The service became notorious for its use by ne’er-do-wells looking to make a quick buck by hijacking the processing power of victim machines to generate virtual money
In a short blog post on Tuesday, the operators of the Germany-based service wrote that their in-browser Monero miner will discontinue on March 8. The shutdown of a script that debuted in September 2017 is due to multiple reasons, but all of them revolve around actual money – the operation is deemed to be no longer “economically viable”.
Meanwhile, security journalist Brian Krebs cited security researcher Troy Mursch of Bad Packets Report as saying that the service has grown unpopular with miscreants due to its high fees, prompting them to take their “business” elsewhere.
The other side of the coin
Coinhive was touted as a way for website owners to generate revenue other than via ads, doing so by enabling websites to use visitors’ computing resources to mine for Monero, presumably with their consent. That said, the soon-to-be-defunct script made a name for itself due to its deployment for malicious cryptojacking attacks, which roughly coincided with the dramatic rise in the prices of digital currencies.
In those campaigns, miscreants would typically inject a mining script into a website and surreptitiously mine Monero for their Coinhive accounts. This entailed gobbling up the computing power of the visiting machines, leaving their owners with degraded system performance and higher energy bills. In one instance, almost 4,300 websites inadvertently became part of a cryptojacking attack, as they all loaded a plugin that had been maliciously tainted to add Coinhive code.
With Coinhive’s demise, all mining operations using the script, including the covert ones, are set to come to a grinding halt. However, that’s not to say that we should all heave a collective sigh of relief, as Coinhive has spawned a number of copycat services.
Over the months, Coinhive and numerous similar scripts have been detected on thousands of websites, including many legitimate but compromised websites, as well as in browser extensions and plugins and on typo-squatted domains.
In addition, malicious mining code has also been detected on unpatched enterprise servers and supplied alongside additional malware, as well as via malvertising campaigns and third-party add-ons for a media player.