
The US Federal Trade Commission (FTC) is now open to taking complaints from US users about cryptojacking, the practice of using JavaScript code to mine cryptocurrency inside visitors' browsers without notifying them in advance or asking their permission.

While cryptocurrency mining has been around for years and is the method through which new units of proof-of-work cryptocurrencies are generated, mining was usually done via special hardware rigs or custom software installed on users' computers.

Generating cryptocurrency via these two methods has usually been pretty hard, especially for malware authors, as it required tricking users into installing malware or hacking countless servers across the web.

Things changed last fall with Coinhive

But things radically changed last fall when a German company launched a web service named Coinhive that lets any website owner add a JavaScript library to their site and generate cryptocurrency by using the CPU power of site visitors, instead of the site owner's own hardware resources.

Due to its easy implementation model, which requires nothing more than loading a JavaScript library, Coinhive usage exploded last September, with the Coinhive library becoming a favorite tool among malware developers and countless copycat services popping up all over the Internet, trying to capitalize on the cryptojacking craze.

In-browser mining scripts have become today's hottest malware trend, and any crook looking for a quick profit is deploying a cryptojacking JS script on hacked sites, in gaming modules, browser extensions, desktop apps, and in any other place capable of running JavaScript code.

But despite this broad use, cryptojacking scripts are primarily a problem on the web, where users are bound to stumble upon one or more websites or malicious browser extensions that secretly try to take advantage of their PCs' computational power.

The FTC is listening

"Cryptojacking scams have continued to evolve, and they don’t even need you to install anything," the FTC said today in a statement.

"Scammers can use malicious code embedded in a website or an ad to infect your device. Then they can help themselves to your device’s processor without you even knowing.

"You might make an unlucky visit to a website that uses cryptojacking code, click a link in a phishing email, or mistype a web address. Any of those could lead to cryptojacking," the FTC added. "While the scammer cashes out, your device may slow down, burn through battery power, or crash."

Today's FTC announcement is ground-breaking. It is the first official signal from US authorities that cryptojacking done without the user's consent is treated as an illegal scam that consumers can report.

"It's a truly historic moment," Troy Mursch, a security researcher who specializes in finding cryptojacking campaigns and the co-author of the first scientific paper on cryptojacking, told Bleeping Computer today in a private conversation.

"It's the first time a US government organization has mentioned the word cryptojacking," Mursch added. "It's good to see them finally taking issues seriously and publishing that advisory."

"It will definitely help raise awareness on the issue, especially now that we've seen many governments and educational institutions affected in recent cryptojacking campaigns [1, 2]," Mursch said; he is the one who discovered both campaigns in the first place.

Anyone affected can file an FTC complaint

The FTC is now asking users who think they are/were the subject of illegal cryptojacking while visiting online websites to file an official grievance with the Agency via its regular complaints page located at ftc.gov/complaint.

"The individual user reports to the FTC I think will be helpful for the Agency to gauge the scope of the issue and hear from consumers that are affected," Mursch said.

This is not the FTC's first rodeo when it comes to illegal cryptocurrency mining operations. While it did not target in-browser (website-based) cryptocurrency mining, the FTC has taken action against illegal cryptocurrency mining in the past, twice, both times in 2015 [1, 2].

Finding, dealing with, and protecting against cryptojacking

Besides enticing users to file official complaints, the FTC has also provided the following advice for dealing with in-browser cryptocurrency threats.

✦  Follow tried-and-true advice for avoiding malware: use antivirus software, set software and apps to update automatically, never install software or apps you don’t trust, don’t click links without knowing where they lead, and be careful about visiting unfamiliar sites.
✦  Look for and close performance hogs: It can be hard to diagnose cryptojacking, but one common symptom is poor device performance. Consider closing sites or apps that slow your device or drain your battery.
✦  Consider playing defense: Some browser extensions and ad blockers say they help defend against cryptojacking, doing things like blocking mining code. These tools may be worth considering, but always do your homework first. Read reviews and check trusted sources before installing any online tools. Remember, too, that some websites may keep you from using their site if you have blocking software installed.

Besides the FTC's advice to use antivirus products and ad blocker browser extensions to block websites with hidden cryptojacking scripts, we also want to add to this list No Coin (a Chrome/Firefox/Opera browser extension dedicated exclusively to blocking cryptojacking scripts) and ZeroDot1's CoinBlockerLists (the biggest and most complete list of cryptojacking-related domains, which can be imported into many ad blocker extensions and DNS blacklist apps).
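To make the blocklist approach concrete, the following is an added example written for this article; it is not code from the FTC, Bleeping Computer, No Coin or CoinBlockerLists. It is a small Node.js scanner that takes a page's HTML, pulls out every external script load, resolves each one against the page URL and reports the ones served from a blocklisted domain or any of its subdomains, which is the same host-suffix match an ad blocker or DNS blacklist performs when fed a list like CoinBlockerLists. The blocklist here is a constructed three-entry sample (coinhive.com, the library's host at the time, plus two made-up domains), the script path under it is assumed, and the HTML page is constructed for the demo.

```javascript
"use strict";

// Constructed sample blocklist (NOT the real CoinBlockerLists): each entry
// blocks the domain itself and every subdomain beneath it.
const SAMPLE_BLOCKLIST = ["coinhive.com", "coin-hive.com", "example-miner.test"];

// Pulls the src of every <script src="..."> tag out of static HTML.
// Deliberately a regex, not a full parser: scripts injected at runtime by
// other scripts are invisible here, which is one reason Chrome's Task
// Manager (CPU column) is still worth checking alongside a blocklist.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// True when host equals a blocked domain or is a subdomain of one.
// "notcoinhive.com" must NOT match "coinhive.com", hence the leading dot.
function isBlockedHost(host, blocklist) {
  const h = host.toLowerCase();
  return blocklist.some((d) => h === d || h.endsWith("." + d));
}

// Resolves each script src (absolute, protocol-relative "//host/..." or
// page-relative) against the page URL and returns the full URLs whose host
// is on the blocklist. Malformed src values are skipped rather than fatal.
function findMiningScripts(html, pageUrl, blocklist = SAMPLE_BLOCKLIST) {
  const hits = [];
  for (const src of extractScriptSources(html)) {
    let u;
    try {
      u = new URL(src, pageUrl); // global URL, available in Node and browsers
    } catch (e) {
      continue;
    }
    if (isBlockedHost(u.hostname, blocklist)) hits.push(u.href);
  }
  return hits;
}

// Constructed page for the demo: one legitimate CDN script, one miner load
// from the blocklisted apex domain, one protocol-relative load from a
// blocklisted subdomain, and one page-relative file that must not match.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//ws.example-miner.test/miner.js" async></script>
<script src="/static/analytics.js"></script>
</head><body></body></html>`;

const demoHits = findMiningScripts(SAMPLE_HTML, "https://victim.example/");
console.log(
  demoHits.length
    ? "blocked script loads:\n  " + demoHits.join("\n  ")
    : "no known mining scripts found"
);
```

Run it with `node scan.js` after saving the block; on the constructed page it reports the two blocklisted loads and ignores the CDN and page-relative scripts. In a real deployment the blocklist would be loaded from the CoinBlockerLists file and the HTML fetched from the site under review, but the matching logic is the same.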

Bleeping Computer has also published a tutorial on how to spot cryptojacking using Chrome's Task Manager.
