According to Adguard, 2.2 percent of the top 100,000 websites on Alexa are now mining through user PCs, many of them without asking for user permission, which has led many antivirus providers to brand the software as nuisanceware.
It is not just legitimate website operators who are looking to cash in on cryptocurrency, however.
Talos researchers say that as the value of cryptocurrency continues to surge, "mining-related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks."
Over the past several months, the research team has noticed a wave of new attacks designed to take advantage of the interest in cryptocurrency, as well as a "marked increase" in cryptocurrency mining software which has been delivered to PCs as a malicious payload.
A cryptocurrency miner delivered as a malicious payload, dubbed Dark Test, has been spotted in the wild. In addition, the RIG exploit kit has been delivering miners through Smokeloader over the past few months.
Internet of Things (IoT) devices, in particular, are an attractive target as they lend computing power which is far less likely to be noticed by a victim.
While often limited, IoT devices -- such as smart lighting, appliances, and security systems -- are not usually directly overseen by users, and so may generate income for attackers for long periods of time.
Talos estimates that an average compromised system which is running cryptocurrency mining software and depositing the proceeds into attacker wallets will generate roughly $0.28 in Monero per day.
This doesn't sound like much, but once you enslave 2000 systems, this could equate to $568 per day or over $200,000 per year.
"This is all done with minimal effort following the initial infection," the team notes. "More importantly, with little chance of being detected, this revenue stream can continue in perpetuity."
Talos noticed Chinese and Russian criminals discussing cryptocurrency miners in 2016, and the latter have begun developing and selling mining packages over the past six months, as well as touting access to compromised systems for the sole purpose of cryptocurrency mining.
Some botnets, such as Satori, can enslave millions of devices at a time. If a botnet focuses on IoT devices and each one is mining for cryptocurrency, the possibilities for fraudulent income are endless.
In one campaign utilizing a cryptocurrency mining botnet noticed by the team, the attacker amassed enough computing resources to mine cryptocurrency worth $184,000.
"Once the currency is mined, there is no telling what the attacker might do with it," Talos says. "This could become a long-term investment (or even retirement) scheme for these attackers -- sitting on this currency until it hits such a point where the attacker decides to cash in."