
Anne O'Neamous • 1 year ago

Just put your own cryptominer in there! 🙂

Two small typo: "single infected routed" <-- router

Keep up the excellent work! :)

Anne O'Neamous • 1 year ago

ONE small typo... sheesh!

Troy Hunt • 1 year ago

Cheers, fixed!

Shayan Eskandari • 1 year ago

We published the first paper on this subject early on, I believe before Coinhive was gone. We used similar research methodologies, but much more limited so as to fit in a paper. A first look at browser-based cryptojacking: https://ieeexplore.ieee.org... (No paywall: https://arxiv.org/pdf/1803.... )

matrix • 1 year ago

Just curious, how much could you obtain a domain for that had been making $250k monthly ? :-)

Troy Hunt • 1 year ago

$0.

Hamid Nazari • 1 year ago

Great stuff, Troy. CSP and report-uri sound great, but couldn't men in the middle in that case modify the headers themselves?

Troy Hunt • 1 year ago

Yes, so protect your transport layer properly and that won't happen! We're well beyond the point of discussing whether or not a site should be using HTTPS, that's just a given these days (but clearly based on this post, a bunch of sites still aren't getting that...)
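The point of the exchange above is that a Content-Security-Policy header with a report-uri only helps once it reaches the browser unmodified, which is what HTTPS guarantees. As an added example (not code from the post or the comments), here is a minimal evaluator for the script-src part of such a header: it answers "would a script from this URL be allowed to run?" and extracts the report-uri that violation reports are sent to. The policy, page URL and script URLs are constructed for illustration; ports, nonces, hashes and 'strict-dynamic' are deliberately not handled.

```javascript
// Added example: a minimal CSP script-src evaluator. Not the post's code.

// Split "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Does one source expression permit the script URL? Handles 'none', 'self',
// scheme sources ("https:") and host sources with an optional scheme and a
// leading "*." wildcard. Other keyword sources never match an external URL.
function sourceMatches(source, scriptUrl, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") {
    return scriptUrl.protocol === pageUrl.protocol && scriptUrl.host === pageUrl.host;
  }
  if (s.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scriptUrl.protocol === s;

  // Host source: [scheme://]host[:port][/path]. Port and path are ignored here.
  let scheme = null;
  let host = s;
  const withScheme = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (withScheme) {
    scheme = `${withScheme[1]}:`;
    host = withScheme[2];
  }
  host = host.split('/')[0].split(':')[0];
  if (scheme && scriptUrl.protocol !== scheme) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) {
    // "*.example.com" matches subdomains only, not the bare domain.
    const suffix = host.slice(1);
    return scriptUrl.hostname.endsWith(suffix) && scriptUrl.hostname.length > suffix.length;
  }
  return scriptUrl.hostname === host;
}

// True if the policy lets a page at pageHref load a script from scriptSrc.
function scriptAllowed(header, scriptSrc, pageHref) {
  const csp = parseCsp(header);
  // script-src falls back to default-src; with neither present, everything loads.
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (sources === undefined) return true;
  const scriptUrl = new URL(scriptSrc);
  const pageUrl = new URL(pageHref);
  return sources.some((src) => sourceMatches(src, scriptUrl, pageUrl));
}

// The endpoint browsers POST violation reports to, or null if none is set.
function reportUri(header) {
  return parseCsp(header).get('report-uri')?.[0] ?? null;
}

// Constructed sample: trust the site itself and one CDN, report everything else.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri https://example.com/csp-report";
const PAGE = 'https://example.com/index.html';

console.log(scriptAllowed(SAMPLE_POLICY, 'https://example.com/app.js', PAGE));        // true
console.log(scriptAllowed(SAMPLE_POLICY, 'https://cdn.example.com/lib.js', PAGE));    // true
console.log(scriptAllowed(SAMPLE_POLICY, 'https://coinhive.com/injected.js', PAGE));  // false (constructed URL)
console.log(reportUri(SAMPLE_POLICY));                                                // https://example.com/csp-report
```

With this policy, a third-party script injected into the HTML, whether by a compromised theme or by an on-path router, is refused by the browser and a report lands at the report-uri, so the site owner learns about it. Over plain HTTP the same injecting party can simply strip the header, which is why the answer above insists on the transport layer first.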

Roger Hågensen • 1 year ago

At first I thought this was a 1st of April joke. But I'm kinda glad you don't follow that trend.

It is still confusing that lots of companies release business news on the same day. But I guess it's a nice way to sneak out news in a soft way (It'll take like a week before people are sure it's a joke or not) :P

Greg Williams • 1 year ago

Had to check the whois myself to be sure. Didn't help that my Pi-hole blocks the coinhive.com domain either.

Mike W • 1 year ago

Neat.

For the wasm, could you have a cloudflare worker (or equivalent) respond to every request for a wasm file that did a similar thing with putting up a modal?

Troy Hunt • 1 year ago

I'm looking to someone who understands WASM to answer for me 🙂

YMEJD • 1 year ago

Did you find an answer?

Troy Hunt • 1 year ago

No.

Nzall • 1 year ago

I'm a bit worried that those 1.4M compromised routers will be spamming people in Brazil and Indonesia constantly. They probably don't speak English enough to understand this blog, so all they'll see is a modal they can't read on every insecure page they visit. Have you at least put a check on the source IP so that if someone closes the dialog, they won't see it again?

Roger Hågensen • 1 year ago

Considering their router is compromised (who knows what else is running inside it?!) I'd say keep showing it each visit/session. Hopefully they'll get annoyed enough to post a picture of it on facebook and somebody will answer/help them.

Language and country detection can be quirky, but could be done.

Troy Hunt • 1 year ago

Roger nailed it. My immediate thought when reading Nzall's comment was "So someone's router has been maliciously compromised to intercept and modify traffic and the thing you're concerned about is the English text?!"

Having said that, there are two other thoughts I had and the first was not around IP checking but just dropping a cookie on the client to indicate the message had been seen therefore won't be shown again. I decided against this because I'd rather the message be annoying enough to do something about rather than just be dismissed. Let's not lose sight of the gravity of the situation here: something (either a website, library or router) has been maliciously compromised to serve malicious content and I'm happy for that to result in very "in your face" warnings.

The second thought was around the language and it's one of the reasons I've put the JS up on GitHub. If anyone would like to add localisation support to give people warnings in their own language, I'd love to push that feature out.

Adam Rosenfield • 1 year ago

Stupid but simple idea: don't try to detect the user's language, just display the same message in all of the most likely languages at the same time (English, Russian, Chinese, Portuguese, and maybe a couple more).

Troy Hunt • 1 year ago

I considered that too, but it gets *very* busy and still links through to a page entirely in English. Besides, I don’t need everyone to understand the message, I just need it to be brought to the attention of whoever runs the site.

Roger Hågensen • 1 year ago

Perhaps put small tabs with flags on them, so when they click a flag (representing a language they understand) they'll get text in that language.

Suggestions:
English (obviously)
Chinese (simplified?)
Russian.

Basically the major regions you saw traffic from. Neighbouring countries tend to understand the same language. 5-8 should basically cover the world.

I think most of these flag artworks are public domain https://en.wikipedia.org/wi...

It might be important to get some media, particularly in those countries with most traffic originating from to do a story on this?!

Troy Hunt • 1 year ago

I'm happy to take a pull request for that 🙂

João Bortotti • 1 year ago

I'm Brazilian, I can translate to Portuguese (I'm not that familiar with GitHub).
However, IMHO, the warning should instruct people to reach the website owner and maybe say that it (the website) could do evil stuff. I mean, English speaker or not, the average people have no idea what a cryptominer is.
Edit: took my chances at GitHub and found the "skeleton" to translate! Ready to work!
Edit2: failed to interact there.... here goes the translated lines, if anyone may add there:
case 'pt-br':
// modalContent = 'pt-br: Este website tentou rodar um minerador de criptomoeda no seu navegador. %link%.';
// linkContent = 'pt-br: Clique aqui para mais informações';
break;
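The translated lines above are meant for a per-language switch in the warning script. As an added example (not the script from the post's GitHub repository), here is one way to structure that localisation: a translation table keyed by language tag, plus a lookup that picks the best entry for the visitor's preference list (what navigator.languages returns in a browser). A regional tag falls back to its base language, then to any other regional variant, and finally to English. The pt-br strings are the ones posted in the comment above; the English strings and the helper names are constructed for this example.

```javascript
// Added example: language selection for the warning modal. Not the post's code.
const MESSAGES = {
  en: {
    // English wording constructed for this example.
    modal: 'This website attempted to run a cryptominer in your browser. %link%.',
    link: 'Click here for more information',
  },
  'pt-br': {
    // Strings posted in the comment above.
    modal: 'Este website tentou rodar um minerador de criptomoeda no seu navegador. %link%.',
    link: 'Clique aqui para mais informações',
  },
};

const DEFAULT_LANG = 'en';

// Returns the key in `messages` that best matches the visitor's preference list,
// trying exact tag, then base language, then any variant of that base language.
function pickLanguage(preferred, messages = MESSAGES) {
  const keys = Object.keys(messages);
  const findKey = (pred) => keys.find((k) => pred(k.toLowerCase()));
  for (const raw of preferred) {
    const tag = String(raw).toLowerCase();        // 'pt-BR' -> 'pt-br'
    const base = tag.split('-')[0];               // 'pt-br' -> 'pt'
    const key =
      findKey((k) => k === tag) ??                // exact: 'pt-br'
      findKey((k) => k === base) ??               // 'en-gb' -> 'en'
      findKey((k) => k.split('-')[0] === base);   // 'pt-pt' -> 'pt-br'
    if (key) return key;
  }
  return DEFAULT_LANG;
}

// Builds the modal text for the chosen language. The link text is returned
// separately so the caller creates the <a> element with DOM APIs instead of
// concatenating strings into innerHTML.
function buildWarning(preferred, messages = MESSAGES) {
  const lang = pickLanguage(preferred, messages);
  const { modal, link } = messages[lang];
  return { lang, text: modal.replace('%link%', link), linkText: link };
}

// In a browser the preference list would be navigator.languages; these are constructed.
console.log(buildWarning(['pt-BR', 'en']));
console.log(buildWarning(['de-DE', 'ja']).lang); // en
```

Adding a language is then a matter of adding one entry to the table, which is what a pull request for a new translation would contain.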

Also a WebmasterTim • 1 year ago

Important to note that flags do not represent languages. Many countries have multiple linguistic groups in their citizenry.

Adam Rosenfield • 1 year ago

That's fair.

bvmr events • 9 months ago

Thanks for posting.

M.A. Buth • 1 year ago

Ok, now I removed the Coinhive script from my blog and I guess we won't meet again. Thank you for pointing me as admin to this issue. The blog has been "dead" for years and the script remained in there unnoticed until I checked it today.

Christopher Le • 1 year ago

Hey Troy,

Thanks for the great article, I heard about this hack a while back and wanted to learn more about the intricacies. You touched on the subject but I actually wanted to understand more deeply; if the visited website is completely transparent with its intention to mine crypto OR offer advertisements instead, perhaps in a modal that appears upon the user's arrival, ethically isn't this fine? Then the user has a choice on whether they would rather see ads or lend a thread for mining purposes.

My initial thought was that this would be a great alternative monetization method for website owners, because I personally hate seeing ads as they disrupt the UX. If the number of threads was cut to the minimum such that the user's device does not slow down, I would much rather have that. Any thoughts on this?

Thanks again!

Troy Hunt • 1 year ago

I think it's extremely messy. Most people aren't going to have any idea what "lend a thread for mining" means and won't be in a position to make an informed decision. Coinhive died because it ultimately wasn't a viable business model, perhaps that's the lesson to take away from this.

Jaiden Ranada • 1 year ago

Hey, I used to use the program on my website that doesn't run ads (I put in the popup version that asks for consent). I read some of the comments and it sounds like it runs even after you close the website. Is this true? I do not want to harm the users' PCs.

Troy Hunt • 1 year ago

It doesn't run once the website is unloaded.

Madis • 1 year ago

Great writeup, but you really shouldn't link everyone (site visitors and owners alike) here, they just don't understand most of it. Instead, a simple page that briefly describes what happened, what to do as an owner and what to do as a visitor would suffice.

Troy Hunt • 1 year ago

That’s not information I can cram into a modal on the impacted site, it needs more detail hence the link here. It’s easy to make the modal go away - remove Coinhive!

Cody N. Reed • 1 year ago

crazy thing is... I thought the idea of no-ads was so cool I actually took the time to put the damn thing on 1 page on my website, with an in-your-face notice that I would be using 2 threads of their CPU so I could remain productive while being free from Google, Facebook, and Amazon for funding.... then I heard the stupidity others were doing with the system and was really annoyed with both the hackers and the bloggers crying about a simple, elegant idea.... now I come to find that it was a complete waste of code for 3 years now

Emanuele Michetti • 1 year ago

My website has the message "this website attempted to run a cryptominer in your browser". How do I remove it, please?
Thanks

Troy Hunt • 1 year ago

By reading this blog post and following the guidance in it.

Zvyozdochka • 1 year ago

This is fascinating. It has always been a frightening mistake to allow execution on the client. In short, the internet was a mistake. :)

Rudinei Tavares • 1 year ago

Thanks! My website had this script, I managed to remove it.

I would never have known this had happened if I hadn't been posting the message.

Troy Hunt • 1 year ago

That’s fantastic, thanks for sharing!

Rudinei Tavares • 1 year ago

I thank you Troy, I used a WordPress template offered for free. I imagine that many people have been caught in this scam.

Sorry my English from Google Translator, I don't speak English fluently.

Ed • 1 year ago

Hey Troy, great article, had a good laugh!

FYI It looks like your RSS link (https://feeds.feedburner.co... has an invalid TLS certificate, and the view feed is broken.

Troy Hunt • 1 year ago

Looks fine to me and given Google runs it, I’d be surprised if they screwed that up. What cert are you seeing?

Alade Adeleke • 1 year ago

Hi Troy, how do I stop the pop up from appearing on my site? Thank you

Troy Hunt • 1 year ago

That’s explained in the blog post above.

Alade Adeleke • 1 year ago

My point is I did not understand what was shared above, hence my asking. Kindly share a link or the paragraph where I can find the relevant information. Counting on it, thank you.

Taylor Robinson • 1 year ago

Search through all your files on your website for coinhive and then remove all references to Coinhive.
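For owners who are not sure what to look for, the search described above can be scripted. As an added example (not code from the post or the comments), here is a scanner that reports every line of a site's source referencing Coinhive and classifies the reference, so the owner knows whether to delete a script tag that loads the library or an inline block that starts it. The sample files and the site key value are constructed; on a real site each file under the web root would be read with fs.readFileSync and passed to scanSource.

```javascript
// Added example: find and classify Coinhive references in site source. Not the post's code.

// Classify a matching line so the report says what kind of thing to remove.
function classify(line) {
  if (/<script[^>]*\bsrc\s*=\s*["'][^"']*coinhive\.com/i.test(line)) return 'external script tag';
  if (/\bcoinhive\.\w+\s*\(/i.test(line)) return 'inline miner call';
  return 'other reference';
}

// Returns one hit per matching line: file, 1-based line number, kind and text.
function scanSource(filename, contents) {
  const hits = [];
  contents.split(/\r?\n/).forEach((line, idx) => {
    if (/coinhive/i.test(line)) {
      hits.push({ file: filename, line: idx + 1, kind: classify(line), text: line.trim() });
    }
  });
  return hits;
}

// Scans a map of filename -> contents and returns every hit across the site.
function scanSite(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Constructed sample site: the page loads the library, a theme file starts it.
const SAMPLE_FILES = {
  'index.html': [
    '<html>',
    '<head>',
    '<script src="https://coinhive.com/lib/example.js"></script>',
    '</head>',
    '<body>ok</body>',
    '</html>',
  ].join('\n'),
  'theme/footer.php': [
    '<?php /* theme footer */ ?>',
    '<script>',
    'var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");',
    'miner.start();',
    '</script>',
  ].join('\n'),
  'css/style.css': 'body { margin: 0; }',
};

const REPORT = scanSite(SAMPLE_FILES);
for (const h of REPORT) console.log(`${h.file}:${h.line} [${h.kind}] ${h.text}`);
```

Both the file that pulls in the library and the file that calls it have to go; removing only one leaves either a dead script tag or a reference that will break when the library is missing, and a theme or plugin update can reintroduce either, so the scan is worth repeating after updates.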

Rasmus Kors • 1 year ago

I'm not even that technical nor educated in this field, yet I find this overtake and overlay notification genial. Keep it up!

Giorgi • 1 year ago

Looks like most of Georgia's users were mining crypto. We are only 3.4 million

Steven de Cuba • 1 year ago

How do I remove this sign from my website?

Troy Hunt • 1 year ago

Remove Coinhive from your site! Read the blog post in its entirety, especially the paragraph beginning with "So, what's the fix?"

I was really intrigued by the idea of injecting headers into the site with FiddlerScript to do CSP testing/review. This was a great post, thanks Troy! I found the filters tab in fiddler a bit easier to work with if anyone else is trying to replicate this technique.