CoffeeMiner hijacks public Wi-Fi users' browsing sessions to mine cryptocurrency

A new attack called CoffeeMiner can exploit public Wi-Fi services to secretly mine cryptocurrencies.
Written by Charlie Osborne, Contributing Writer

A researcher has published a proof-of-concept (PoC) project called CoffeeMiner which shows how threat actors can exploit public Wi-Fi networks to mine cryptocurrencies.

Last week, a software developer called Arnau disclosed research into how public networks offering access to the Internet can be harnessed to generate revenue for attackers.

Interest in cryptocurrency has grown of late due to the surge in pricing for Bitcoin (BTC) and to a lesser extent, Ethereum (ETH). However, cryptocurrency has always been a common factor for some cyberattackers which utilize ransomware to force their victims to pay a "ransom" to gain access to compromised systems locked by malware.

According to the developer, public Wi-Fi may also now be a source of income for hackers that successfully pull off man-in-the-middle (MiTM) attacks to launch cryptocurrency miners.

The project, released to the public for academic study, leans upon the recent discovery of a cryptocurrency miner discovered on a Starbucks Wi-Fi network.

CoffeeMiner works in a similar way. The attacking code aims to force all devices connected to a public Wi-Fi network to covertly mine cryptocurrency.

The attack works through the spoofing of Address Resolution Protocol (ARP) messages by way of the dsniff library which intercepts all traffic on the public network.

Mitmproxy is then used to inject JavaScript into pages the Wi-Fi users visit. To keep the process clean, the developer injected only one line of code which calls a cryptocurrency miner.


The miner is then served through an HTTP server. The mining software in question is called CoinHive, which is used to mine Monero and is considered by some antivirus firms as a threat.

Once compiled, these elements come together as a single script which can be deployed by attackers on public Wi-Fi networks. Unwitting victims are rerouted through a server controlled by attackers and their devices will mine cryptocurrency as they browse.

The only limit is the amount of time a victim spends on a page. CoinHive works best when visits to a page average 40 seconds -- but this does not mean other cryptocurrency miners would not overcome this problem.

"The idea is to have the CoffeeMiner script that performs the ARPspoofing attack and set ups the mitmproxy to inject the CoinHive cryptominer into victims' HTML pages," the developer says.

See also: CES 2018 likely to feature a heavy dose of blockchain, cryptocurrency

Arnau has tested the attack in real-life scenarios, such as in coffee shops, and found CoffeeMiner to be successful.

"For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victim list," the developer added. "Another further feature could be adding sslstrip to make sure the injection also in the websites that the user can request over HTTPS."

How blockchain technology can transform our world

Previous and related coverage

    Quant Trojan upgrade targets Bitcoin, cryptocurrency wallets

    Popular malware updates have highlighted a growing trend in targeting Bitcoin stashes.

    500 million PCs are being used for stealth cryptocurrency mining online

    Your PC may be used to find cryptocurrency when you visit websites, with or without your consent.

    The risky business of bitcoin: High-profile cryptocurrency catastrophes of 2017

    As Bitcoin lurches toward mainstream acceptance, ZDNet reviews the high-profile disasters, data breaches, vulnerabilities, and criminal cases that shook up digital currency in 2017.

      Editorial standards