This article is more than 1 year old

Remember cryptojacking from way, way back (2019)? Site infections are down 99% – thanks to death of Coinhive

Not totally eradicated yet, ads make more dosh

Cryptojacking, the theft of computing power to mine digital currency, has been around at least since 2013 – and has shrunk in use dramatically with the death of Monero-mining service Coinhive.

Since Coinhive's closure last year, cryptojacking has been almost eliminated, according to a group of researchers from the University of Cincinnati in America, and Lakehead University in Canada, because online ads generate more revenue.

Coinhive provided JavaScript code that websites could incorporate to make visitors' computers mine Monero, a cryptocurrency that happens to appeal to cybercriminals because it's difficult to trace. Though Coinhive's code was marketed as a monetization alternative to advertising, it was quickly abused – a mining script can also be injected into a website by hackers without the site owner's knowledge.

Cryptojacking illustration

Cryptojacking isn't a path to riches - payout is a lousy $5.80 a day


When the service launched in September 2017, Monero could be exchanged for about $100 apiece. By early January, 2018, its price peaked at almost $500.

On March 8, 2019, Coinhive shutdown because, the company said, the project was no longer economically viable. The price of Monero then was about $50 and today it's trading at around $35.

In a paper [PDF] distributed through ArXiv, "Is Cryptojacking Dead after Coinhive Shutdown?", presented earlier this month at the third International Conference on Information and Computer Technologies in Santa Clara, Calif., boffins Said Varlioglu, Murat Ozer, and Bilal Gonen (U. Cincinnati), and Mehmet F. Bastug (Lakehead U.) found that cryptojacking mostly vanished with the departure of Coinhive.

The researchers used a cryptojacking detector known as CMTracker to look for cryptojacking code. They evaluated 2,770 websites, manually and automatically, that had been flagged by CMTracker before the Coinhive shutdown. And 99 per cent of them no longer run cryptojacking code. The remaining 1 per cent still do, using eight distinct mining scripts.

  • */perfekt/perfekt.js
  • */tkefrep/tkefrep.js

These scripts were subsequently spotted on 632 websites in the wild. That's a significant decrease from 2017 when Coinhive code alone could be found on more than 30,000 websites.

The researchers point to a 2019 research paper [PDF], "Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of Cryptojacking," that found ads are 5.5x more profitable than web-based cryptocurrency mining and that mining-focused websites need to keep a visitor's mining tab open for at least 5.53 minutes to generate more revenue than online ads.

That's based on a website with three ad slots priced at $1 per thousand impressions that receives 100,000 visitors a month.

That same paper also noted the consequences of cryptojacking to victims: increasing device temperature by up to 52.8 per cent, decreasing performance by up to 57 per cent, and multiplying CPU usage up to 1.7x, all of which show up in the victim's electricity bill.

Among those still carrying out cryptojacking operations, modern web technology like WebSockets, WebWorkers and WebAssembly commonly play a role. The researchers from U. Cincinnati and Lakehead U. observe that miscreants tend to place their code on free movie websites because victims will remain there on the same page for a long time.

"It is still alive but not as appealing as it was before," the researchers explain in their paper. "It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining." ®

More about


Send us news

Other stories you might like