I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies.

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on.

You know how people don't like ads? Yeah, me either (at least not the spammy tracky ones that invade both your privacy and your bandwidth), but I also like free content on the web and therein lies the rub; how do content producers monetise their work if they can't put ads on pages? Well naturally, you "Monetize Your Business with Your Users' CPU Power" which was Coinhives's modus operandi. That's a link to the last snapshotted version on archive.org because if you go to coinhive.com today, you'll see nothing. The website is dead. However, it's now owned by me and it's just sitting there doing pretty much nothing other than serving a little bit of JavaScript. I'll come back to that shortly, let's return to the business model of Coinhive:

So, instead of serving ads you put a JavaScript based cryptominer on your victi... sorry - visitors - browsers then whilst they're sitting there reading your content, you're harvesting Monero coin on their machine. They're paying for the CPU cycles to put money into your pocket - ingenious! But there were two massive problems with this and the first one is probably obvious: it's a sleazy business model that (usually unknowingly) exploits people's electricity bills for the personal gain of the site operator. It might only be exploiting them a little bit (how much power can an in-browser JS cryptominer really draw?), but it still feels super shady. The second problem is that due to the anonymous nature of cryptocurrency, every hacker and their dog wanted to put Coinhive on any sites they were able to run their own arbitrary JavaScript on.

I'll give you a perfect example of that last point: in Feb 2018 I wrote about The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries wherein someone had compromised a JS file on the Browsealoud service and injected the Coinhive script into it. In that blog post I included the code Scott Helme had de-obfuscated which showed a very simple bit of JavaScript, really just the inclusion of a .js file from coinhive.com and the setting of a 32-byte key. And that's all an attacker needed to do - include the Coinhive JS, add their key and if they wished, toggle a few configurations. That's it, job done, instant crypto!

And then Coinhive was gone. (Also - "the company was making in an estimated $250,000 per month" - crikey!) The site disappeared and the domain stopped resolving. Every site that had Coinhive running on it, either by the design of the site owner or at the whim of a cryptojacker, stopped mining Monero. However, it was still making requests to the domain but without the name resolving anywhere, the only signs of Coinhive being gone were errors in the browser's developer tools.

In May 2020, I obtained both the primary coinhive.com domain and a few other ancillary ones related to the service, for example cnhv.co which was used for their link shortener (which also caused browsers to mine Monero). I'm not sure how much the person who made these available to me wants to share so the only thing I'll say for now is that they were provided to me for free to do something useful with. 2020 got kinda busy and it was only very recently that I was finally able to come back to Coinhive. I stood up a website and just logged requests. Every request resulted in a 404, but every request also went into a standard Azure App Service log. And that's where things got a lot more interesting.

Firstly, the high-level stats and as I was routing through Cloudflare, it was super easy to look at the volume of requests first:

That's a substantial number of requests; peaking at 3.63M in a day for a service that doesn't even exist anymore. But the number that really impressed me (if "impressed" is the right word here...) was the number of unique visitors per day:

Daaaamn! More than 2 years after Coinhive was gone and the miner is still embedded in enough places to be serving more than 100k unique visitors per day. Whoa. I wonder where they're all coming from?

Just for context, Have I Been Pwned (which sees about 200k visitors per day) has a geographical distribution as follows:

I'm loath to draw stereotypical conclusions about the association of hackers to Russia and China, but it's a bit inescapable here. Later on, when I analysed the various URLs that were injecting Coinhive, there was (anecdotally) a strong presence of Russian and Chinese websites.

Moving on, here's a typical log entry captured once I stood up the empty website:

#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

2021-03-27 02:59:32 COINHIVE GET /lib/coinhive.min.js X-ARR-LOG-ID=061e55e4-6380-4e88-a7f6-d4ea53071b71 443 - 172.69.166.8 Mozilla/5.0+(Linux;+Android+8.0.0;+ATU-LX3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/88.0.4324.181+Mobile+Safari/537.36 ARRAffinitySameSite=0e2a05ba3fa8945356c52a5d6a03ef6078571b96359db7d489b1580040a9fdec https://lookedon.com/ coinhive.com 404 0 2 470 1424 15
The JS file being requested is how Coinhive was usually embedded in a site. The IP is Cloudflare's (remember, they're a reverse proxy so it's their IP the website receives) and the response code is 404 as there was no resource to return. The referrer is the interesting one because this tells us where the script was requested from, in this case a website at lookedon.com. A quick glance at that site at the time of writing and yeah, that's a cryptominer in the HTML source:

Before we go any further delving into the ins and outs of cryptominers, I strongly recommend watching this video by Hugo Bijmans and Christian Doerr from the Delft University of Technology presenting at the USENIX Security Symposium a couple of years ago. It's only 21 minutes long and it gets straight to the point:

There's also a much more comprehensive paper from Hugo and colleagues titled Inadvertently Making Cyber Criminals Rich: A Comprehensive Study of Cryptojacking Campaigns at Internet Scale. If you want to go much deeper, have a good read through this. (Incidentally, I've been in touch with Hugo and we're discussing how to best use the data I'm logging for both research and defensive purposes.)

I pulled down several days of logs beginning 2021-03-27 and imported them into a DB where I could analyse things more easily (8.9M rows in total). I looked firstly at the content that was being requested (all subsequent figures exclude the cnhv.co link shortener domain unless otherwise stated):

The prevalence of the JavaScript miners is no surprise, and the Delft guys talk about the role of the WebAssembly (.wasm) in their paper. There were references to WASM in the original Coinhive script, but of course nobody has been loading that for quite some time so I can only assume it's being embedded by other means. The logs don't have a referrer on any of the WASM entries either so it's not clear where the requests are originating from: