Tech

Coinhive cryptojacking service to shut down in March 2019

Coinhive wanted to be an alternative to classic banner ads but it became malware after constant abuse.

Written by Catalin Cimpanu, Contributor Feb. 27, 2019 at 11:55 a.m. PT

Image: Coinhive // Composition: ZDNet

Coinhive, an in-browser Monero cryptocurrency miner famous for being abused by malware gangs, announced this week its intention to shut down all operations next month, on March 8, 2019.

The service cited multiple reasons for its decision in a blog post published yesterday.

"The drop in hash rate (over 50%) after the last Monero hard fork hit us hard," the company said. "So did the 'crash' of the crypto currency market with the value of XMR depreciating over 85% within a year."

"This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive," the company said.

Coinhive said all in-browser Monero mining will stop working after March 8, and registered users will have until April 30 to withdraw funds from their accounts.

The service, which launched in mid-September 2017, promoted itself as an alternative to classic banner ads.

It worked on the idea that websites could load a JavaScript file (coinhive.js) on their pages. This JS file would mine Monero inside visitors' browsers on behalf of the site owners. The more time the users spent on the site, the more money the site owner would make.

But despite some public experimentation on The Pirate Bay, Coinive never caught on with major websites, being fiercly criticized for driving CPU usage inside browsers through the roof.

Instead, Coinhive became the go-to solution for cyber-criminal gangs who proceeded to hack sites all over the internet and leave the Coinhive file configured to mine Monero for their accounts.

This practice became widely known under different names, such as "cryptojacking," "in-browser mining," or "drive-by mining" and it became a real problem in late 2017 and the first half of 2018, with Coinhive scripts ending up on government sites, live chat widgets, gaming mods, famous sites, fundraising campaigns, Youtube ads, ad networks, browser extensions, routers, mobile apps, and desktop applications.

This got Coinhive's domain banned in both antivirus products and ad blocker browser extensions alike.

Coinhive's success also led to a copycat trend with tens of similar services popping up online. However, for most of its lifetime, the German company remained the dominant force on the legal and illegal in-browser cryptojacking scene.

According to security researcher Troy Mursch, Coinhive had a market share of 62 percent in August 2018, and according to an academic paper, the company was making in an estimated $250,000 per month up until last summer.

Coinhive remains the leader in the #cryptojacking industry with a 62% share of all websites using a JavaScript cryptocurrency miner. pic.twitter.com/YKbZpQ3qmP
— Bad Packets Report (@bad_packets) August 16, 2018

Coinhive's decline came as its success --by riding the spike and inherent downfall of Monero's price. The service was wildly popular in 2017 and early 2018, but as prices dropped in late 2018, so did Coinhive's usage --on both legitimate sites and in malware operations.

Speaking to ZDNet in early December, Jérôme Segura, malware researcher at Malwarebytes, shared his views on the cryptojacking scene that was showing signs of decline even back then.

"While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices (i.e. MikroTik exploits)," Segura told ZDNet in December.

"As it stands, the profits generated from in-browser mining are not what they used to be, due to the decline in the value of cryptocurrencies," he said.

"Our telemetry shows a sharp decrease in Coinhive related traffic, although one of its competitors such as CoinIMP, have gained traction during the past few months," Segura said.

Speaking to ZDNet today, the Malwarebytes researcher stood by his December 2018 statement that in-browser cryptojacking, as a malware trend, is almost certain dead.

"There are still a lot of hacked sites with Coinhive code, but I have a feeling these are mostly remnants from past hacks," the researcher told us. "Most of what I see these days is CoinIMP [a Coinhive competitor] and it's been active again with Drupal hacks recently. But overall, I think the trend is nearing out."

Yesterday's announcement from Coinhive effectively puts an end to the in-browser cryptojacking trend that at one point dominated all of the security community's discussions in 2017 and 2018.