Cryptojacking isn't a path to riches - payout is a lousy $5.80 a day

Hackers shouldn't quit their day scams if they want to eat

Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.

In a paper distributed via ArXiv, researchers Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck analyzed the prevalence of cryptomining on websites and found that 1 out of every 500 of the top million Alexa-ranked sites hosts cryptojacking code.

Where cryptocurrencies like Bitcoin depend on CPU cycles for solving the computational puzzles that generate currency, cryptocurrencies like Monero, Bytecoin, and Electroneum rely on memory resources. Commodity hardware can't compete with GPUs and ASICs in the computation of Bitcoin hashes, but it can help churn out memory-bound calculations. That's made pretty much any internet user's hardware potentially useful for those looking to turn stolen processor time into something of value.

Cryptojacking code gets placed on websites, either as a result of a security flaw or deliberate action by the site owner. The two most common libraries are CoinHive and Advisorstat, the researchers say. When someone visits a site that implements these or similar libraries, the visitor's device will begin cryptographic number crunching and credit the work to someone else, the attacker or site owner, with the software's developers also taking a cut.

Fine in theory, sucks in practice

In theory, this can be remunerative. The researchers calculate that a cryptomining script on a popular website like Pornhub, with 81 million visitors a day last year, could earn US$50,208 per day, at an exchange rate of US$225 per XMR (Monero). That's less than the $81,000 per day the site would earn from advertising, based on a CPM of US$1.

But on average, most cryptojackers don't earn much. "With a hash rate of 80 H/s and CoinHive’s payout ratio, a miner earns about US$5.80 per day per website on average, which supports our observation that web-based cryptojacking currently provides only limited profit," the paper explains.

The ten most profitable cryptomining sites identified generate between US$119 and US$340 per day.

Existing detection methods – static blacklists – fall short, the researchers contend, noting that their approach, which mixes static and dynamic analysis, performs better. And they argue that browser makers should move toward mining-aware browsing by implementing tab-based CPU quotas to detect unauthorized mining.




"The only reliable indicator in the presence of an adversary that actively tries to avoid detection is the measurement of prolonged and excessive CPU usage," they say.
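The sustained-usage check described above, sketched as an added example (not code from the paper or from any browser): a per-tab sliding window that flags a tab only when CPU use is both excessive and prolonged, so a page-load burst does not trip it. The threshold, window length and the three per-second traces are constructed assumptions.

```javascript
// Added illustration. Quota values are assumptions, not figures from the paper.
const QUOTA = { cpuThreshold: 0.8, windowSeconds: 60, minBusyPercent: 90 };

// samples: [{ t: seconds, cpu: 0..1 }] for one tab, ordered by time.
// Returns the time at which the tab first exceeds its quota, or null.
function firstQuotaViolation(samples, quota = QUOTA) {
  const start = samples.length ? samples[0].t : 0;
  const win = [];
  let busy = 0; // samples in the window at or above cpuThreshold
  for (const s of samples) {
    win.push(s);
    if (s.cpu >= quota.cpuThreshold) busy++;
    // Evict samples that have aged out of the window.
    while (s.t - win[0].t >= quota.windowSeconds) {
      if (win.shift().cpu >= quota.cpuThreshold) busy--;
    }
    // Judge only once a full window of history exists ("prolonged").
    const fullWindow = s.t - start >= quota.windowSeconds;
    // Integer comparison avoids floating-point edge cases at the boundary.
    if (fullWindow && busy * 100 >= quota.minBusyPercent * win.length) {
      return s.t;
    }
  }
  return null;
}

// Build a constructed trace from [durationSeconds, cpu] segments, one sample per second.
function trace(segments) {
  const out = [];
  let t = 0;
  for (const [dur, cpu] of segments) {
    for (let i = 0; i < dur; i++) out.push({ t: t++, cpu });
  }
  return out;
}

// Constructed sample tabs (hypothetical names and loads).
const TABS = {
  "news-article": trace([[10, 0.95], [170, 0.05]]),            // load burst, then idle
  "video-player": trace([[5, 0.9], [60, 0.35], [5, 0.9], [110, 0.35]]), // steady moderate load
  "hidden-miner": trace([[8, 0.4], [172, 0.97]]),              // sustained near-full load
};

function flaggedTabs(tabs, quota = QUOTA) {
  return Object.entries(tabs)
    .filter(([, samples]) => firstQuotaViolation(samples, quota) !== null)
    .map(([name]) => name);
}

console.log(flaggedTabs(TABS));
```
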

Underscoring the interest in cryptojacking among miscreants, security biz Talos on Thursday delved into the doings of an individual identified as "Rocke," whom the firm links to a number of recent malicious mining campaigns.

Rocke, says David Liebenberg, senior threat analyst at Talos in a blog post, operates from China's Jiangxi Province, based on details in various associated code repositories and email accounts. The firm anticipates that Rocke will continue to deploy browser-based miners, trojans, and the Cobalt Strike malware, while also exploring social engineering attacks.

"Despite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating," said Liebenberg. "Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals." ®
