March 26, 2018

Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices. This post looks at how Coinhive vaulted to the top of the threat list less than a year after its debut, and explores clues about the possible identities of the individuals behind the service.

Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on Web sites. The code uses some or all of the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine bits of the Monero cryptocurrency.

Monero differs from Bitcoin in that its transactions are virtually untraceable, and there is no way for an outsider to track Monero transactions between two parties. Naturally, this quality makes Monero an especially appealing choice for cybercriminals.

Coinhive released its mining code last summer, pitching it as a way for Web site owners to earn an income without running intrusive or annoying advertisements. But since then, Coinhive’s code has emerged as the top malware threat tracked by multiple security firms. That’s because much of the time the code is installed on hacked Web sites — without the owner’s knowledge or permission.

Much like a malware infection by a malicious bot or Trojan, Coinhive’s code frequently locks up a user’s browser and drains the device’s battery as it continues to mine Monero for as long a visitor is browsing the site.

According to publicwww.com, a service that indexes the source code of Web sites, there are nearly 32,000 Web sites currently running Coinhive’s JavaScript miner code. It’s impossible to say how many of those sites have installed the code intentionally, but in recent months hackers have secretly stitched it into some extremely high-profile Web sites, including sites for such companies as The Los Angeles Times, mobile device maker BlackBerry, Politifact, and Showtime.

And it’s turning up in some unexpected places: In December, Coinhive code was found embedded in all Web pages served by a WiFi hotspot at a Starbucks in Buenos Aires. For roughly a week in January, Coinhive was found hidden inside of YouTube advertisements (via Google’s DoubleClick platform) in select countries, including Japan, France, Taiwan, Italy and Spain. In February, Coinhive was found on “Browsealoud,” a service provided by Texthelp that reads web pages out loud for the visually impaired. The service is widely used on many UK government websites, in addition to a few US and Canadian government sites.

What does Coinhive get out of all this? Coinhive keeps 30 percent of whatever amount of Monero cryptocurrency that is mined using its code, whether or not a Web site has given consent to run it. The code is tied to a special cryptographic key that identifies which user account is to receive the other 70 percent.

Coinhive does accept abuse complaints, but it generally refuses to respond to any complaints that do not come from a hacked Web site’s owner (it mostly ignores abuse complaints lodged by third parties). What’s more, when Coinhive does respond to abuse complaints, it does so by invalidating the key tied to the abuse.

But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on.

Mursch said Coinhive appears to have zero incentive to police the widespread abuse that is leveraging its platform.

“When they ‘terminate’ a key, it just terminates the user on that platform, it doesn’t stop the malicious JavaScript from running, and it just means that particular Coinhive user doesn’t get paid anymore,” Mursch said. “The code keeps running, and Coinhive gets all of it. Maybe they can’t do anything about it, or maybe they don’t want to. But as long as the code is still on the hacked site, it’s still making them money.”

Reached for comment about this apparent conflict of interest, Coinhive replied with a highly technical response, claiming the organization is working on a fix to correct that conflict.

“We have developed Coinhive under the assumption that site keys are immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by the fact that a site key can not be deleted by a user. This assumption greatly simplified our initial development. We can cache site keys on our WebSocket servers instead of reloading them from the database for every new client. We’re working on a mechanism [to] propagate the invalidation of a key to our WebSocket servers.”
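The failure mode Coinhive describes above is a cache-invalidation problem: the front-end nodes cache the answer to “is this site key valid?”, so a key marked invalid in the database keeps being honoured by every node that already cached it, and the embedded script keeps submitting work. The following Python model is an added illustration written for this page, not Coinhive’s code; the class names, the in-memory cache, the listener-based propagation and the constructed site key are all assumptions. It runs one node that never hears about invalidation beside one that subscribes to it, and settles the ledger the way the article describes (30 percent to the service on a valid key, everything once the key is gone).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

HOUSE_CUT = 0.30  # the 30 percent the article says the service keeps on a valid key


@dataclass
class SiteKeyDB:
    """Authoritative store: site key -> payout account. Invalidation marks the row
    and notifies subscribed front-end nodes; nothing here can reach the JavaScript
    already embedded on a hacked site."""
    owners: Dict[str, str]
    invalidated: Set[str] = field(default_factory=set)
    listeners: List[Callable[[str], None]] = field(default_factory=list)

    def lookup(self, key: str) -> Optional[str]:
        if key in self.invalidated:
            return None
        return self.owners.get(key)

    def invalidate(self, key: str) -> None:
        self.invalidated.add(key)
        for notify in self.listeners:  # propagate to every node that may have cached the key
            notify(key)


@dataclass
class Ledger:
    """Work accepted per site key; who gets paid is decided only at settlement."""
    hashes: Dict[str, int] = field(default_factory=dict)

    def record(self, key: str, n: int) -> None:
        self.hashes[key] = self.hashes.get(key, 0) + n

    def settle(self, db: SiteKeyDB) -> Dict[str, float]:
        """Share of all recorded work per payee, the service listed as 'house'."""
        payout: Dict[str, float] = {"house": 0.0}
        for key, n in self.hashes.items():
            owner = db.lookup(key)
            if owner is None:  # key invalidated: nobody left to pay, house keeps all of it
                payout["house"] += n
            else:
                payout["house"] += n * HOUSE_CUT
                payout[owner] = payout.get(owner, 0.0) + n * (1 - HOUSE_CUT)
        return payout


class WebSocketNode:
    """A front-end node that caches 'key is valid' so new miner connections do not hit
    the database. With propagate=False it never learns that a key was invalidated."""

    def __init__(self, db: SiteKeyDB, ledger: Ledger, propagate: bool):
        self.db, self.ledger = db, ledger
        self.valid_cache: Set[str] = set()
        if propagate:
            db.listeners.append(self.valid_cache.discard)  # evict on invalidation

    def accept_share(self, key: str, hashes: int) -> bool:
        """True if the miner's submitted work was accepted and recorded."""
        if key not in self.valid_cache:
            if self.db.lookup(key) is None:
                return False  # connection refused: the embedded script does no useful work
            self.valid_cache.add(key)
        self.ledger.record(key, hashes)
        return True


def demo() -> dict:
    # Constructed key and account names; not values from the article.
    db = SiteKeyDB(owners={"SITEKEY-ABUSED": "abuser-account"})
    ledger = Ledger()
    stale = WebSocketNode(db, ledger, propagate=False)   # Coinhive as described above
    fresh = WebSocketNode(db, ledger, propagate=True)    # with invalidation propagated
    # Both nodes serve visitors of the hacked site before any complaint arrives.
    before = (stale.accept_share("SITEKEY-ABUSED", 100), fresh.accept_share("SITEKEY-ABUSED", 100))
    db.invalidate("SITEKEY-ABUSED")  # the response to an abuse complaint
    after = (stale.accept_share("SITEKEY-ABUSED", 100), fresh.accept_share("SITEKEY-ABUSED", 100))
    return {"before": before, "after": after, "payout": ledger.settle(db)}


if __name__ == "__main__":
    print(demo())
```

Even with propagation fixed, note what the model cannot do: the stale node stops accepting work, but the script on the compromised site still runs in every visitor’s browser until the site owner removes it. Key invalidation changes who is paid, not whether the visitor’s CPU is used.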

AUTHEDMINE

Coinhive has responded to such criticism by releasing a version of its code called “AuthedMine,” which is designed to seek a Web site visitor’s consent before running the Monero mining scripts. Coinhive maintains that approximately 35 percent of the Monero cryptocurrency mining activity that uses its platform comes from sites using AuthedMine.

But according to a report published in February by security firm Malwarebytes, the AuthedMine code is “barely used” compared to the use of Coinhive’s mining code that does not seek permission from Web site visitors. Malwarebytes’ telemetry data (drawn from antivirus alerts when users browse to a site running Coinhive’s code) determined that AuthedMine is used in a little more than one percent of all cases that involve Coinhive’s mining code.

Image: Malwarebytes. The statistics above refer to the number of times per day between Jan. 10 and Feb. 7 that Malwarebytes blocked connections to AuthedMine and Coinhive, respectively.

Asked to comment on the Malwarebytes findings, Coinhive replied that if relatively few people are using AuthedMine it might be because anti-malware companies like Malwarebytes have made it unprofitable for people to do so.

“They identify our opt-in version as a threat and block it,” Coinhive said. “Why would anyone use AuthedMine if it’s blocked just as our original implementation? We don’t think there’s any way that we could have launched Coinhive and not get it blacklisted by Antiviruses. If antiviruses say ‘mining is bad,’ then mining is bad.”

Similarly, data from the aforementioned source code tracking site publicwww.com shows that some 32,000 sites are running the original Coinhive mining script, while the site lists just under 1,200 sites running AuthedMine.
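The source-code indexing that publicwww.com performs, and the Malwarebytes telemetry cited above, both come down to recognising the miner’s embed snippet in page source and telling the opt-in variant apart from the one that mines without asking. The following Python scanner is an added example for this page, not code from Coinhive, publicwww or Malwarebytes; the hostnames, script paths and `CoinHive.Anonymous(...)` constructor it matches follow Coinhive’s public embed snippet as I recall it and should be treated as assumptions, and the three sample pages are constructed. It reports which variant a page loads, the site key that decides who receives the 70 percent, and the throttle the operator chose.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostnames, script paths and constructor names below follow Coinhive's public
# embed snippet as the author of this example recalls it; treat them as
# assumptions and refresh the list from your own telemetry.
MINER_HOSTS = {
    "coinhive.com":   "coinhive: mines without asking the visitor",
    "coin-hive.com":  "coinhive: mines without asking the visitor",
    "authedmine.com": "authedmine: opt-in prompt before mining",
}
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
HOST_RE = re.compile(r'^(?:https?:)?//([^/:]+)', re.I)
# CoinHive.Anonymous('<site key>', {...}) / CoinHive.User('<site key>', '<user>', {...})
SITE_KEY_RE = re.compile(r'CoinHive\.(?:Anonymous|User)\(\s*["\']([A-Za-z0-9_-]+)["\']')
THROTTLE_RE = re.compile(r'throttle\s*:\s*([0-9.]+)')


@dataclass
class Finding:
    script: str                # the script URL that pulled the miner in
    kind: str                  # which variant, from MINER_HOSTS
    site_key: Optional[str]    # the key that decides who receives the 70 percent
    throttle: Optional[float]  # fraction of CPU the operator chose to leave idle


def miner_host(src: str) -> Optional[str]:
    """Return the matching MINER_HOSTS entry for a script src, or None."""
    m = HOST_RE.match(src.strip())
    if not m:
        return None  # relative URL: served by the site itself, not one of the miner hosts
    host = m.group(1).lower()
    for known in MINER_HOSTS:
        if host == known or host.endswith("." + known):
            return known
    return None


def scan_html(html: str) -> List[Finding]:
    """One Finding per miner script reference found in the page source."""
    key = SITE_KEY_RE.search(html)
    thr = THROTTLE_RE.search(html)
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        known = miner_host(m.group(1))
        if known is None:
            continue
        findings.append(Finding(
            script=m.group(1),
            kind=MINER_HOSTS[known],
            site_key=key.group(1) if key else None,
            throttle=float(thr.group(1)) if thr else None,
        ))
    return findings


def mines_without_consent(html: str) -> bool:
    """True when the page loads a variant that starts mining with no opt-in prompt."""
    return any(f.kind.startswith("coinhive") for f in scan_html(html))


# Constructed sample pages; site keys and page content are placeholders.
HACKED_PAGE = """<html><head><title>News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_0001', {throttle: 0.3});
miner.start();</script></head><body>...</body></html>"""
OPTIN_PAGE = """<html><head>
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_0002'); miner.start();</script>
</head><body>...</body></html>"""
CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head><body>hi</body></html>'

if __name__ == "__main__":
    for name, page in (("hacked", HACKED_PAGE), ("opt-in", OPTIN_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page), mines_without_consent(page))
```

The same host list is what a site owner would put on a proxy or DNS blocklist, and running the scanner over your own pages on a schedule catches the case the article describes: a miner stitched into a site without the owner’s knowledge. The site key is worth recording with each finding, since it is the only value that ties an injection on your site to the account being paid.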

WHO IS COINHIVE?

[Author’s note: Ordinarily, I prefer to link to sources of information cited in stories, such as those on Coinhive’s own site and other entities mentioned throughout the rest of this piece. However, because many of these links either go to sites that actively mine with Coinhive or that include decidedly not-safe-for-work content, I have included screenshots instead of links in these cases. For these reasons, I would strongly advise against visiting pr0gramm’s Web site.]

According to a since-deleted statement on the original version of Coinhive’s Web site — coin-hive[dot]com — Coinhive was born out of an experiment on the German-language image hosting and discussion forum pr0gramm[dot]com.

A now-deleted “About us” statement on the original coin-hive[dot]com Web site. This snapshot was taken on Sept. 15, 2017. Image courtesy archive.org.

Indeed, multiple discussion threads on pr0gramm[dot]com show that Coinhive’s code first surfaced there in the third week of July 2017. At the time, the experiment was dubbed “pr0miner,” and those threads indicate that the core programmer responsible for pr0miner used the nickname “int13h” on pr0gramm. In a message to this author, Coinhive confirmed that “most of the work back then was done by int13h, who is still on our team.”

I asked Coinhive for clarity on the disappearance of the above statement from its site concerning its affiliation with pr0gramm. Coinhive replied that it had been a convenient fiction:

“The owners of pr0gramm are good friends and we’ve helped them with their infrastructure and various projects in the past. They let us use pr0gramm as a testbed for the miner and also allowed us to use their name to get some more credibility. Launching a new platform is difficult if you don’t have a track record. As we later gained some publicity, this statement was no longer needed.”

Asked for clarification about the “platform” referred to in its statement (“We are self-funded and have been running this platform for the past 11 years”) Coinhive replied, “Sorry for not making it clearer: ‘this platform’ is indeed pr0gramm.”

After receiving this response, it occurred to me that someone might be able to find out who’s running Coinhive by determining the identities of the pr0gramm forum administrators. I reasoned that if they were not one and the same, the pr0gramm admins almost certainly would know the identities of the folks behind Coinhive.

WHO IS PR0GRAMM?

So I set about trying to figure out who’s running pr0gramm. It wasn’t easy, but in the end all of the information needed to determine that was freely available online.

Let me be crystal clear on this point: All of the data I gathered (and presented in the detailed ‘mind map’ below) was derived from either public Web site WHOIS domain name registration records or from information posted to various social media networks by the pr0gramm administrators themselves. In other words, there is nothing in this research that was not put online by the pr0gramm administrators themselves.

I began with the pr0gramm domain itself which, like many other domains tied to this research, was originally registered to an individual named Dr. Matthias Moench. Mr. Moench is only tangentially connected to this research, so I will dispense with a discussion of him for now except to say that he is a convicted spammer and murderer, and that the last subsection of this story explains who Moench is and why he may be connected to so many of these domains. His is a fascinating and terrifying story.

Through many weeks of research, I learned that pr0gramm was originally tied to a network of adult Web sites linked to two companies that were both incorporated more than a decade ago in Las Vegas, Nevada: Eroxell Limited, and Dustweb Inc. Both of these companies stated they were involved in online advertising of some form or another.

Both Eroxell and Dustweb, as well as several related pr0gramm Web sites (e.g., pr0mining[dot]com, pr0mart[dot]de, pr0shop[dot]com), are connected to a German man named Reinhard Fuerstberger, whose domain registration records include the email address “admin@pr0gramm[dot]com”. Eroxell and Dustweb are also each connected to a company incorporated in Spain called Suntainment SL, of which Fuerstberger is the apparent owner.

As stated on pr0gramm’s own site, the forum began in 2007 as a German language message board that originated from an automated bot that would index and display images posted to certain online chat channels associated with the wildly popular video first-person shooter game Quake.

As the forum’s user base grew, so did the diversity of the site’s cache of images, and pr0gramm began offering paid so-called “pr0mium” accounts that allowed users to view all of the forum’s not-safe-for-work images and to comment on the discussion board. When pr0gramm first launched pr0miner (the precursor to what is now Coinhive) last July, it invited pr0gramm members to try the code on their own sites, offering any who did so a reward in the form of pr0mium points.

A post on pr0gramm concerning pr0miner, the precursor to what would later become known as Coinhive.

DEIMOS AND PHOBOS

Pr0gramm was launched in late 2007 by a Quake enthusiast from Germany named Dominic Szablewski, a computer expert better known to most on pr0gramm by his screen name “cha0s.”

At the time of pr0gramm’s inception, Szablewski ran a Quake discussion board called chaosquake[dot]de, and a personal blog — phoboslab[dot]org. I was able to determine this by tracing a variety of connections, but most importantly because phoboslab and pr0gramm both once shared the same Google Analytics tracking code (UA-571256).

Reached via email, Szablewski said he did not wish to comment for this story beyond stating that he sold pr0gramm a few years ago to another, unnamed individual.

Multiple longtime pr0gramm members have remarked that since cha0s departed as administrator, the forum has become overrun by individuals with populist far-right political leanings. Mr. Fuerstberger describes himself on various social media sites as a “politically incorrect, Bavarian separatist” [Wiki link added]. What’s more, there are countless posts on pr0gramm that are particularly hateful and denigrating to specific ethnic or religious groups.

Responding to questions via email, Fuerstberger said he had no idea pr0gramm was used to launch Coinhive.

“I can assure you that I heard about Coinhive for the first time in my life earlier this week,” he said. “I can assure you that the company Suntainment has nothing to do with it. I do not even have anything to do with Pr0gram. That’s what my partner does. When I found out now what was abusing my company, I was shocked.”

Below is a “mind map” I assembled to keep track of the connections between and among the various names, emails and Web sites mentioned in this research.

A “mind map” I put together to keep track of and organize my research on pr0gramm and Coinhive. This map was created with Mindnode Pro for Mac.

GAMB

I was able to learn the identity of Fuerstberger’s partner — the current pr0gramm administrator, who goes by the nickname “Gamb” — by following the WHOIS data from sites registered to the U.S.-based company tied to pr0gramm (Eroxell Ltd).

Among the many domains registered to Eroxell was deimoslab[dot]com, which at one point was a site that sold electronics. As can be seen below in a copy of the site from 2010 (thanks to archive.org), the proprietor of deimoslab used the same Gamb nickname.

Deimos and Phobos are the names of the two moons of the planet Mars. They also refer to the names of the fourth and fifth level in the computer game “Doom.” In addition, they are the names of two spaceships that feature prominently in the game Quake II.

A screenshot of Deimoslab.com from 2010 (courtesy of archive.org) shows the user “Gamb” was responsible for the site.

A passive DNS lookup on an Internet address long used by pr0gramm[dot]com shows that deimoslab[dot]com once shared the server with several other domains, including phpeditor[dot]de. According to a historic WHOIS lookup on phpeditor[dot]de, the domain was originally registered by an Andre Krumb from Gross-Gerau, Germany.

When I discovered this connection, I still couldn’t see anything tying Krumb to “Gamb,” the nickname of the current administrator of pr0gramm. That is, until I began searching the Web for online forum accounts leveraging usernames that included the nickname “Gamb.”

One such site is ameisenforum[dot]de, a discussion forum for people interested in creating and raising ant farms. I didn’t know what to make of this initially and so at first disregarded it. That is, until I discovered that the email address used to register phpeditor[dot]de also was used to register a rather unusual domain: antsonline[dot]de.
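The chain above (a shared Google Analytics ID, then a registrant email, then a shared server IP from passive DNS, then another registrant email) is the pivoting that threat-intelligence teams do to cluster related infrastructure, and the “mind map” is its graph. The Python below is an added example for this page, not a tool used in the research; every domain, IP, email and tracking ID in it is constructed and fictional, and the record format, threshold and function names are assumptions. It builds the graph from collected records, finds the clusters, and, for any two domains, prints the chain of evidence that links them. It also encodes the caveat the Moench section of this story illustrates: a value shared by too many domains (a registrar’s privacy-proxy address, a shared hosting IP, a name anyone may borrow) is noise, not a link, and is excluded by a threshold.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (domain, attribute kind, attribute value)

# Constructed records with fictional domains and values, in the shape an analyst
# collects from WHOIS history, passive DNS and page source.
RECORDS: List[Record] = [
    ("forum.example",  "ga_id",       "UA-000001"),
    ("blog.example",   "ga_id",       "UA-000001"),
    ("blog.example",   "whois_email", "owner@blog.example"),
    ("shop.example",   "whois_email", "owner@blog.example"),
    ("shop.example",   "ip",          "203.0.113.10"),
    ("editor.example", "ip",          "203.0.113.10"),
    ("editor.example", "whois_email", "dev@editor.example"),
    ("ants.example",   "whois_email", "dev@editor.example"),
    ("alone.example",  "ip",          "198.51.100.7"),
    ("p1.example",     "whois_email", "privacy@registrar.example"),
    ("p2.example",     "whois_email", "privacy@registrar.example"),
    ("p3.example",     "whois_email", "privacy@registrar.example"),
]

# A value shared by more domains than this is treated as noise, not evidence.
MAX_SHARED = 2

Graph = Dict[str, Dict[str, Set[Tuple[str, str]]]]  # domain -> neighbour -> linking pivots


def build_graph(records: List[Record], max_shared: int = MAX_SHARED) -> Graph:
    by_value: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for domain, kind, value in records:
        by_value[(kind, value)].add(domain)
    adj: Graph = defaultdict(lambda: defaultdict(set))
    for domain, _, _ in records:
        adj[domain]  # every domain is a node, even one with no usable link
    for pivot, domains in by_value.items():
        if len(domains) > max_shared:
            continue  # too widely shared to count as a connection
        for a in domains:
            for b in domains:
                if a != b:
                    adj[a][b].add(pivot)
    return adj


def clusters(adj: Graph) -> List[Set[str]]:
    """Connected components: each set is one group of linked domains."""
    seen: Set[str] = set()
    out: List[Set[str]] = []
    for start in list(adj):
        if start in seen:
            continue
        comp: Set[str] = set()
        queue = deque([start])
        while queue:
            d = queue.popleft()
            if d in comp:
                continue
            comp.add(d)
            queue.extend(adj[d])
        seen |= comp
        out.append(comp)
    return out


def explain_link(adj: Graph, src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of pivots from src to dst, one evidence step per hop."""
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            break
        for n in adj[d]:
            if n not in parent:
                parent[n] = d
                queue.append(n)
    if dst not in parent:
        return None
    steps: List[str] = []
    cur = dst
    while parent[cur] is not None:
        prev = parent[cur]
        kind, value = sorted(adj[prev][cur])[0]
        steps.append(f"{prev} -> {cur} via {kind}={value}")
        cur = prev
    return steps[::-1]


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for c in clusters(g):
        print(sorted(c))
    print(explain_link(g, "forum.example", "ants.example"))
```

The threshold is the part worth tuning: raise it and privacy-proxy addresses start gluing unrelated sites together; lower it and genuinely shared infrastructure is missed. Keeping the pivot on every edge, as `explain_link` does, is what lets a second analyst check each step of the chain rather than trust the cluster as a whole.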

In a series of email exchanges with KrebsOnSecurity, Krumb acknowledged that he was the administrator of pr0gramm (as well as chief technology officer at the aforementioned Suntainment SL), but insisted that neither he nor pr0gramm was involved in Coinhive.

Krumb repeatedly told me something I still have trouble believing: That Coinhive was the work of just one individual — int13h, the pr0gramm user credited by Coinhive with creating its mining code.

“Coinhive is not affiliated with Suntainment or Suntainment’s permanent employees in any way,” Krumb said in an email, declining to share any information about int13h. “Also it’s not a group of people you are looking for, it’s just one guy who sometimes worked for Suntainment as a freelancer.”

COINHIVE CHANGES ITS STORY, WEB SITE

Very soon after I began receiving email replies from Mr. Fuerstberger and Mr. Krumb, I started getting emails from Coinhive again.

“Some people involved with pr0gramm have contacted us, saying they’re being extorted by you,” Coinhive wrote. “They want to run pr0gramm anonymously because admins and moderators had a history of being harassed by some trolls. I’m sure you can relate to that. You have them on edge, which of course is exactly where you want them. While we must applaud your efficiency for finding information, your tactics for doing so are questionable in our opinion.”

Coinhive was rather dramatically referring to my communications with Krumb, in which I stated that I was seeking more information about int13h and anyone else affiliated with Coinhive.

“We want to make it very clear again that Coinhive in its current form has nothing to do with pr0gramm or its owners,” Coinhive said. “We tested a ‘toy implementation’ of the miner on pr0gramm, because they had a community open for these kind of things. That’s it.”

When asked about their earlier statement to this author — that the people behind Coinhive claimed pr0gramm as “their platform of 11 years” (which, incidentally, is exactly how long pr0gramm has been online) — Coinhive reiterated its revised statement: That this had been a convenient fabrication, and that the two were completely separate organizations.

On March 22, the Coinhive folks sent me a follow-up email, saying that in response to my inquiries they consulted their legal team and decided to add some contact information to their Web site.

“Legal information” that Coinhive added to its Web site on March 22 in response to inquiries from this reporter.

That addition, which can be viewed at coinhive[dot]com/legal, lists a company in Kaiserslautern, Germany called Badges2Go UG. Business records show Badges2Go is a limited liability company established in April 2017 and headed by a Sylvia Klein from Frankfurt. Klein’s LinkedIn profile states that she is the CEO of several organizations in Germany, including one called Blockchain Future.

“I founded Badges2Go as an incubator for promising web and mobile applications,” Klein said in an instant message chat with KrebsOnSecurity. “Coinhive is one of them. Right now we check the potential and fix the next steps to professionalize the service.”

THE BIZARRE SIDE STORY OF DR. MATTHIAS MOENCH

I have one final and disturbing anecdote to share about some of the Web site registration data in the mind map above. As mentioned earlier, readers can see that many of the domain names tied to the pr0gramm forum administrators were originally registered to an individual named “Dr. Matthias Moench.”

When I first began this research back in January 2018, I guessed that Mr. Moench was almost certainly a pseudonym used to throw off researchers. But the truth is Dr. Moench is indeed a real person — and a very scary individual at that.

According to a chilling 2014 article in the German daily newspaper Die Welt, Moench was the son of a wealthy entrepreneurial family in Germany who was convicted at age 19 of hiring a Turkish man to murder his parents a year earlier in 1988. Die Welt says the man Moench hired used a machete to hack to death Moench’s parents and the family poodle. Moench reportedly later explained his actions by saying he was upset that his parents bought him a used car for his 18th birthday instead of the Ferrari that he’d always wanted.

Matthias Moench in 1989. Image: Welt.de.

Moench was ultimately convicted and sentenced to nine years in a juvenile detention facility, but he would only serve five years of that sentence. Upon his release, Moench claimed he had found religion and wished to become a priest.

Somewhere along the way, however, Moench ditched the priest idea and decided to become a spammer instead. For years, he worked assiduously to pump out spam emails pimping erectile dysfunction medications, reportedly earning at least 21.5 million Euros from his various spamming activities.

Once again, Mr. Moench was arrested and put on trial. In 2015, he and several other co-defendants were convicted of fraud and drug-related offenses. Moench was sentenced to six years in prison. According to Lars-Marten Nagel, the author of the original Die Welt story on Moench’s murderous childhood, German prosecutors say Moench is expected to be released from prison later this year.

It may be tempting to connect the pr0gramm administrators with Mr. Moench, but it seems likely that there is little to no connection here. An incredibly detailed blog post from 2006 which sought to determine the identity of the Matthias Moench named as the original registrant of so many domains (they number in the tens of thousands) found that Moench himself stated on several Internet forums that his name and mailing addresses in Germany and the Czech Republic could be freely used or abused by any like-minded spammer or scammer who wished to hide his identity. Apparently, many people took him up on that offer.

Update, 4:14 p.m. ET: Shortly after this story went live, an update was added to phoboslab[dot]org, the personal blog of Dominic Szablewski, the founder of pr0gramm[dot]com. In it, Szablewski claims responsibility for starting Coinhive. As for who’s running it now, we’re left to wonder. The new content there reads:

“Brian Krebs recently published a story about Coinhive and I want to clarify some things.”

“In 2007 I built a simple image board – pr0gramm – for my friends and me. Over the years, this board has evolved and grown tremendously. When some trolls in 2015 found out who was behind pr0gramm, I received death threats for various moderation decisions on that board. I decided to get out of it and sold pr0gramm. I was still working on pr0gramm behind the scenes and helped with technical issues from time to time, but abstained from moderating completely.”

“Mid last year I had the idea to try and implement a Cryptocurrency miner in WebAssembly. Just as an experiment, to see if it would work. Of course I needed some users to test it. The owners of pr0gramm were generous enough to let me try but had no part in the development. I quickly built a separate page on pr0gramm.com that users could open to earn a premium account by mining. It worked tremendously well.”

“So I decided to expand this idea into its own platform. I launched Coinhive a few months later and quickly realized that I couldn’t do this alone. So I was searching for someone who would take over.”

“I found a company interested in a new venture. They have taken over Coinhive and are now working on a big overhaul.”


113 thoughts on “Who and What Is Coinhive?”

  1. das boot

    am i the only one who feels like most of the butthurt here from dei kraut krowd is about lost coinhive revenue? is it so hard to imagine that we are seeing a bunch of people getting really upset over a good thing gone bust? kind of seems that way to me

    1. dew

      You don’t seem to understand the concept: the only person receiving the revenue would be the administrator, so how exactly can the users worry about losing revenue, since they’re not losing anything at all?
      Despite the fact that the revenue isn’t lost anyway, what makes you think this way?

    2. BrianKrebs Post author

      Just received this email from a former pr0gramm fan:

      Hi,

      I just read your newest article about coinhive and pr0gramm.com. I wanted to say Thank You. It’s a great article and your researches are awesome.

      I have been a pr0gramm user for a few years now but I’m not very active since cha0s left. You are completely right about the community and how they became a right wing, racist and sexist group of people full of hate. All of this evolved within the last few years. Today you are excluded if you even try to think differently than “they” do. They became a bubble full of hateful people who can’t stop attacking minorities with their posts.

      Just to give you an example, hours after you released your article they started posting hate videos about you and are discussing about how to “punish” you for “what you have done”.
      Just look through the posts tagged with your name:

      hxxp://pr0gramm.com/top/brian%20krebs

      I am really happy that someone finally wrote something about them. But it should also start spreading through german media.

      1. dew

        It is true that parts of the community drifted to the far right, but calling it a far-right / fascist / sexist / etc. imageboard would imply that the majority of the users share these views, which is clearly not the case, as polls voted on by the users have shown. Additionally, since the administrators and moderators consist of the same people as before the mentioned resignation of former admin cha0s (and every new moderator was already registered at least 3 years before cha0s’ resignation in 2015), it is very unlikely that this political drift was provoked by the team behind pr0gramm.

        You are hosting a space for a large community which grows over 8 years and suddenly, the amount of new users joining is skyrocketing, but after a while, it seems like some (or most) of those users share some questionable political views.
        What are you going to do? Ban every single one? By hand? Shut it down after you ran it for years? Obviously not, and I don’t think the admins could nor should be held responsible for their users’ opinions.

        Fact is, overly extreme posts (such as cp, nazi content etc.) will get the OP punished with a ban, so you cannot really say this kind of content would get tolerated. And that’s really all you can do as a mod/admin.

      2. arnonym

        But you have to consider that a today’s far-right German is like an American liberal, and a German liberal equates to an American communist.

        BR

        1. Ben

          What nonsense, especially if stated so broadly. A person or political movement can be economically liberal (as in promoting every individual’s freedom to choose, contract etc. with low state intervention) while being a social conservative (believing that the state should impose certain “moral” norms that severely restrict individuals’ freedoms). Or vice versa. Or…

    1. dew

      German law only applies to German companies or servers being hosted in Germany. When a foreign company hosts a German website on another foreign country’s server, the foreign country’s laws apply.

      1. Jean Pierre

        German law applies if German users are targeted. Even if the page isn’t available in German language.

        If the German state is willing and able to enforce that law is another issue, but much more likely if the operator is German or resides in Germany.

        1. boben

          Keep thinking. If you were right, almost 99,9% of the pages available on the internet would be about to receive lawsuits from Germany because of their incomplete legal information according to German law?

      2. Chris

        @dew: The legal page claims that the legal entity behind Coinhive is a German company. So, my point was that a German company claiming responsibility comes with certain requirements as to what information they have to disclose in doing so.

  2. Canuck

    It’s clear your article has pissed off the far-right you allude to. You can see it in their standard feces-flinging posts filled with anger and nonsense; predictable lot they are.

    1. deception

      What’s funny about this is that for all the butthurt being shown by the pr0gramm community, their beloved Herr Gamb probably could have saved everyone a lot of heartache by simply saying up front what he already knew to be true — that Szablewski/cha0s was int13h — the creator of Coinhive. The fact is that it took this story to be printed for Szablewski to admit this publicly.

      Actually, Szablewski himself could have said this up front when Krebs asked him before running the story. Either way, Coinhive is now taking steps to clean up the abuse of its platform, and has become more transparent as a result. Hard to see how any of this is a bad outcome.

  3. Sam

    Many commenters here seem to be missing a crucial point. If Gamb is the current administrator of pr0gramm(dot)com — which he is — there is no way that the former admin (cha0s) could have run his early Coinhive experiments (pr0miner) without the knowledge and permission of Gamb and any others running pr0gramm.

    Thus, Gamb et al. 1) knew exactly who the Coinhive founder was way back when this started in July 2017 and 2) lied to Krebs when he said they didn’t know who was involved in Coinhive, and tried to say they had no part in it.

    It’s obvious from this story that the pr0gramm admins were deeply involved in Coinhive to start, and any sort of statements to the contrary are just after-the-fact bitching about poor past decisions and a not-very-well-thought-out execution.

    1. Bran

      Yea, they knew. But why would I tell a guy like Krebs the truth about people I know or don’t know? It’s none of his business. The people of Coinhive never did anything illegal, why would I give their identity to some shady online “journalist” whose only journalistic work seems to be using a Maltego account to doxx people…

      1. Jeroen

        > The people of coinhive never did anything illegal

        Debatable. A revoked key instead of 30% of Monero, yields 100% of the profit.

        1. Klonk

          I agree to some extent. But this was basically a startup, so their first priority was to get it stable/usable. They didn’t implement canceling of accounts yet. I think that’s a plausible answer for a startup. You just want to grow first / add important new features. Cancelling/deactivating accounts isn’t a top priority in this, especially when there’s a high demand for the service and you can barely keep up with installing new servers. They basically just provided a workaround in order to limit the damage by reallocating the funds. It could have been realized in a better way for sure, and they did that later on as far as I understood. In the end you can’t solve all issues at once (growth, development of platform) with a limited amount of people and have to prioritize. They decided to grow instead of implementing the deactivation feature. In hindsight this was the wrong choice. I guess that’s just a different point of view, when you’re assuming they didn’t want to cheat people.

          1. Mahhn

            You got most of it right, but you forgot about the people that the mining software is running on without their permission. This is the crime/problem.
            Hopefully they will make changes, and can make money without problems.

  4. Shreez

    Great article Brian.

    Your finely honed skills at sniffing out information and piecing it together never cease to amaze me.

  5. Exo

    *ironic clapping*
    Well done…

    You are destroying the lives of people for publicity.
    Blaming developers for creating a technology which hackers or web developers use without consent of their users. This is just disgusting.

    This is doxxing at its finest, threatening people on the internet to get your information and piecing it loosely together. Most of your article is very questionable because it depends on statements made by Murat, whom you contacted on Twitter. Murat was trolling you, which you knew, but you didn’t care. You just threatened him afterwards and included his information anyway.

    What we have here is a ruthless wannabe journalist seeking fame.

    1. Klonk

      My favorite part is the membership in the foot fetish site. This is really adding a lot of value to this investigation. A nice side effect is that it could damage the reputation of the person as well (e.g. if the employer/colleagues are seeing that). Although we don’t even know if it’s the same person, as only the account names match.

  6. Dan Tranmere

    I notice that the trolls have now taken to vandalising Krebs’ Wikipedia page. Obviously the main butthurt customers of Coinhive here are 14-year-old boys.

    1. JustTrolls

      We are not customers of Coinhive, we are an online community that posts memes…

    2. Jerry Mueller

      Wikipedia could have been the main source of this “investigation”. Everything worth mentioning has been public on the German Wikipedia Coinhive article since Nov. 2017.

  7. IFuckYourBusiness

    The internet will kill your business, stupid dumbfuck. bye bye shield.

    1. Agent Phil Coulson

      “bye bye shield”???

      Must be Hydra. Thought we got rid of you guys.

  8. Mahhn

    Glad to see Dominic’s post as an update to the story. Sucks he got bullied out of his own forum.

  9. vb

    Using permission-based mining as a micropayment system might be a workable business model. I might use such a system for an ad-free website provided the mining process was transparent and under my control.

  10. Gabe Mouris

    Great tech, this miner. I wondered how to implement it on my own site for quite some time…

    Is there any formal contact information of the authors of coinhive? How usable is it in its current state?
    Thanks for bringing this to my attention.

    Well researched article, btw, although I’d like to see a distinction between software that is a) intended for malicious use = malware (which is what I’m getting from this article) and b) software that can but doesn’t necessarily need to be used for malicious use. This sounds a bit like a rant about a wood chopper’s axe because it was used for killing people.

  11. thewhistleblower

    Today the owner and administrator of pr0gramm.com confirmed that int13h is cha0s.
    He also confirmed that Coinhive was started and developed by him (cha0s). (It sounds to me like a confirmation.)
    First of all he presented you there quite negatively and triggered a small indirect rush on your person.
    The users started to report you on various platforms.
    There are now at least 100 posts on the imageboard where you are insulted, which Gamb apparently tolerates, since the pictures are not deleted.
    But Gamb has no problem with that, he triggered it.
    Various plans are being made to silence you; DDoS and other ways are being considered.
    To be honest, I don’t like the pr0gramm, it’s all mischief.
    After Gamb noticed what he triggered today, he wrote to the users to stop insulting you etc., although he knows exactly what he was doing (the triggering of the chase against you).
    In my opinion, with Gamb/Cha0s you have found exactly the right ones who are responsible for Coinhive. But I’m not sure, you should have a look at Gamb’s concession today.

    Personally, I want to thank you for your work. I was also very interested in who is behind coinhive.
    I can’t prove it, but Gamb’s text today sounds like a concession to me.
    hxxp://img.pr0gramm.com/2018/03/26/6300254f309e8f69.png

  12. Anonymous

    For full disclosure, I am a pr0gramm user going by another name (not as “Anonymous”). From what I know, after the Coinhive project was set up on pr0gramm, it was taken WITHOUT PERMISSION by cybercriminals who put the code on their websites without any text about there being any mining or about where it was taken from. This is likely a violation of German criminal law (“Computersabotage”, §303b StGB), as it runs without asking in the background.

    The original use on pr0gramm was done only on a specific pr0miner link, meaning that the users who clicked that link knew this code was running.

    From the criminal activity, Coinhive’s reputation was damaged to where it is now. However, it never was the intent of any pr0gramm or Coinhive people that the code is used for criminal purposes. German law allows such mining operations only with permission of the user or owner of the computer (the user might not legally be able to permit it, such as when he works in a company and the company computers would be used, so the user of the computer might face repercussions for allowing it to be used to mine cryptocurrency – but this is not of relevance to the topic at hand).

    The thing is, Coinhive blew up beyond what was intended, it was abused by criminals, but it is not criminal in itself. That, at least, is my honest impression as a user of the pr0gramm.

    I also want to distance myself from all the comments that – I have seen one, but not searched for it – ask for any “punishment” that is in violation of German law; this includes any kind of physical threats. I believe that, if a violation of laws occurred, it should be settled by the use of the legal system, not by use of criminal activity, which indeed would remind one of gang violence at this point.

    I have seen you were once victim of SWATting, and I can understand your fears, but I also believe that the pr0gramm staff has reason to fear terroristic attacks by left-extremists. So I want you to understand their situation also. This, of course, does not excuse the behavior of anyone who calls for violence and should not be misinterpreted as such. Rather I want to say that by exposing their real identities you might have caused them harm beyond what is necessary for the “exposure” of Coinhive.

    1. Canuck

      fear terroristic attacks by left-extremists

      If you are going to lie, at least try to make it believable. Statistics for Europe and N. America show that the far-right commits many magnitudes more attacks than your boogeyman.

      1. Operator_Bob

        Not true at all for Europe’s German-speaking area which has a tradition of alt-left violence since the 70’s.

  13. Jeff

    Incredible content Brian. I enjoy your articles as I feel like I’m gaining weeks or even months of work in just reading one article. Keep up the great work, I learned a lot from this one.

    1. Not Sure

      Doesn’t it work on Linux?
      I just visited the site with Firefox and Intel graphics and don’t see anything. Neither rising CPU temperature or load, nor increased power consumption.

  14. new

    I don’t understand.
    What is illegal about Coinhive?
    I’m a CS student and maybe I’m overlooking something but why is it malware if the browser is mining with the consent of the site visitor.
    Of course if it’s without the consent of the user that might be problematic, but with consent this might even be a great technology for an adfree internet.
    For example, instead of being annoyed by ads your browser could mine at 10% of your CPU power.

    Or am I overlooking something..?

    1. CrashMan

      You are overlooking something. If you read the article you will find information such as:

      “But according to a report published in February by security firm Malwarebytes, the AuthedMine code is “barely used” compared to the use of Coinhive’s mining code that does not seek permission from Web site visitors.”

      1. new

        Yes I’ve read the text again, now I understand.

      2. Matt

        Yes, exactly. They are over-exaggerating the situation; it might be possible in the future but surely not now or in the near future.
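
The distinction raised in this thread, between the opt-in AuthedMine script and the Coinhive script that mines without asking, is something a site owner can check for on their own pages. The scanner below is an added example written for this comment section, not code from the article or from Coinhive. It assumes the library hosts of the time (coinhive.com for the silent variant, authedmine.com for the opt-in one) and the public constructor names CoinHive.Anonymous / CoinHive.User; the HTML it scans is constructed sample input, and the site key in it is a placeholder.

```python
"""Audit an HTML page for embedded Coinhive-style miner scripts and report
whether the variant found asks the visitor for consent (AuthedMine) or not.
Added example; hosts and API names below are assumptions from the era."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SILENT_HOSTS = {"coinhive.com"}     # miner starts without asking the visitor
OPT_IN_HOSTS = {"authedmine.com"}   # AuthedMine variant: prompts before mining

# Constructor names from the public Coinhive JS API of the time (assumption).
INLINE_MARKER = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")


def _host_matches(host, hosts):
    """True if host equals or is a subdomain of any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._buf = None  # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def scan_page(html):
    """Return (kind, evidence) tuples; kind is 'silent', 'opt-in' or 'inline'."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # relative paths have no hostname and are skipped.
        host = (urlparse(src).hostname or "").lower()
        if _host_matches(host, SILENT_HOSTS):
            findings.append(("silent", src))
        elif _host_matches(host, OPT_IN_HOSTS):
            findings.append(("opt-in", src))
    for body in parser.inline:
        m = INLINE_MARKER.search(body)
        if m:
            findings.append(("inline", m.group(0)))
    return findings


def verdict(html):
    """Summarise a scan: the silent variant outranks the opt-in one."""
    kinds = {kind for kind, _ in scan_page(html)}
    if "silent" in kinds:
        return "silent-miner"     # mines without consent: treat as injected
    if "opt-in" in kinds:
        return "opt-in-miner"     # AuthedMine: visitor is asked first
    if "inline" in kinds:
        return "miner-api-only"   # API call seen but library host not recognised
    return "clean"


# Constructed sample pages (not captured from any real site).
SAMPLE_SILENT = """<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.5 });
  miner.start();
</script></head><body>hello</body></html>"""

SAMPLE_OPT_IN = """<html><head>
<script src="//authedmine.com/lib/authedmine.min.js"></script>
</head><body>opt-in page</body></html>"""

if __name__ == "__main__":
    for name, page in (("silent", SAMPLE_SILENT), ("opt-in", SAMPLE_OPT_IN)):
        print(name, verdict(page), scan_page(page))
```

Running the module prints `silent-miner` for the first sample and `opt-in-miner` for the second. The scan is deliberately host-based: an injected copy of the miner usually keeps the script URL, and matching only the hostname means the library path or version does not matter. Pages that load the library through a different CDN or an obfuscated loader will only show the inline API call, which is why that case gets its own verdict rather than being reported as clean.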

  15. Hans Müller

    Maybe they forgot to put a dot between 3 and 5. Cause 3.5 percent would fit.

  16. x

    It might be worth noting that Mr. Fuerstberger also probably maintains connections to Hells Angels. His (former?) Facebook profile picture was made by a member.

  17. someoneiknow

    Lots of Russian government trolling going on here. We can see the future. Russian oligarchs and government etc., like the little child crying wolf.

  18. Zuschauer

    Everything you investigated is correct. Keep going.

  19. Sleeper

    As my comment from a moment ago seems to be awaiting moderation, please just delete it (and this one as well). I hadn’t seen that there is already a complete article covering that topic. 🙂

  20. rewardedessays

    I have long been interested in crypto currency and everything connected with it. I have almost all my savings in Bitcoin. I think it’s reliable.

  21. Vulcano

    I have a lot of interest in the encrypted currency and everything related to it. I really enjoyed reading.

  22. Tim McGuinness

    Can you please contact us? Would like to discuss collaboration?

  23. lold

    This is why WHOIS is so important, without it all cyber criminals and spammers get a free pass.

    GDPR should not influence WHOIS regulation but it is and with ICANN taking away the strict requirement to publish WHOIS data many registries have already blocked WHOIS (.pk for example).

    Looks like pr0gramm has tightened its forum even more after this article. You can’t view comments now without being registered; and for registration you need invites which also have been restricted; earlier you could pay for registration that’s also not available now.

    Also, the reason why Coinhive became so popular is because The Pirate Bay used it and TPB only got to know about it from a post by pr0gramm on Hackernews: https://news.ycombinator.com/item?id=15246145

    >both incorporated more than a decade ago in Las Vegas, Nevada: Eroxell Limited, and Dustweb Inc.

    From Nevada’s SOS I could see that only Dustweb Inc. was registered in 1999 and dissolved in 2003. I cannot see a record for Eroxell in Nevada nor in any other country.

    Even the domain eroxell.com is now owned by a Chinese guy. (Since Eroxell.com is still in the current WHOIS for pr0gramm, it is in violation of the WHOIS policy).

    PS: Some goo.gl links in the mind map are not working.

Comments are closed.