Coinhive’s Opt-In Version Barely Used, Says Malwarebytes

Malwarebytes published its analysis of cryptomining malware on Monday, revealing that Coinhive's "ethical" opt-in API doesn't see much use.

The number of times that Coinhive’s script has been associated with hackers is simply dizzying, with many websites hit by hijacking incidents that have visitors mining Monero without their knowledge or consent.

Malwarebytes has just finished an analysis of cryptomining malware and released a report guest-starring Coinhive. The study has revealed that the opt-in version of the mining script sees much less use than its “silent” version, which does not ask for visitors’ consent before using their CPUs to extract some Monero for the script operator’s wallet.

After describing the mining API and providing a bit of historical context, Malwarebytes goes on to depict the chaos that ensued after the initial release.

“Within weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. Similar to drive-by downloads, drive-by mining is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency. We witnessed an interesting campaign that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs,” the report reads.

The cybersecurity company continues its analysis by stating that Coinhive created an opt-in API that allows web visitors to choose whether they want their CPUs used for mining or not, taking this step to “fend off criticism.”

The telemetry analysis, however, shows that very few websites choose to use the new API, which is known as AuthedMine.

According to Malwarebytes, AuthedMine got 40,000 uses per day on average, whereas the “silent” API got more than three million.

The largest Coinhive-related incident that we know of involved a group of streaming sites that mined Monero — perhaps all of them unwittingly — from over a billion users per month.

Interestingly enough, Coinhive does not appear to be the only actor out there providing mining scripts to both legitimate websites and hackers.

Malwarebytes notes that services like Coinhave and Coinloot have popped up as copycats, with Coinhave even offering payouts with lower commissions than Coinhive: 20% versus 30%, respectively.