Abril 19, 2018

In-browser mining: Coinhive and WebAssembly

After a few evolutionary steps via Application Specific Integrated Circuits (ASICs) mining algorithms seem to have returned to their roots: the ‘humble’ personal computer. The suitability of algorithms such as CryptoNight (which underlies the Monero currency) ultimately led to the porting of the source code to JavaScript and a departure from the more traditional approach of having standalone executables for mining, instead executing code from within browser processes. This blog looks at the development and modern realities of in-browser mining.

We covered the basic concepts of blockchain, cryptocurrencies, and coin mining in our previous blog.

As we discussed, after a few evolutionary steps via Application Specific Integrated Circuits (ASICs) mining algorithms returned to their roots: the ‘humble’ personal computer. The suitability of algorithms such as CryptoNight (which underlies the Monero currency) ultimately led to the porting of the source code to JavaScript and a departure from the more traditional approach of having standalone executables for mining, instead executing code from within browser processes.

The beginning of in-browser mining

This new approach meant that any browser supporting JavaScript could be used for coin mining, and services soon arose to use the process for the monetisation of websites. This naturally appealed to cybercriminals as there was now no need for the laborious process of deploying and keeping binaries persistent – all that was required was a simple code injection on a web page.

The downside of this solution is that, while JavaScript is platform independent, it runs in a browser sandbox, far away from the bare metal and therefore from optimal performance. Another considerable aspect is persistence: while the earlier PC- and IoT-based implementations would run practically forever (or at least until someone found and killed the corresponding process) the browser-based approach can only work for as long as the page containing the miner is kept open. 

On the other hand, for malicious actors, the web-based approach also provides extra flexibility: there is no need to store everything on the same page. Functionality and components can be split across multiple domains, and previously rented or hacked servers can be (re)used for a new purpose.

Coinhive et al.

Coinhive is a legitimate service which first surfaced in mid-2017 as a JavaScript-based miner supporting Monero (XMR) mining. Once embedded in a website it uses the visitor's CPU resources for mining, thus providing alternative revenue stream to conventional advertisements. Thanks to its relatively fast adaption – which can at least be partly attributed to the fact that The Pirate Bay was one of its early backers – over a thousand websites included its code by the end of 2017.

Fingers soon started to point at the creators, primarily as a result of sites not always being willing to provide an opt-out from running the scripts on their visitors’ PCs. Many didn’t even bother to inform their visitors about their computers being used in this way.

In response, Coinhive created a new version which would become enabled if permission was explicitly given. Unfortunately this offered no guarantee of Coinhive users adopting the new build, especially ones with clear malicious intent in mind. 

Naturally, the strong uptake of Coinhive resulted in the development of competing services in late 2017 and early 2018 along with several easy to use mining plugins for popular web platforms such as WordPress.


Key to the majority of in-browser coin miners is WebAssembly (abbreviated Wasm): a new binary instruction format using a stack-based virtual machine, designed as a portable target for high level languages like C/C++. Its main design goals include load time efficiency and close to native execution speed in a memory-safe sandboxed environment – i.e. the in-browser JavaScript sandbox. The WebAssembly Community Group is responsible for the open standard.

The first ‘Minimum Viable Product’ (MVP) release of WebAssembly was in March 2017 and the standard is currently supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge.

While it has numerous use-cases, many of which are listed within the WebAssembly design documents, it’s easy to see how the technology would appeal to coin miner developers: in-browser miners have to live with a significant performance drop compared to ‘native’ code, and WebAssembly’s focus on speed assists in closing this gap. For reference, the developers of Coinhive provide the following performance guidance:

Of course, when running through JavaScript performance still takes a bit of a toll, but it's not that bad. Our miner uses WebAssembly and runs with about 65% of the performance of a native Miner.

Is it malware?

Whether or not in-browser mining is inherently malicious is a matter of contention, with even the security industry harbouring mixed views.

Running a hashing algorithm on someone else's PC without their knowledge is a malicious action: ultimately, it is appropriating someone else’s resources without their permission. While it shouldn’t do any harm to the data or integrity of the machine, it will result in a slower-responding PC and an increased electricity bill, especially if goes unnoticed for a long period of time.

On the other hand, performing hashing with a user’s consent is not a malicious action – at least some users may be willing to run these scripts if it means no adverts on a website. In early 2018 the Salon website experimented with this approach.

From here onwards, please note that when we use the term Coinhive we are exclusively referring to abuse of the Coinhive code and service for the purposes of mining without user consent.

