March 31, 2019

For the second year in a row, denizens of a large German-language online forum have donated more than USD $250,000 to cancer research organizations in protest of a story KrebsOnSecurity published in 2018 that unmasked the creators of Coinhive, a now-defunct cryptocurrency mining service that was massively abused by cybercriminals. Krebs is translated as “cancer” in German.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted thousands of thank you receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”).

All told, thousands of Pr0gramm’s members donated more than USD $250,000 to cancer cure efforts within days of that March 2018 story. This week, the Pr0gramm administrators rallied members to commemorate that successful fundraiser with yet another.

“As announced there will be a donation marathon at anniversary day of Krebsaction,” Pr0gramm’s administrators announced. “Today, March 27th, we’re firing the starting shot for the marathon. Please tag your donation bills properly if they shall be accounted. The official tag is ‘krebsspende.’”

According to a running tally on Pr0gramm’s site, this year’s campaign has raised 252,000 euros for cancer research so far, or about USD $284,000. That brings the total that Pr0gramm members have donated to cancer research to more than a half-million dollars.

As a bonus, Coinhive announced last month that it was shutting down, citing a perfect storm of negative circumstances. Coinhive had made structural changes to its systems following my 2018 story so that it would no longer profit from accounts used on hacked Web sites. Perhaps more importantly, the value of the cryptocurrency Coinhive’s code helped to mine dropped precipitously over the past year.


67 thoughts on “Annual Protest Raises $250K to Cure Krebs”

  1. Dave

    So just to make sure I’ve got this straight, you exposed some scammers and in response they ran a collection for charity? Twice?

    Has anyone confirmed that these donations are actually going to charity and not to the scammers? Just wondering, because dkms.de is in Ireland, and Deutsche Krebshilfe is krebshilfe.de.

    1. Chris

      He exposed some shady stuff regarding Coinhive, e.g. them profiting from hacked websites where code was inserted that generated crypto-currency without visitors or the owners knowing.
      While the Coinhive Guys didn’t hack those sites or whatever, they still got profit from it and didn’t actively suppress or work against profit from hacked sites. There were some connections between the Coinhive Admins and some Admins (I think?) from the Imageboard. I am not a 100% sure what exactly the connection was, but I think some of the Coinhive Guys also ran the Imageboard.
      The Imageboard Guys were not happy to have their data exposed (although it was technically publicly available?) – In Germany Privacy is valued higher/differently than in America though, the Outrage is kind of a cultural thing. In Germany you usually also do not expose the Names of accused criminals until proven guilty in a court, just to give you some insight on why those peeps react the way they do.
      Regarding if the charity actually receives the money – Yes, they do. The money isn’t really collected by pr0gramm, instead every individual user donates the money directly to the charity and only posts the receipt afterwards, which is then (manually? not sure how they do it) counted and added to the total donation sum.
      The charities themselves are well known and legit, so no scam there 🙂 All in all.. I mean… if you wanna protest.. that’s the way to go I think.

      1. Dragongard

        They count the sum over tags. You can up and downvote tags on that imageboard so the euro tag with the highest upvotes is probably the right one.

        If someone tries to scam with wrong tags, they will get banned. To gain access to this imageboard you have to be invited or have to pay 14 euro so it’s pretty safe.

        1. Trelo

          To correct you on that one:
          They let a crawler search for multiple tags of donations. This crawler then provided it to an interface where they manually reviewed it 3 times. Using the tags would be pretty short thought.

    2. Patrick

      The users donate directly to the charities. Dkms was chosen because some members of pr0gramm shared stories on how they donated bone marrow.

    3. Kellerkind

      Yes it is genuine.
      And the protest is not because of the scammers, but because our mods were targeted!

      1. lol

        Your mods are scammers. What about the privacy of their victims? You wouldn’t care about that, of course.

    4. mistermeeseeks

      The community started the donations and the members choose to which organisation they want to donate. Then they post a screenshot of the bill and upload it.
      It’s 100% legit, I’m a member of the community and I also know the different organisations.
      They did’nt invented coinhive to scam people, but to implement it on the website so some users could voluntary use it in order to get premium. It later was used as a scam and Krebs also doxxed some operators of pr0gramm who didn’t worked on coinhive, as far as i know.

      1. Mike S.

        “They did’nt invented coinhive to scam people.” — You actually expect anyone outside your little group to believe this BS.

        “Krebs also doxxed some operators of pr0gramm who didn’t worked on coinhive” — Doxxed them??? He stated their names which was already available publicly anyway. You Germans do realize that there is no other society on Earth that treats publicly available information as a matter of privacy. Your pathology has led to the EU passing some ridiculous laws that are only going to make cyber crime worse and the criminals harder to find. Maybe we should send you the bill.

