Web-based cryptocurrency mining, also known as cryptojacking or drive-by mining, never stood a chance to become an alternative revenue stream or replace classic ads.
According to new academic research published this month, a website that includes three ads makes 5.5 times more revenue than a website that deploys a cryptojacking script for the average duration of a web visit.
To become profitable, a website using web-based cryptojacking scripts would need to keep a user on its pages for more than 5.53 minutes, researchers said.
In-browser mining slows downs PCs
But keeping users on sites with cryptojacking scripts has negative side effects on the user's device, as the web-based mining script quickly bogs down resources and slows down the user's device.
Researchers -- from the University of Crete and the University of Illinois at Chicago -- said that websites that utilize cryptojacking scripts end up gobbling up 59 times more of the user's CPU than a website showing ads.
Websites with cryptojacking scripts also require 1.7 times more RAM than classic ad-supported websites.
Also, cryptojacking-supported sites generate 3.4 times more background traffic than ad-supported sites, as they need to constantly report their earnings back to the crypto-mining services.
Researchers also found that in-browser cryptocurrency miners also severely affect parallel running processes, with cryptojacking sites degrading the performance of parallel running applications with up to 57% when left in the browser's background.
All in all, the research team said that visiting a website utilizing cryptojacking scripts consumes on average 2.08 more energy than regular ad-based sites, and the user's device operates up to 52.8% higher temperatures.
Good on some sites, but bad for most
However, researchers conclude that cryptojacking can be an effective monetization scheme, but only for a certain class of websites, where users tend to spend a lot of time, such as movie streaming services or online games.
Here, in-browser miners have a good amount of time to gather revenue for the website operators, revenue that would have never been available just by showing a few ads at page load.
But for anything else, using classic ads will generate more profit and avoid annoying users with scripts that spike their CPUs and slow down their devices, which may lead to reputational damage to websites that engage in such practices.
Cryptojacking is dead
The phenomenon of web-based cryptojacking has mostly died down these days, after experiencing an explosion in late 2017 and throughout 2018.
When it launched, it was touted as an alternative revenue stream for the classic ad-supported model -- which has its own and many flaws.
However, in-browser mining never caught on with popular websites, and it was mostly abused by cybercrime groups who hacked into legitimate websites and left hidden cryptojacking scripts behind to mine Monero on site visitors' devices without permission.
Most cryptojacking operations went dead after the Coinhive service shut down in March 2019, and, according to Malwarebytes, most websites still running in-browser miners are abandoned sites that have been hacked in the past two years and nobody bothered to clean them.
ZDNet readers can find out more details in a pre-print of the "Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of Cryptojacking" white paper that is going to be presented in September this year at the 22nd Information Security Conference (ISC), in New York, USA.
Related cybersecurity coverage:
- Facebook files lawsuit against two Android app developers for click fraud
- Google researchers disclose vulnerabilities for 'interactionless' iOS attacks
- AT&T employees took bribes to plant malware on the company's network
- US military purchased $32.8m worth of electronics with known security risks
- GitHub sued for aiding hacking in Capital One breach
- Cisco to pay $8.6 million for selling vulnerable software to US government
- iOS developers still failing to build end-to-end encryption into apps TechRepublic
- The best identity theft monitoring services for 2019 CNET