It’s become a bit of a cliché now to talk about the fact that hackers are executing malware on unsuspecting computers to use their system resources to mine cryptocurrency. But here we are, and we’ve reached “peak coinjack”.

An open-source application was recently released that allows anyone to execute a “man-in-the-middle” (MITM) attack on a public access point.

Called “CoffeeMiner” by its developers, it injects JavaScript code into every web page that anyone on the network visits, and uses their CPUs to mine Monero or any other cryptocurrency that can be mined through JavaScript.

When a client wants to visit a webpage, it must first send the request—addressed to the destination server—to the router.

The router then picks up the response from the server and sends it to the client.

Using CoffeeMiner’s MITM software, the attacker intercepts this communication, inserts their own code into the server’s response, and hands it to the client as though it were the wireless access point.

This effectively makes the attacker the “middleman” between the client and server, which is where this style of attack gets its name.

After analyzing the code, we found that CoffeeMiner is a simple Python application that does not ship with the mining script the attacker needs to turn a profit.

However, by pasting CoinHive’s script into “/miner_script/script.js”, the attacker suddenly gains this ability.

For now, all that “script.js” contains is a popup alert that shows the victim that the script is running.

Also, the MITM attack does not cover the entire network, since the attacker has to manually type the victims’ IP addresses into a text file for it to work.

Although inefficient—probably because the developers intended it to be an academic project—CoffeeMiner can easily be retrofitted by an amateur Python developer to transform it into an efficient cryptojacking tool.

The CoffeeMiner tool—or something very similar—may have been responsible for the MITM attack that happened at a Starbucks store in Argentina in mid-December last year.

Some circumstantial evidence points to this, including the fact that CoffeeMiner was first publicly committed to GitHub just six days after that attack.