        1. US-SUX

          It might help you to understand the European mindset. We value among other things honesty, compassion and privacy, values you Ameriturds lacks an understanding of. Just look at your president, the Orange Emperor.

          1. Just an Average Ameriturd

            “We value among other things honesty, compassion and privacy, values you Ameriturds” — From your comment and your username, it seems you’re very compassionate… great job, 10/10, would hypocrisy again.

          2. Stu Padasso

            “Compassion” is something you value? Hmm, I don’t see where calling people names and having a username like that is compassionate. Seems to me like you’re inexcusable to judge others for the same things you’re judging them for.

          3. LOL

            Oh the irony in your comment. You sure are showing lots of compassion in your comment and username.

          4. Jon

            Yes, Europe values honesty, compassion, and privacy. Just read a little European history.

          5. Gergio

            I think there is a misunderstanding here. What these users had was not privacy, but lack of publicity. Those are not the same thing. I think everyone cares about lack of publicity. But most don’t care about privacy.

            Think of it this way: no one expects to have any privacy while they are shopping in public. If some one sees them and recognizes them, they haven’t had their privacy violated. However, if there are a crowd of photographers and videographers shouting questions at them and live streaming the whole thing to an audience of millions, well that is publicity. Most people don’t want that.

          6. Anya

            US-SUX said: “ We value among other things honesty, compassion and privacy, values you Ameriturds lacks an understanding of. Just look at your president, the Orange Emperor.”
            First of all, what a laugh for someone going by the name US-SUX to preach that they’re a culture of compassion and honesty while in the same breath namecalling Americans. You cannot get more hypocritical than that!

            Slandering an entire populace of over 320 million people because of said Orange Emperor is absolutely childish and speaks more about you being a close-minded numpt. If going by your extremely skewed big0ted, blanket statement of logic, then we should define all elderly and deceased Germans as loving a crazy Moustached Diktat and all their German offspring living today are simple little diktats in the making? I suppose I should think all Russians are nihilists, Venezuelans helpless fools, Somalians are all ruthless pirates, and every French and Italian man is either a wimp with a Napoleon-complex or an over-coddled mama’s boy. (I know none of it is true but, hey, you’re the one choosing to perpetuate ignorant stereotypes of individuals based solely on a nation’s current leadership).
            Your alleged “altruism” is not pure but rather a convoluted German arrogance, herd mentality spiked with absurditude and wilful misunderstanding of anyone or thing you view as different than you. Perhaps the German stereotype isn’t so far off after all.

            BTW, I loathe the Orange One, so do not for one second think this is in defence of that idjit.

        2. Steve G.

          You are as ignorant as you are pathetic. A masterpiece.

        3. peter

          It’s not so hard to find the criminals. They crossed the Atlantic a few hundred years ago. We know where they are

      2. Mrs. Emma Jean Sporkens

        To me, if the inventors of this programm allowed it to be used for harm, then their motive is clear.

        What is a doxx?

        Emma Jean

        1. TimH

          Doxx is plural of dox. As in, get your doxx in a row. In this case, row is pronounced raauw, because it all cause a bit of a stink.

  2. Felix

    You can be sure that the money will reach the organizations. The money is not transferred to the website, but directly from the people to a desired organization. Only the Paypal confirmation or similar will be published as proof that the person has donated money.

    There are also Facebook entries about the massive donations from the German krebshilfe. Last year there were so many people that the website went offline.

    At the first action the responsible person did not know what was going on. With every donation he receives an SMS; on one day he has received several thousand SMS.

    https://m.facebook.com/story.php?story_fbid=2556348221059689&id=1405929412768248

  3. jo

    It’s true. The organisations published statements about it

  4. Answear to Dave

    lol Dave, serious question… are you dumb?
    There was never „a bunch of scammers“

    1. Dave

      Here’s my “answear”… yes, I’m equally as dumb as someone that can’t spell “answer” correctly.

  5. The Sunshine State

    Krebs is a disease on cyber criminals

    1. Rube Goldberg's Razor

      Giving cyberthieves a nasty case of the Krebs, eh? No, wait – a digital-age remake of the Stallone vehicle Cobra: “You’re the malware (aims keyboard, hits enter) . . . I’m the patch!” (Fade to blue screen of death)

      1. bofo

        “Giving cyber thieves a nasty case of the Krebs”
        Brilliant 😀 Brian has to use this

  6. C/od

    Change it to Mr. WOLFMAN.
    yuk, he he.
    No confusion.

