Exclusive: Security Expert Willem de Groot Speaks About Coinjacking in E-Commerce Sites

Willem de Groot, co-founder and former head of security at Byte.nl, spoke to us today about the CoinHive-based mining code he found injected into thousands of e-commerce websites.


On Tuesday, Willem de Groot, co-founder and former head of security at Byte.nl (a web host in the Netherlands serving more than 6,500 domains), published a post on his GitLab-hosted blog showing no fewer than 2,496 e-commerce websites running CoinHive's Monero mining script, which uses the CPU time of unsuspecting visitors to mine the cryptocurrency.

De Groot believes that attackers, not the site owners, are responsible: his findings show that 85 percent of the websites running the script reported to just two CoinHive accounts.

We had a chance to speak with him today about his discovery, how he arrived at these numbers, and what people can do to make sure their own computers aren't affected.

"I was sitting on the couch doing some shopping online, and then my laptop got hot. I dove into it and looked through our crawlers, which look for malware around the clock on the cached front pages of many sites. We were quickly able to see how many instances of this particular software were running,” de Groot told us.

“There are about 30,000 websites running it now, and the large part of it is 'gray area' sites—adult, illegal software, etc. I was surprised with the number of shops and other legitimate sites that are also running it,” he added.

While there is a small possibility that some of these websites added the script of their own volition, the numbers do not add up. Most of the sites running the script were reporting to the same CoinHive account, indicating that the code was injected by an attacker rather than added by each merchant individually.

“No sane merchant would offend their customers by stealing their battery. Also, the majority of the CoinHive instances are reported to the same ID, so it's only a few individuals or groups who operate this network,” de Groot said.

CoinHive's script works on the same principles as web advertising: a piece of third-party JavaScript, loaded from a known domain, that identifies the service provider and the account to be credited. Because ad blockers already block scripts by the domain they are served from, de Groot believes the best thing users can do to protect themselves is to run one.

“Ad blockers are very effective at blocking it. But I think that what we will see coming up next is that thieves might change the address. I've already seen a few examples where they re-route the malware through other domains that are not known yet. They register domains to evade ad blockers,” he told us.

Despite these problems, ad blockers remain the best bet for combatting this issue, according to him. 

“We need some centralized effort to maintain a list of all the domains that contain the malware. This is better suited to an ad blocker, for which most people report new malware to a central place,” he said.

CoinHive has been the subject of controversy for some time now, with major websites such as UFC.com testing the software even though most of their users already pay for access to the content.

High-profile websites such as Politifact have also fallen victim to injections like the ones de Groot found.

De Groot's numbers show that “coinjacking” is a far more widespread phenomenon than a couple of isolated incidents.