Cryptojacking may not be entirely dead following the shutdown of a notorious cryptomining service, but it isn’t very healthy, according to a paper released this week.

Cryptomining websites embed JavaScript code that forces the user’s browser to begin mining for cryptocurrency. The digital asset of choice is normally Monero, which is often used in cybercrime because of its enhanced anonymity features.

Some cryptomining sites sought the visitor’s permission to co-opt their browser, often in exchange for blocking ads. Others did it surreptitiously (which is what we call cryptojacking). Either way, one name kept cropping up in these cases: Coinhive.

Coinhive provided Monero cryptomining scripts for use on websites, retaining 30% of the funds for itself. It showed up on large numbers of cryptomining and cryptojacking sites. Researchers tracked these sites with a tool called CMTracker.

Monero underwent a hard fork and its price plummeted. This contributed to Coinhive shuttering its service in March 2019, claiming that falling prices made it economically unviable.

Given Coinhive’s popularity, how prevalent is cryptojacking now? That’s what researchers at the University of Cincinnati and Lakehead University in Ontario, Canada explored in their paper, “Is Cryptojacking Dead after Coinhive Shutdown?”

The researchers checked 2,770 websites that CMTracker had previously identified as cryptomining sites to see if they were still running the scripts. They found that 99% of sites had ceased activities, but that around 1% (24 sites) were still operating with working scripts that mined cryptocurrency. Manual checks on a subset of the sites found that a significant proportion (11.6%) were still running Coinhive scripts that were trying to connect to the operation’s dead servers.

So, where do these new scripts come from? The researchers found them linking back to eight distinct domains with names like hashing.win and webminepool.com. Searching on the eight domains surfaced 632 websites using their scripts. By far the most popular was minero.cc.
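As an added example (not code from the paper or from CMTracker), here is a minimal static audit that classifies a page's script tags against the domains named above. The hostname coinhive.com, the status labels, the function names and the sample page are assumptions made for illustration; the check only inspects script sources and does not establish that a script actually mines.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article; the paper's full list of eight is not given there.
DEAD_SERVICE = {"coinhive.com"}  # assumed hostname of the defunct Coinhive service
ACTIVE_POOLS = {"hashing.win", "webminepool.com", "minero.cc"}


def match_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def audit_page(html):
    """Map each flagged script URL to (status, matched domain)."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = {}
    for src in collector.sources:
        host = urlparse(src).hostname or ""  # also parses //host/path
        if (d := match_domain(host, DEAD_SERVICE)):
            findings[src] = ("dead-coinhive", d)   # script points at dead servers
        elif (d := match_domain(host, ACTIVE_POOLS)):
            findings[src] = ("active-miner", d)    # script from a still-live domain
    return findings


# Constructed sample page; the script paths are invented for illustration.
SAMPLE = """<html><head>
<script src="https://coinhive.com/lib/example.js"></script>
<script src="//cdn.minero.cc/lib/example.js" async></script>
<script src="/static/app.js"></script>
<script src="https://minero.cc.example.org/x.js"></script>
</head></html>"""
```

Calling `audit_page(SAMPLE)` flags the first two scripts and ignores both the same-origin script and the look-alike host, because matching is done on the parsed hostname rather than on a substring of the URL.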

Browser-based cryptominers often seek out certain online properties like movie streaming sites to help ensure that victims stay connected, the paper said. They can also use tricks like hidden pop-under windows to maintain a connection even after the user closes a browser tab, and technologies like WebSockets, WebWorkers and WebAssembly to make connections more robust and take direct advantage of client hardware.

The researchers said:

“Cryptojacking did not end after Coinhive shut down. It is still alive but not as appealing as it was before. It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the sites, ads are still more profitable than mining.”

Will browser-based cryptojacking stay suppressed? A lot depends on its profitability. Should Monero or some other cryptojacking-friendly currency grow sufficiently in value, there will doubtless be another rush to capitalise on it.

This study didn’t look at server-side cryptojacking. This has been a scourge for companies like Tesla, which saw cryptojacking hackers compromise its cloud-based servers in early 2018. Something similar happened to the LA Times. The advantage in those attacks is that the servers keep mining, whereas a home user may shut down their laptop or desktop at the end of the day.