  7. larry morgan

    Fabulous humorous twist on a story. Even cybercrooks have a sense of humor and use it to try to twist around who is the villain.

    1. hmmm

      Selling guns doesn’t make you an accessory to murder.

      Selling software doesn’t make you an accessory to fraud.

    2. Steve G.

      Are you serious? You have no grasp on the whole story it seems.

  8. William

    To maybe give some insight into what happened from a pr0gramm-user’s point of view.

    Krebs published the name of the creator of CoinHive. That’d be illegal in Germany, and rightly so, but fine, I guess he deserves it.

    The CoinHive creator was the former administrator of pr0gramm.com. The current administrators of the site know him, but were not involved in the creation of CoinHive. They did allow him to test CoinHive on their platform, however the users were not scammed – they had to open a dedicated link and thereby consent to the utilisation of their resources. It was actually framed as a game, where you could deliberately dedicate your computing resources to “feed admins”, as it were, and earn “pr0mium” time. All of this contributed greatly to the view among us pr0grammers that Krebs had done the current administrators injustice. Hence the protests.

    Make of this what you will, but given that CoinHive itself is not the problem, but its abuse by actual scammers, I find it unjustified to publish the names of the current administrators. Doxxing is generally a shady tactic, but it’s detestable when done to people who have done nothing wrong.

    1. Anon404

      CoinHive itself WAS the problem. The owners relied on scammers and they knew damn well that that was where a majority of their income came from. And, to top it off, when someone reported an account of a scammer, CoinHive then disabled that account’s token, so the scammer no longer got paid, but instead started pocketing that scammer’s ill-gotten gains themselves. Once exposed and once the scammers left the site, they were forced to shut down. Their entire success was built upon facilitating cybercrime.

      1. Blubb

        What he meant by coinhive wasn’t the problem is, that it wasn’t the problem that caused outrage by the community. It was caused because Brian had published information that was simply wrong e.g. saying that the community got overrun by far-right people.

        The community is very diverse with every point of view represented on it. If the majority of members would have thought that the accusations Brian made were right or at least necessary for the article, there would’ve been no such protest against him.

    2. Robert.Walter

      I’m not convinced there wasn’t some kind of kickback going to the board owners from Coinhive dude. Nobody allows something like that without an incentive or vested interest.

  9. Measure for Measure

    From Krebs’ original article:

    “What does Coinhive get out of all this? Coinhive keeps 30 percent of whatever amount of Monero cryptocurrency that is mined using its code, whether or not a Web site has given consent to run it. The code is tied to a special cryptographic key that identifies which user account is to receive the other 70 percent.”

    So Coinhive took a commission off of any activity, legal or otherwise. ISTM that they were definitely part of the problem.

    Also from the article:

    “Let me be crystal clear on this point: All of the data I gathered (and presented in the detailed ‘mind map’ below) was derived from either public Web site WHOIS domain name registration records or from information posted to various social media networks by the pr0gramm administrators themselves. In other words, there is nothing in this research that was not put online by the pr0gramm administrators themselves.”

    That doesn’t look like a Dox to me.

    1. Benson

      Coinhive was a company. And companies have to make money. So it’s not wrong to charge a fee for a service that you provide.
      It’s no difference to ad-placements on hacked sites. These agencies can’t prevent misuse either. There isn’t really a good way to validate rightful ownership of thousands of websites…

      1. BrianKrebs Post author

        Nobody knew Coinhive was a German “company” until my story, after which it was forced to obey German law and list contact information on its site.

        As I stated in previous stories on this subject, pr0gramm’s co-founders were given an opportunity to respond to my questions, and they lied to me, and then proceeded to get upset when I printed what they told me. You can’t have it both ways.

        Also, if Coinhive really was a company, it should have no problems with a reporter naming its owner(s).

        1. Falcon

          You’re inside these guys’ heads so much they want to charge you rent. It’s pretty hilarious. Keep it up!

          1. Measure for Measure

            LOL.

            Dude. Krebs is a journalist. Reporting on various malware providers is how he makes his living. Coinhive isn’t the only bad actor, or even the most interesting one. The only thing mildly diverting are their hapless and ill-informed followers.

        2. nobody

          just because you think it’s ok to go about publicly naming them and dropping info in regards to them does not necessarily mean that you were right, or legally backed by doing so

          1. NickDanger

            @markus – and what makes you think that Krebs is bound by German laws, given that he doesn’t actually live in Germany, and in fact lives in an entirely different country on a completely different continent? I know it must be hard for you to grasp, but there ARE actually parts of the world that are NOT Germany, and which actually have their own laws which don’t necessarily match up with German laws (particularly the more excessive, idiotic “privacy” laws that you seem to be fond of). Shocking, I know!!!

