The longer the Coinhive script remains on a compromised site, together with the number of visitors and how long they stay, directly correlates with the profitability of the cryptojacking session. The operating cost, however, is still nearly zero for the threat actor (hacker) planting the script: the processing burden of Coinhive falls solely on the client (end user). This leads to rapid battery drain and higher energy costs for the affected devices.
Since PublicWWW presented the most results, I chose their dataset to analyze. I began cataloging the domain names found by extracting the Coinhive Site Key from each site. Once this was completed, I was able to correlate a single site key to multiple Coinhive infested sites.
NOTE: I also used my own tools to independently verify the PublicWWW results. I felt confident in the data they provided after I had scanned the top 11,000 Coinhive infected sites myself and correlated the results.
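The key extraction and correlation step described above, as an added illustration (not the author's own tooling): it pulls the site key out of the Coinhive loader snippet on each page and groups domains by key. The sample pages, domains and keys are constructed for this example, and the 32-character alphanumeric key format is an assumption.

```python
import re
from collections import defaultdict

# Matches the Coinhive loader pattern new CoinHive.Anonymous('<site key>')
# or CoinHive.User('<site key>', '<user>'). The 32-character alphanumeric
# key length is an assumption made for this example.
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{32})['\"]"
)

# Constructed sample pages (domain, HTML fragment). The domains and keys are
# made up for this example; they are not the keys reported in the post.
KEY_A = "A" * 16 + "1" * 16
KEY_B = "B" * 16 + "2" * 16
SAMPLE_PAGES = [
    ("1234.ir", "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                f"<script>var miner = new CoinHive.Anonymous('{KEY_A}'); miner.start();</script>"),
    ("abc.ir", f'<script>var m = new CoinHive.Anonymous("{KEY_A}", {{throttle: 0.3}});</script>'),
    ("shop.example", f"<script>new CoinHive.User( '{KEY_B}', 'visitor-1' ).start();</script>"),
    ("clean.example", "<html><body>No miner here.</body></html>"),
]


def extract_site_keys(html):
    """Return the set of Coinhive site keys referenced in one page."""
    return set(SITE_KEY_RE.findall(html))


def correlate_keys(pages):
    """Map each site key to the sorted list of domains that load it."""
    by_key = defaultdict(set)
    for domain, html in pages:
        for key in extract_site_keys(html):
            by_key[key].add(domain)
    return {key: sorted(domains) for key, domains in by_key.items()}


def rank_keys(pages, min_domains=1):
    """List (key, domain_count) pairs, most widely deployed key first."""
    by_key = correlate_keys(pages)
    ranked = [(k, len(d)) for k, d in by_key.items() if len(d) >= min_domains]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    grouped = correlate_keys(SAMPLE_PAGES)
    for key, count in rank_keys(SAMPLE_PAGES):
        print(f"{key}: {count} site(s) -> {grouped[key]}")
```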
The number of websites tied to one Coinhive Site Key was somewhat astounding. This correlation was also recently noted by security researcher Willem de Groot, who found 2,496 infected online stores, of which 85% were linked to only two Coinhive accounts.
The most used Coinhive Site Key I found was:
This one key was used on 4,722 sites. Almost all of the sites used the top-level domain “.ir” (the ccTLD for Iran). Most of the domain names were either four characters long and made up only of random numbers, or three characters long and made up only of random letters.
Example “numbers only” domains:
Example “letters only” domains:
Example “other” domains:
All domains were registered to a “Mohammad Khezri” of Iran. A reverse WHOIS search on DomainTools.com shows 6,040 domains registered to him. These domains appeared to be parked using a service called DNS4.IR that uses Coinhive to monetize the traffic.
Other individual Coinhive Site Keys were associated with a large number of domain names. Site keys that were found on 100+ domains are shown below. I sampled the content of a handful of sites found for each key. I also looked for trends in the nameservers (NS) used for each domain. This allowed me to get a general idea of the “theme” of each Coinhive Site Key used.
Overall, the bulk of the sites were either compromised websites or parked domains. The third-most used key no longer appeared to be actively engaged in cryptojacking and simply redirected to Bing.com.
The range of compromised sites varied greatly due to the sheer volume. Some notable and humorous sites that I encountered included:
Papa John’s Pizza – Puebla, Mexico
National Association of Doctors
In addition to Coinhive, a fake online pharmacy was found on their website.
Deposit Insurance of VietNam – Vietnamese equivalent of the FDIC
Ortel Communications (AS23772) – Large ISP in India
MacbookWarmer.com – “Stay Warm Whenever and Wherever”
While this one is clearly a well-thought-out spoof, cryptojacking is no laughing matter.
A PublicWWW search shows 4,260 WordPress sites running Coinhive. A “weather widget” plugin was recently banned from the WordPress plugin repository; however, other cryptojacking plugins are still available for site operators to use.
ProjectPoi (PPoi): 50
It’s clear the cryptojacking frenzy will continue into the near future. To protect yourself from cryptocurrency mining scripts while browsing, I recommend using any of the following Chrome extensions:
In the meantime, I will continue to monitor reports of cryptojacking while reviewing new Coinhive sites found daily.
For the latest updates on this topic, follow me on Twitter @bad_packets.