discontinue their service. The halt took place on March 8, 2019. Judging by the corresponding blog post, one of the motivations for such a move is the 50% decrease in the hash rate that resulted from the last hard fork of the Monero network. Furthermore, the value of this coin dropped by more than 85% last year. Consequently, the Coinhive team says their business is no longer “economically viable”.


The cryptojacking hoax is swinging up and down. It originally appeared on the threat map during the cryptocurrency boom of 2017 that led to the value of some digital coins going up multiple times. However, in an environment as volatile as that, it’s hard to say for sure what the future holds.

The first small steps by browser vendors are definitely welcome, but they aren’t likely to influence the epidemic on a large scale. The shutdown of Coinhive is a much more promising initiative in terms of countering the bad trend. Are there similar controversial services waiting for their chance to fill the void? Time will tell.

In the meantime, it is necessary to take care of online security. No miner (or any other malware) will penetrate your system if you do not click suspicious links and email attachments. Having an up-to-date antivirus suite and reliable VPN service will add more points to your security.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts