The Coinhive crypto mining[1] code has been recently detected on more than 300 government and university websites worldwide, cyber security researcher Troy Mursch reported[2] Saturday, May 5. According to the report, all the affected websites are using a vulnerable version of the Drupal content management system.
As the researcher posted on Twitter[3] May 4, he was alerted to this particular campaign via the attack on the websites of the San Diego Zoo and the government of Chihuahua, Mexico. Both websites reportedly had Coinhive injected into their JavaScript libraries in the same way.
Coinhive is a JavaScript program created to mine Monero[4] (XMR) via a web browser. It is marketed[5] to website owners as an alternative form of monetization, instead of online advertising.
According to Mursch, this recent “high-profile” case of cryptojacking[6] – the use of another’s device to mine crypto without their knowledge – infected 348 websites, including such websites as The National Labor Relations Board, a U.S. federal agency, and the Lenovo user account website.
As Mursch discovered, most of the affected sites’ domains were in the U.S. and mainly hosted on Amazon[7]. The full list of infected websites is attached[8] to the original report.
Since its creation in 2017, malicious deployment[9] of the Coinhive miner has led to it becoming the number one “Most Wanted Malware”[10], according to a Jan. 2018 report.
Coinhive has in fact been used as an alternative to online ads, a use that can be less malicious but still misleading, by high-profile brands such as Salon[11] and The Pirate Bay[12].