Crypto-Loot

The browser cryptojacking scene has just expanded from one player to two with the recent launch of the Crypto-Loot service, a website that's eerily similar to the now notorious Coinhive in-browser miner.

The two services are identical, and both provide a simple JavaScript file that website owners can load on their sites to mine Monero using their site visitors' CPU power.

While both services allow website owners to keep the Monero funds mined on users' computers, there is a big difference in the revenue share. Compared to Coinhive, which keeps 30% and gives 70% to site operators, the upstart Crypto-Loot is trying to pull the rug from under Coinhive's feet by asking for only 12% and giving website owners 88%.

77% of users view in-browser mining as malware

Even though both are entirely legitimate services, these tools have most often been deployed by abusive site operators that mine for Monero without letting users know, without getting their approval, and without providing a way to turn the crypto-mining behavior off.

The number of cryptojacking abuses was so high compared to legitimate use cases that in a recent Twitter poll, 77% of all respondents considered in-browser mining technology as "malware," even if some sites did their due diligence and informed users in advance.

Crypto-Loot is a relatively new addition to the cryptojacking scene and still a small player, but we don't doubt we'll see it abused, just like Coinhive.

New Coinhive campaigns

The last time we covered Coinhive abuses, we reported malware authors embedding the library in Chrome extensions, typosquatted domains, and malvertising campaigns.

The script also made its presence felt on some big-name domains such as The Pirate Bay and Showtime, and on many more domains from the Alexa Top 1 Million.

The most notorious incidents involving sites loading Coinhive mining scripts without telling users are the websites of AirAsia, TuneProtect, and the official website of Real Madrid star Cristiano Ronaldo. Another list of affected sites is available in this Cyren blog post.

In addition, some Tor2Web proxies have also started to inject Coinhive scripts. A user might be accessing a Dark Web portal from his normal browser, but in reality, the Tor2Web proxy is secretly mining Monero on his PC.

Another place where we found Coinhive scripts was in FiveM, a modding platform for Grand Theft Auto V. Because FiveM GTA V mods allow mod creators to insert JavaScript files, some "clever" modders decided to make a quick buck by adding Coinhive to their mod or server code. The FiveM platform maintainers recently released an update that blocks Coinhive scripts inside FiveM mods.

Some legitimate Coinhive uses

A place where the Coinhive script was properly included is Iridium, a Chrome extension for fine-tuning YouTube's interface. The Coinhive miner is enabled by default, but the extension's developer provided an option to turn the crypto-mining behavior off in case users experienced sluggish behavior.

Another proper use of Coinhive is PublicHD, a private torrent tracker, which allows users to gain site credits by letting the site operator mine Monero on their machines.

[Image: PublicHD mining options]

Blocking cryptojacking on your computer

Users who want to block such crypto-mining scripts on their PCs have several options at their disposal.

First, users can use any decent antivirus. Most antivirus vendors have already blocked Coinhive, or at least alert on it and let the user block the script on demand.

Second, users can use an ad blocker to stop the script from executing at the browser level. To our knowledge, ad blockers like AdBlock Plus and AdGuard block Coinhive.

Third, users can use one of three Chrome extensions that block Coinhive — AntiMiner, No Coin, and minerBlock. Recently, No Coin also added support for blocking Crypto-Loot.

Fourth, users can use the classic Windows hosts file trick to block the Coinhive or Crypto-Loot domains at the OS level, so the browser can never reach the server that serves the mining script.
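The hosts file trick (and, for the ad blocker step, the matching filter rules) comes down to mapping the miner services' domains to a sinkhole address so the script is never fetched. The script below is an added example written for this article; it is not code from the article, from Coinhive, from Crypto-Loot or from any of the extensions named above. The domains in BLOCKLIST are constructed placeholders: replace them with the real miner domains from a maintained blocklist. It operates on the text of the hosts file, so it applies to the Windows file under System32\drivers\etc as well as to /etc/hosts on Unix-like systems, and it is idempotent, so running it twice does not duplicate entries or clobber overrides an administrator already added by hand.

```python
"""Merge a cryptojacking-domain blocklist into a hosts file, idempotently.

Added example for the blocking steps above; not code from the article or
from any of the services or extensions it names.
"""

# Constructed placeholder domains standing in for the miner services' hosts.
# Substitute the real domains from a maintained blocklist before use.
BLOCKLIST = [
    "miner-service-one.example",
    "cdn.miner-service-one.example",
    "miner-service-two.example",
]

# 0.0.0.0 is a non-routable sinkhole: connections fail fast instead of
# hitting whatever happens to listen on 127.0.0.1.
SINKHOLE = "0.0.0.0"
MARK_BEGIN = "# BEGIN cryptojacking blocklist"
MARK_END = "# END cryptojacking blocklist"


def mapping_fields(raw_line):
    """Split one hosts line into fields, dropping comments and blanks."""
    return raw_line.split("#", 1)[0].split()


def hostnames_in(hosts_text):
    """Return every hostname already mapped in hosts_text, under any address."""
    names = set()
    for raw in hosts_text.splitlines():
        fields = mapping_fields(raw)
        if len(fields) >= 2:
            names.update(n.lower() for n in fields[1:])
    return names


def merge_blocklist(hosts_text, domains=BLOCKLIST):
    """Return (new_hosts_text, added_domains).

    Domains already present anywhere in the file are left alone so that an
    administrator's own overrides are not duplicated; missing ones are
    appended inside a marked block that is easy to audit and to remove.
    """
    present = hostnames_in(hosts_text)
    to_add = [d for d in domains if d.lower() not in present]
    if not to_add:
        return hosts_text, []
    prefix = hosts_text if hosts_text == "" or hosts_text.endswith("\n") else hosts_text + "\n"
    block = "\n".join([MARK_BEGIN, *(f"{SINKHOLE} {d}" for d in to_add), MARK_END])
    return prefix + block + "\n", to_add


def is_sinkholed(hosts_text, domain):
    """True if hosts_text maps domain to the sinkhole address."""
    for raw in hosts_text.splitlines():
        fields = mapping_fields(raw)
        if len(fields) >= 2 and fields[0] == SINKHOLE:
            if domain.lower() in (n.lower() for n in fields[1:]):
                return True
    return False


def adblock_rules(domains=BLOCKLIST):
    """Equivalent rules in Adblock Plus filter syntax (||domain^ blocks the
    domain and its subdomains), for users who prefer the ad blocker step."""
    return [f"||{d}^" for d in domains]


# Constructed sample hosts file: the usual localhost lines plus one entry an
# administrator already added by hand, which must be preserved untouched.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "127.0.0.1 miner-service-two.example   # already blocked by hand\n"
)

if __name__ == "__main__":
    merged, added = merge_blocklist(SAMPLE_HOSTS)
    print(f"added {len(added)} entries: {added}")
    print(merged)
    print("\n".join(adblock_rules()))
```

Because the merge checks existing hostnames under any address, the hand-made 127.0.0.1 entry in the sample is kept as-is rather than being shadowed by a second line, and a second run reports nothing to add.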

And if you're too lazy, then rest assured that some companies like Cloudflare are at least booting some of these sites off their network.