
    Backdoor coin-mining hacks are spreading as prices rise


    The dark underbelly of the Bitcoin boom


    Illustration by Alex Castro / The Verge

    The cryptocurrency boom has given rise to a new kind of malware attack, with attacks growing ever more frequent as coin prices rise. A report today from Symantec details a surge in coin-mining scripts, which are often planted by hackers in the background of public websites. Once running, the script uses the visitor’s CPU to mine cryptocurrency, a power-intensive process that can be far more lucrative than traditional malware.

    Anti-virus tools like Symantec’s typically identify and block such programs, giving the firm a clear view into how widespread the miners are on the open web. Miner programs seem to track tightly with the price of Monero itself, which means they’ve seen a surge of activity in recent weeks.

    Symantec’s data shows daily detections clearing three million for the first time at the end of November, just as prices were beginning to rise above $200. Notably, Monero’s price has risen considerably since that data, clearing $350 per coin on December 16.

    Chart of Monero price correlating with coin-miner malware detections

    Malicious mining programs typically mine the Monero currency rather than Bitcoin or Ethereum, drawn largely by Monero’s CPU-friendly hashing algorithm. Cryptocurrency prices tend to be tightly correlated, so Monero’s price has largely risen in sync with Bitcoin itself.

    The most popular background miner is Coinhive, which surfaced in September and was quickly blocked by a number of security firms. Coinhive’s official site has since disappeared in favor of an opt-in variant, but Symantec’s research shows the original plugin is alive and well.

    The plugins are most profitable when they can run in the background for significant periods of time, due to the nature of cryptocurrency mining. That’s made mining plugins particularly attractive for streaming sites, although they’re usually installed by third-party hackers without the permission of the site owners themselves. In September, Coinhive was discovered in the background of two Showtime websites. The application has also been discovered in Chrome extensions and was briefly installed by Pirate Bay as a purposeful revenue measure.

    Symantec also discovered miners in a number of Android apps. The resulting work would have been far less effective on underpowered mobile CPUs, but it hasn’t slowed the growth of the tactic. Symantec listed 35 separate Android apps with mining functions in 2017 so far, a 34 percent increase from last year.