Hackers make $100k per month with fraudulent Monero mining

Mattie Hesen


There might be a downward trend in “cryptojacking”, but it seems revenue gains from using illegal mining software are on the rise. Digital Trends reports that RWTH University in Aachen, Germany, describes in detail how the browser-based miner Coinhive is used to produce more than $250,000 in Monero (XMR) per month (the trading value at the time of the report).

Coinhive didn’t start out with a bad purpose. Initially, the miner was designed to allow crypto-enthusiasts to contribute some of their spare computing power to mining on the Monero network. At its core, it is aimed at websites attempting to earn revenue without ads. In exchange for ad-free viewing, the user’s computer will slow down while mining coins.

However, hackers have set up Coinhive to send the XMR mined by users to their own digital wallets. This was done by hacking websites and secretly installing the malicious code. Coinhive has also been embedded into seemingly harmless browser extensions.

The report says:

“If we sum up the block rewards of the actually mined blocks over the observation period of four weeks, we find that Coinhive earned 1,271 XMR.”

Also, the Coinhive miner represents 1.8% of Monero’s hashing power. Despite Monero’s fluctuating trading value, the hackers are gaining over $100,000 a month, and 30% of the amount goes to the Coinhive developers.

Interestingly, the German research states that the fraudulently mined Monero went to only 10 wallet addresses. It seems attackers employ a “short link” service to redirect ads to their servers and pay a commission to website administrators. The researchers explained that the creator of the short link gets a share of the block reward mined by all the users visiting the short links.

The research team from the German RWTH University ran a “WebAssembly” script to detect web-based mining software running online. The scan results show Coinhive is the most prevalent, as it accounted for 75% of mining usage.

Coinhive is based on JavaScript, and since it’s such a popular programming language, the miner became a preferred target for attackers. So far it has affected various websites, including those belonging to the government and corporations.