            1. YankeeGoHome

              Seeing the behaviour of all you Yankees, we know you think you’re not bound by any law. Policeman of the world, the indispensable nation… Makes me sick

          2. andhol

            >Don’t you think to breakt the german law, §186 to §187 StGB is a little unlawful?

            In germany it would be lol

  10. Jeff G

    Funny to think that in under 2 years, the EU will be partitioned from the rest of the Internet due to Article 13 legislation.

    The EU will be placing themselves behind a new Cyber Iron Copyright Curtain.

    1. nobody

      even funnier to think that if in a few years, the us adopts something similar to article 13, krebs wont be able to publish stories like this where-in he doxxes individuals over mere speculation with no technical evidence, because he will be in violation of the law by doing so.

      1. MattyJ

        Clearly, “article 13” is a European dog whistle. It has absolutely zero to do with aggregating publicly available information on people. Which is not and has never been doxxing.

        1. nobody

          when a good amount of the information was obtained from attempting to contact them, yet there were no requests in regards to whether or not the information could be published, let alone credibly verified, he’s basically just given them the leverage they would need to come after him under article 13

          1. NickDanger

            @nobody – oh look, another pr0gram defender who apparently doesn’t understand “little” things… like how countries, laws, and legal jurisdictions work.

      2. bofo

        “the us adopts something similar to article 13, krebs wont be able to publish stories like this where-in he doxxes individuals over mere speculation with no technical evidence, because he will be in violation of the law by doing so.”

        When crayfish (“Krebse”) whistle 🙂

        1. nobody

          Article 13
          EU GDPR
          “Information to be provided where personal data are collected from the data subject”

          => Article: 30
          => Recital: 60, 61, 62
          => administrative fine: Art. 83 (5) lit b
          => Dossier: Obligation, Transparency
          1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
          (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
          => Dossier: Representatives
          (b) the contact details of the data protection officer, where applicable;
          => Dossier: Data Protection Officer
          (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
          => Dossier: Purpose (Binding)
          (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
          => Dossier: Legitimate Interests (Controller)
          (e) the recipients or categories of recipients of the personal data, if any;
          (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

          under article13, in this scenario since krebs is the responsible party who sought out the data, that makes him the controller in this situation, so he can be held liable for violation of article13 now for not following the appropriate outlined policies.

          1. Zeno

            The solution will be easy: for users connecting from EU, Brian will have to show a banner: “Sorry, because of legislation in your country, you are not allowed to access this page”. Like it is already happening with US websites. It’s great to have mammy EU who protects me from the dangers of internet.
            As someone above wrote, the EU is, step by step, placing itself behind a cyber iron copyright curtain.

      3. Anya

        Krebs didn’t “doxx” anyone. The information was already publicly available on the internet, which by definition is not doxxing but called doing a little digging aka as research!

      4. Anya

        Krebs didn’t “doxx” anyone.
        The so-called private information was already publicly available on the internet, which by definition is not doxxing but called digging AKA research!

  11. Clive

    Off-Topic. This morning I got another in a long line of “Apple App Store” invoices. Nothing unusual. Traced the domain to a web hosting company.

    Contacted them via a web form and received an acknowledgement email to my account at 09:13 local time. At 09:18 local time I received a second email, which reads, “Thank you for contacting {hosting company}. The domain was disabled.”

    My question is: does that seem a bit suspicious? Would a typical ISP be able to carry out sufficient checks [i.e. examine outbound email volumes], speak with the domain client and render a decision in 5 minutes? Or does that maybe look like the hosting company could be part of the problem?

    Brian – if you’re reading this and interested – the email address I recorded with this post is valid; you’re welcome to contact me and I can forward the emails in question [along with scrapes of headers] for your reference.

  12. VIRGIL D HOFF

    thank you again for your diligence in a more than confusing world

  13. gigi

    Coinhive shutting down, cash flow dried up. huh?

  14. Harry Stoner

    These shady guys donating money to charity makes me think of them in the same light as Al Capone sponsoring a soup kitchen for homeless folks.

  15. John Blue

    I made use of coinhive. In and of itself it was a good service for me. I gave processor time for rewards. Sad that bad hombres gave it a bad name. Fortunately the Germans, like the French, have had about enough of losing their autonomy. Keep fighting the good fight Brian, you are making a difference.

  16. JOHN CRUZ

    If I ever have an online community protest me, I hope it manifests in charity donations, it is about as good a result as you can hope for.

Comments are closed.