Cryptojacking malware Coinhive found on 30,000+ websites

Since first going mainstream with The Pirate Bay and Showtime, cryptojacking has quickly become a favorite revenue stream for cybercriminals. Cryptojacking typically begins after Coinhive (JavaScript code) is embedded on a compromised website. Unsuspecting visitors then begin mining the cryptocurrency Monero (XMR) in their browser.

How Cryptojacking Works
How cryptojacking works illustration by the European Union Agency for Network and Information Security (ENISA).

The longer the Coinhive script stays on a compromised site, in addition to the amount/duration of visitors, directly correlates to the profitably of the cryptojacking session. However, the operating cost is still nearly zero for the threat actor (hacker) planting the script. The processing burden of Coinhive is solely laid upon the client (end user). This leads to rapid battery drain and higher energy costs for the afflicted devices.

So how many websites have Coinhive embedded in them? This answer varies depending on the search engine used. To test, I searched for the name of the Coinhive JavaScript library, “coinhive.min.js” via four search engines: Censys, PublicWWW, Shodan, and ZoomEye. The following amount of Coinhive sites were found on 2017-11-04

Censys: 1,640
PublicWWW: 30,611
Shodan: 941
ZoomEye: 474

Since PublicWWW presented the most results, I chose their dataset to analyze. I began cataloging the domain names found by extracting the Coinhive Site Key from each site. Once this was completed, I was able to correlate a single site key to multiple Coinhive infested sites.

NOTE: I also used my own tools to independently verify the PublicWWW results. I felt confident in the data they provided after I had scanned the top  11,000 Coinhive infected sites myself and correlated the results.

The amount of websites tied to one Coinhive Site Key was somewhat astounding. This correlation was also recently noted by security researcher, Willem de Groot. He found 2,496 infected online stores, of which 85% were linked to only two Coinhive accounts.

The most used Coinhive Site Key I found was:

This one key was used on 4,722 sites. Almost all of the sites used the top-level domain “.ir” (ccTLD for Iran). Most of the domain names were four characters long consisting of only random numbers or three characters long consisting of only random words.

Example “numbers only” domains:

Example “letters only” domains:

Example “other” domains:

All domains were registered to a “Mohammad Khezri” of Iran. A reverse WHOIS search on shows 6,040 domains are registered to him. These domains appeared to be parked using service called DNS4.IR that uses Coinhive to monetize the traffic.

Other individual Coinhive Site Keys were associated to a large amount of domain names. Site keys that were found on 100+ domains are shown below. I sampled the content of a handful of sites found for each key. I also looked for trends in the Nameservers (NS) used for each domain. This allowed me to get a general idea of the “theme” of each Coinhive Site Key used.

Coinhive Site Keys found on 100+ domains organized by total domains associated.

Overall, the bulk of the sites were either compromised websites or parked domains. The third-most used key no longer appeared to be actively engaged in cryptojacking and simply redirected to

The range of compromised sites varied greatly due to the sheer volume. Some notable and humorous sites that I encountered included:

Papa John’s Pizza – Puebla, Mexico

Papa John's Pizza - Puebla, Mexico

National  Association of Doctors

National  Association of Doctors

In addition to Coinhive, a fake online pharmacy was found on their website.

National  Association of Doctors fake online pharmacy

Deposit Insurance of VietNam – Vietnamese equivalent of the FDIC

Vietnamese equivalent of the FDIC, Deposit Insurance of VietNam

Ortel Communications (AS23772) – Large ISP in India

Ortel Communications – “Stay Warm Whenever and Wherever”

While this one is clearly a well-thought-out spoof, cryptojacking is no laughing matter. - About

A PublicWWW search shows 4,260 WordPress sites are running Coinhive. A “weather widget” plugin was recently banned from the WordPress plugin repository, however other cryptojacking plugins are still available for site operators to utilize.

Various techniques have been used to spread the Coinhive infestation further, from Android apps to an open Amazon S3 bucket of

Coinhive is not the only JavaScript miner available for cryptojacking use. Many competitors have popped up in its wake. Using PublicWWW, I found JSECoin was in a distant second place behind Coinhive on 905 websites.

Non-Coinhive Miners Pie Chart

Non-Coinhive JavaScript cryptocurrency miners found on PublicWWW:
JSEcoin: 905
Crypto-Loot: 123
AFMiner: 77
ProjectPoi (PPoi): 50
Coinhave: 43
Coinerra: 11
MineMyTraffic: 3
Papoto: 1

It’s clear the cryptojacking frenzy will continue into the near future. To protect yourself from cryptocurrency mining scripts while browsing, I recommend using any of the following Chrome extensions:

uBlock Origin

Many anti-malware applications also block cryptojacking scripts, such as Malwarebytes and Avast.

A request has been made to Google Developers to add functionality in Chrome itself to block malicious JavaScript usage. Anyone can comment to share their feedback with Google here.

In the meantime, I will continue to monitor reports of cryptojacking while reviewing new Coinhive sites found daily.

For the latest updates on this topic, follow me on Twitter @bad_packets.

6 thoughts on “Cryptojacking malware Coinhive found on 30,000+ websites”

  1. These results are astonishing. I’ve been mostly working with censys datasets, with some more details using their bigquery datasets. Although I’m going to look into publicwww as well. However with the new method of obfuscation it might be harder to find out about new websites. I’d love to talk to you more about the paper I’m working on and given how fast pace this is changing I’d like to get the initial paper out as soon and as complete as possible.
    Please if you got a chance email me so we could chat about collaboration on this subject

  2. Great work, thanks for the info. I’ve been trying to follow up with your research and find sites that are still infected. I’ve downloaded your list of urls to a flat file and run this bash command “while read -r url; do echo $url; curl $url | grep coinhive;done /dev/null ” which should show websites that have coinhive in them, however I haven’t seen a single one and the script’s gone through about 200 already. Are all of the websites mentioned cleaned up already? Thanks!


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.