
Anne O'Neamous • 3 years ago

Just put your own cryptominer in there! 🙂

Two small typos: "single infected routed" <-- router

Keep up the excellent work! :)

Anne O'Neamous • 3 years ago

ONE small typo... sheesh!

Troy Hunt • 3 years ago

Cheers, fixed!

Shayan Eskandari • 3 years ago

We published the first paper on this subject early on, I believe before Coinhive was gone. We used similar research methodologies, but much more limited so as to fit in a paper. A first look at browser-based cryptojacking: https://ieeexplore.ieee.org... (No paywall: https://arxiv.org/pdf/1803.... )

matrix • 3 years ago

Just curious, how much could you obtain a domain for that had been making $250k monthly ? :-)

Troy Hunt • 3 years ago

$0.

Hamid Nazari • 3 years ago

Great stuff, Troy. CSP and report-uri sound great, but couldn't a man in the middle in that case modify the headers themselves?

Troy Hunt • 3 years ago

Yes, so protect your transport layer properly and that won't happen! We're well beyond the point of discussing whether or not a site should be using HTTPS, that's just a given these days (but clearly based on this post, a bunch of sites still aren't getting that...)

Roger Hågensen • 3 years ago

At first I thought this was a 1st of April joke. But I'm kinda glad you don't follow that trend.

It is still confusing that lots of companies release business news on the same day. But I guess it's a nice way to sneak out news in a soft way (It'll take like a week before people are sure it's a joke or not) :P

Greg Williams • 3 years ago

Had to check the whois myself to be sure. Didn't help that my pi.hole blocks the coinhive.com domain either.

Mike W • 3 years ago

Neat.

For the wasm, could you have a cloudflare worker (or equivalent) respond to every request for a wasm file that did a similar thing with putting up a modal?

Troy Hunt • 3 years ago

I'm looking to someone who understands WASM to answer for me 🙂

YMEJD • 2 years ago

Did You Find answer ?

Troy Hunt • 2 years ago

No.

Nzall • 3 years ago

I'm a bit worried that those 1.4M compromised routers will be spamming people in Brazil and Indonesia constantly. They probably don't speak English enough to understand this blog, so all they'll see is a modal they can't read on every insecure page they visit. Have you at least put a check on the source IP so that if someone closes the dialog, they won't see it again?

Roger Hågensen • 3 years ago

Considering their router is compromised (who knows what else is running inside it?!) I'd say keep showing it each visit/session. Hopefully they'll get annoyed enough to post a picture of it on facebook and somebody will answer/help them.

Language and country detection can be quirky, but could be done.

Troy Hunt • 3 years ago

Roger nailed it. My immediate thought when reading Nzall's comment was "So someone's router has been maliciously compromised to intercept and modify traffic and the thing you're concerned about is the English text?!"

Having said that, there are two other thoughts I had and the first was not around IP checking but just dropping a cookie on the client to indicate the message had been seen therefore won't be shown again. I decided against this because I'd rather the message be annoying enough to do something about rather than just be dismissed. Let's not lose sight of the gravity of the situation here: something (either a website, library or router) has been maliciously compromised to serve malicious content and I'm happy for that to result in very "in your face" warnings.

The second thought was around the language and it's one of the reasons I've put the JS up on GitHub. If anyone would like to add localisation support to give people warnings in their own language, I'd love to push that feature out.

Adam Rosenfield • 3 years ago

Stupid but simple idea: don't try to detect the user's language, just display the same message in all of the most likely languages at the same time (English, Russian, Chinese, Portuguese, and maybe a couple more).

Troy Hunt • 3 years ago

I considered that too, but it gets *very* busy and still links through to a page entirely in English. Besides, I don’t need everyone to understand the message, I just need it to be brought to the attention of whoever runs the site.

Roger Hågensen • 3 years ago

Perhaps put small tabs with flags on them, so when they click a flag (representing a language they understand) they'll get text in that language.

https://uploads.disquscdn.c...

Suggestions:
English (obviously)
Chinese (simplified?)
Russian.

Basically the major regions you saw traffic from. Neighbouring countries tend to understand the same language. 5-8 should basically cover the world.

I think most of these flag artworks are public domain https://en.wikipedia.org/wi...

It might be important to get some media, particularly in those countries with most traffic originating from to do a story on this?!

Troy Hunt • 3 years ago

I'm happy to take a pull request for that 🙂

João Bortotti • 3 years ago

I'm Brazilian, I can translate to Portuguese (I'm not that familiar with GitHub).
However, IMHO, the warning should instruct people to reach the website owner and maybe say that it (the website) could do evil stuff. I mean, English speaker or not, the average person has no idea what a cryptominer is.
Edit: took my chances at GitHub and found the "skeleton" to translate! Ready to work!
Edit2: failed to interact there.... here goes the translated lines, if anyone may add there:
case 'pt-br':
// modalContent = 'pt-br: Este website tentou rodar um minerador de criptomoeda no seu navegador. %link%.';
// linkContent = 'pt-br: Clique aqui para mais informações';
break;
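The translation skeleton above is a switch on a language tag. As an added example (my own code, not from the post or its GitHub repository), here is the other half that such a table needs: resolving the browser's language preferences to the best available translation, with a fallback to English, and inserting the link without raw string concatenation. The English line is the modal wording quoted elsewhere in this thread, the pt-br line is João's translation; the function names and the info URL in the usage comment are assumptions of mine.

```javascript
// Added example: pick the modal text from the browser's language preferences.
// Translation table: key is a lowercase BCP 47-style tag. The English wording
// is the one quoted in this thread; pt-br is João's translation above.
const MESSAGES = {
  'en': {
    modal: 'This website attempted to run a cryptominer in your browser. %link%',
    link: 'Click here for more information',
  },
  'pt-br': {
    modal: 'Este website tentou rodar um minerador de criptomoeda no seu navegador. %link%',
    link: 'Clique aqui para mais informações',
  },
};

// Resolve a preference list such as navigator.languages
// (e.g. ['pt-BR', 'pt', 'en-US', 'en']) to a key of MESSAGES.
// Order of preference per entry: exact tag, bare language, any regional
// variant of that language. If nothing matches, fall back to English.
function pickLocale(languages, messages = MESSAGES) {
  for (const raw of languages || []) {
    const tag = String(raw).toLowerCase();
    if (messages[tag]) return tag;
    const base = tag.split('-')[0];
    if (messages[base]) return base;
    const variant = Object.keys(messages).find((k) => k.split('-')[0] === base);
    if (variant) return variant;
  }
  return 'en';
}

// Minimal HTML escaping. The message strings are static, but the link target
// comes from configuration, so it is never interpolated into markup unescaped.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build the modal's inner HTML: localised sentence with the %link%
// placeholder replaced by an anchor to the information page.
function buildModalHtml(languages, infoUrl, messages = MESSAGES) {
  const locale = pickLocale(languages, messages);
  const { modal, link } = messages[locale];
  const anchor = `<a href="${escapeHtml(infoUrl)}">${escapeHtml(link)}</a>`;
  return { locale, html: escapeHtml(modal).replace('%link%', anchor) };
}

// In a browser this would be used as:
//   const { html } = buildModalHtml(navigator.languages, 'https://example.invalid/info');
//   document.body.insertAdjacentHTML('beforeend', `<div class="warning">${html}</div>`);
// (the URL is a placeholder; the real modal links to the blog post above.)
```

Matching on the bare language first means a visitor whose browser only sends `pt` still gets the Brazilian Portuguese text rather than English, which is the case Nzall raised for Brazil.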

Also a WebmasterTim • 2 years ago

Important to note that flags do not represent languages. Many countries have multiple linguistic groups in their citizenry.

Adam Rosenfield • 3 years ago

That's fair.

bvmr events • 2 years ago

Thanks for posting.

M.A. Buth • 2 years ago

Ok, now I removed the coinhive script from my blog and I guess we wont meet again. Thank you for pointing me as admin to this issue. The blog has been "dead" for years and the script remained in there unnoticed until I checked it today.

Christopher Le • 2 years ago

Hey Troy,

Thanks for the great article, I heard about this hack a while back and wanted to learn more about the intricacies. You touched on the subject but I actually wanted to understand more deeply; if the visited website is completely transparent with its intention to mine crypto OR offer advertisements instead perhaps in a modal that appears upon the users arrival, ethically isn't this fine? Then the user has a choice on whether they would rather see ads or lend a thread for mining purposes.

My initial thought was that this would be a great alternative monetization method for website owners, because I personally hate seeing ads as they disrupt the UX. If the number of threads was cut to the minimum such that the users device does not slow down I would much rather have that. Any thoughts on this?

Thanks again!

Troy Hunt • 2 years ago

I think it's extremely messy. Most people aren't going to have any idea what "lend a thread for mining" means and won't be in a position to make an informed decision. Coinhive died because it ultimately wasn't a viable business model, perhaps that's the lesson to take away from this.

Jaiden Ranada • 2 years ago

Hey, I used to use the program on my website that doesn't run ads (I put in the popup version that asks for consent). I read some of the comments and it sounds like it runs even after you close the website. Is this true? I do not want to harm the users' PCs.

Troy Hunt • 2 years ago

It doesn't run once the website is unloaded.

Madis • 2 years ago

Great writeup, but you really shouldn't link everyone (site visitors and owners alike) here, they just don't understand most of it. Instead, a simple page that briefly describes what happened, what to do as an owner and what to do as a visitor would suffice.

Troy Hunt • 2 years ago

That’s not information I can cram into a modal on the impacted site, it needs more detail hence the link here. It’s easy to make the modal go away - remove Coinhive!

Cody N. Reed • 2 years ago

Crazy thing is... I thought the idea of no ads was so cool I actually took the time to put the damn thing on 1 page on my website, with an in-your-face notice that I would be using 2 threads of their CPU so I could remain productive while being free from Google, Facebook, and Amazon for funding.... then I heard the stupidity others were doing with the system and was really annoyed with both the hackers and the bloggers crying about a simple, elegant idea.... now I come to find that it was a complete waste of code for 3 years now

Emanuele Michetti • 2 years ago

My website has the message "this website attempted to run a cryptominer in your browser". How do I remove it, please?
Thanks

Troy Hunt • 2 years ago

By reading this blog post and following the guidance in it.

Zvyozdochka • 2 years ago

This is fascinating. It has always been a frightening mistake to allow execution on the client. In short, the internet was a mistake. :)

Rudinei Tavares • 2 years ago

Thanks! My website had this script, I managed to remove it.

I would never have known this had happened if I hadn't been posting the message.

Troy Hunt • 2 years ago

That’s fantastic, thanks for sharing!

Rudinei Tavares • 2 years ago

I thank you Troy, I used a Wordpress template offered for free. I imagine that many people have been caught in this scam.

Sorry for my English, it's from Google Translate; I don't speak English fluently.

Ed • 2 years ago

Hey Troy, great article, had a good laugh!

FYI, it looks like your RSS link (https://feeds.feedburner.co...) has an invalid TLS certificate, and the view feed is broken.

Troy Hunt • 2 years ago

Looks fine to me and given Google runs it, I’d be surprised if they screwed that up. What cert are you seeing?

Alade Adeleke • 3 years ago

Hi Troy, how do I stop the pop-up from appearing on my site? Thank you

Troy Hunt • 3 years ago

That’s explained in the blog post above.

Alade Adeleke • 3 years ago

My point is I did not understand what was shared above, hence my asking. Kindly share a link or the paragraph where I can find the relevant information. Counting on it, thank you.

Taylor Robinson • 2 years ago

Search through all your files on your website for coinhive and then remove all references to Coinhive.
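A plain text search for "coinhive" finds the stock loader but not a copy that was renamed or served from elsewhere. As an added example (my own code, not from the post or its repository), the scanner below does both: it reports every line mentioning Coinhive and lists every third-party host any `<script src>` points at, so the owner can review hosts they do not recognise. The sample `footer.php` in the usage note is constructed; the `coinhive.min.js` URL and `CoinHive.Anonymous` call in it are how the Coinhive loader was commonly embedded, included here as sample input rather than as a claim about any particular site.

```javascript
// Added example: find Coinhive references and external script hosts in a site's files.
const COINHIVE = /coinhive/i;
// Captures the src value of a <script> tag, quoted or not.
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Scan one file's text. Returns the lines that mention Coinhive (with line
// numbers) and the sorted set of hostnames that external <script src> tags load from.
function scanSource(text) {
  const hits = [];
  const hosts = new Set();
  text.split(/\r?\n/).forEach((line, i) => {
    if (COINHIVE.test(line)) hits.push({ line: i + 1, text: line.trim() });
    for (const m of line.matchAll(SCRIPT_SRC)) {
      let src = m[1];
      if (src.startsWith('//')) src = 'https:' + src; // protocol-relative URL
      try {
        hosts.add(new URL(src).hostname);
      } catch (_) {
        // relative path: same-origin script, not an external host
      }
    }
  });
  return { hits, hosts: [...hosts].sort() };
}

// Walk a directory tree and scan files with the given extensions (a typical
// WordPress install keeps the injected loader in a theme's .php files).
// fs/path are required lazily so scanSource stays usable in the browser too.
function scanTree(root, exts = ['.php', '.html', '.htm', '.js', '.tpl']) {
  const fs = require('fs');
  const path = require('path');
  const results = [];
  (function walk(dir) {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (entry.name === '.git') continue;
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) { walk(full); continue; }
      if (!exts.includes(path.extname(entry.name).toLowerCase())) continue;
      const { hits, hosts } = scanSource(fs.readFileSync(full, 'utf8'));
      if (hits.length || hosts.length) results.push({ file: full, hits, hosts });
    }
  })(root);
  return results;
}

// CLI: node scan.js /var/www/html
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanTree(process.argv[2] || '.')) {
    for (const h of r.hits) console.log(`${r.file}:${h.line}: ${h.text}`);
    if (r.hosts.length) console.log(`${r.file}: loads scripts from ${r.hosts.join(', ')}`);
  }
}
```

Treat the host list as the more important output: after removing the Coinhive lines, any host you did not add yourself deserves the same scrutiny, since the free template that Rudinei mentions could just as easily have pulled the miner from a domain with a less obvious name.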

Rasmus Kors • 3 years ago

I'm not even that technical nor educated in this field, yet I find this overtake and overlay notification genial. Keep it up!

Giorgi • 3 years ago

Looks like most of Georgia's users were mining crypto. We are only 3.4 million.

Steven de Cuba • 3 years ago

How do I remove this sign from my website?

Troy Hunt • 3 years ago

Remove Coinhive from your site! Read the blog post in its entirety, especially the paragraph beginning with "So, what's the fix?"

I was really intrigued by the idea of injecting headers into the site with FiddlerScript to do CSP testing/review. This was a great post, thanks Troy! I found the filters tab in fiddler a bit easier to work with if anyone else is trying to replicate this technique.