February 27, 2019

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

A message posted to the Coinhive blog on Tuesday, Feb. 26, 2019.

In March 2018, Coinhive was listed by many security firms as the top malicious threat to Internet users, thanks to the tendency for Coinhive’s computer code to be surreptitiously deployed on hacked Web sites to steal the computer processing power of its visitors’ devices.

Coinhive took a whopping 30 percent of the cut of all Monero currency mined by its code, and this presented something of a conflict of interest when it came to stopping the rampant abuse of its platform. At the time, Coinhive was only responding to abuse reports when contacted by a hacked site’s owner. Moreover, when it would respond, it did so by invalidating the cryptographic key tied to the abuse.

Trouble was, killing the key did nothing to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key was invalidated, Coinhive would simply cut out the middleman and proceed to keep 100 percent of the cryptocurrency mined by sites tied to that account from then on.

In response to that investigation, Coinhive made structural changes to its platform to ensure it was no longer profiting from this shady practice.

Troy Mursch is chief research officer at Bad Packets LLC, a company that has closely chronicled a number of high-profile Web sites that were hacked and seeded with Coinhive mining code over the years. Mursch said that after those changes by Coinhive, the mining service became far less attractive to cybercriminals.

“After that, it was not exactly enticing for miscreants to use their platform,” Mursch said. “Most of those guys just took their business elsewhere to other mining pools that don’t charge anywhere near such high fees.”

As Coinhive noted in the statement about its closure, a severe and widespread drop in the value of most major crytpocurrencies weighed heavily on its decision. At the time of my March 2018 piece on Coinhive, Monero was trading at an all-time high of USD $342 per coin, according to charts maintained by coinmarketcap.com. Today, a single Monero is worth less than $50.

In the announcement about its pending closure, Coinhive said the mining service would cease to operate on March 8, 2019, but that users would still be able to access their earnings dashboards until the end of April. However, Coinhive noted that only those users who had earned above the company’s minimum payout threshold would be able to cash out their earnings.

Mursch said it is likely that a great many people using Coinhive — legitimately on their own sites or otherwise — are going to lose some money as a result. That’s because Coinhive’s minimum payout is .02 Monero, which equals roughly USD $1.00.

“That means Coinhive is going to keep all the virtually currency from user accounts that have mined something below that threshold,” he said. “Maybe that’s just a few dollars or a few pennies here or there, but that’s kind of been their business model all along. They have made a lot of money through their platform.”

KrebsOnSecurity’s March 2018 Coinhive story traced the origins of the mining service back to Dominic Szablewski, a programmer who founded the German-language image board pr0gramm[.]com (not safe for work). The story noted that Coinhive began as a money-making experiment that was first debuted on the pr0gramm Web site.

The Coinhive story prompted an unusual fundraising campaign from the pr0gramm[.]com user community, which expressed alarm over the publication of details related to the service’s founders (even though all of the details included in that piece were drawn from publicly-searchable records). In an expression of solidarity to protest that publication, the pr0gramm board members collectively donated hundreds of thousands of euros to various charities that support curing cancer (Krebs is translated in German to “cancer” or “crab.”)

After that piece ran, Coinhive added to its Web site the contact information for Badges2Go UG, a limited liability company established in 2017 and headed by a Sylvia Klein from Frankfurt who is also head of an entity called Blockchain Future. Klein did not respond to requests for comment.


14 thoughts on “Crypto Mining Service Coinhive to Call it Quits

  1. Dennis

    Wow, good news for a change!

    Maybe the internet will be just a little bit cleaner without a trash site like that.

  2. The Sunshine State

    I just read about this on bleepingcomputers(.)com

  3. Readership1

    The fact that they can’t sustain a business now that criminals have less use for it, should make it pretty obvious that Coinhive was always intended as a criminal enterprise.

    Rather than adjust their fees and try to expand their customer base, they give up a pretty simple profit stream?

    They don’t sell the company to a rival?

    This reeks of Mt. Gox and other crypto scams, where owners take the money and flee.

    I predict KOS will be writing about their indictments in a few months.

    1. Sun

      Really, why is that? There are other crypto businesses shutting down because of crypto winter. Based on your logic, any business that closes because of financial difficulty is a criminal enterprise?

      1. Readership1

        Any business that can’t survive after criminals leave its customer base is not legitimate. It was either intended to be a criminal enterprise from the start, or amazingly naive.

        And they don’t seem naive.

  4. JimV

    I’m thinking they’ll be back in a different form when they can figure out how to get past the hurdle of the major drop in recent cryptocurrency values, i.e. tweak the scam just enough to bring v2.0 to market.

    1. sun

      I don’t know why you call it a scam. It was a legitimate business model although people used the service on machines that did not opt-in. The code was already out there to use the non-opt in model.

  5. sun

    There’s a similar service called jsecoin that runs off javascript but uses very little CPU resources. jsecoin is designed better and can be used by webmasters that may want something to help cover costs. And this one, the visit has to opt-in.

  6. John

    It’s a big relief. Coinhive made the mining bit easy for the script kiddies.

  7. Mpalanyi

    Who cares about this whole talk? May be we can rise with CoinIMP.
    It’s not the end anyway! I’ll continue trying out my chances right

Comments are closed.