When good dogs do bad things

Malicious users quickly came up with multiple schemes to get miners into people’s browsers. Chrome extensions featuring Coinhive code were quickly developed, providing a much-improved return over simple web pages as the miner would run whenever the browser was open. In parallel, a number of Coinhive blocker extensions were developed to try and prevent unauthorised mining on websites.

Google's Web Store policy was initially permissive with regards to mining extensions: as long as the extension's sole purpose was mining and the user was adequately informed, it would not be banned. Still, many failed to comply with these policies and, as a result, Google recently moved to tighten the rules effectively banning any mining extensions from the Chrome Web Store.

This left the bad guys with the tried-and-true approach of website code injection.

How does all this work in the wild?

Miners get injected into unwitting websites’ code by compromising them, mostly through some vulnerability. Much as has happened for years now, this is typically done by automated software scanning for known vulnerabilities and, once a vulnerable website found, exploitation happens and the malicious JavaScript code is injected. 

As the popularity of browser-based miners is high amongst cybercriminals, a vulnerable web site can potentially be compromised by more than one actor: as an example, the web site shown below was compromised by three separate cybercriminals - all using slightly different browser miner tools. Note the lack of visible evidence of the miners on the site itself.

The image below shows the full infection chain visible in the packet capture when visiting this site:

By the time we analysed the site the first of the three miners had been removed, however the other two were still working. The injected code for this inactive miner is shown below.

Active Infection #1: ‘Basic’ Miner

The first active miner is a widely available browser miner tool (‘Basic Miner’ in the diagrams). 

It is less sophisticated and easier to block with a web security gateway than the second active miner as it uses minimal obfuscation and static domains for relaying mining traffic to mining pools through WebSocket-based intermediary proxy servers. The image below shows the injection for the ‘basic miner’.

Upon loading, it first downloads the CryptoNight WASM binary and then immediately begins mining, routing its traffic through publicly known coinhive.com WebSocket proxies (see below).

Active Infection #2: ‘Advanced’ Miner

Many publicly available ‘grey/black’ miners also have private versions for subscribers which are generally intended to be much harder to detect. The second active sample (‘Advanced Miner’ in the diagrams) is potentially one of these. Its injection code is shown below.

It uses a URL shortening service to retrieve the main mining script and uses a slightly more advanced obfuscation technique than the ‘basic miner’ – although it should be noted that this is still only simple base64 obfuscation, something which would be considered very basic amongst more advanced threats such as exploit kits. 

Interestingly, this miner uses at least one dynamic-DNS proxy server (see code snippet below) for relaying mining data through WebSocket connections making detection and blocking much more difficult.


Comparing the Two Active Miners

It is worth noting that the underlying code in the ‘basic’ and ‘advanced’ miners is very similar – this broadly appears to be the case with a large number of in-the-wild WebAssembly-based miner, many of which appear to be minor variants of codebases available on GitHub. These ‘copycats’ are mostly tweaked only slightly in order to avoid detection, usually by altering function names in a ‘creative way’ (batmanrobin, darkshadow, krypt0n1ght) or by completely removing references to the original C source.

The table below compares the functionality of the two miners.

  'Basic' Miner 'Advanced' Miner
Injection Easily detectable, contains in-browser mining related keywords. More innocuous looking, the main miner script is hidden behind a URL shortener.
Miner Script Obfuscation Almost non-existent, only the most critical keywords are obfuscated using hex values. Base64 encoding for the whole script, critical keywords are hex encoded, plus some dynamic obfuscation.
WebSocket Proxy Infrastructure Publicly known and static, uses coinhive.com WebSocket servers. Private and dynamically updated, making takedown much more difficult.



Web Sockets

A peculiarity of in-browser miners is their reliance on WebSockets for communication. As processes running in a browser sandbox are not permitted to open system sockets, WebSockets were designed to allow full-duplex, asynchronous communications between code running on a webpage and servers – for example, chat applications such as Slack make heavy use of WebSockets.

As the standard for WebSockets calls for sessions to be opened as HTTP and then ‘Upgraded’ to a WebSocket (see the example below), this does not allow for direct communication with the majority of coin mining ‘pools’ which generally use a protocol called Stratum.

As a result, the operators of in-browser mining operations need to set up WebSocket servers to listen for connections from their miners and either process this data themselves if they also operate their own mining pool or ‘unwrap’ the traffic and forward it to a public pool if they don’t.

While a coin mining script may appear on dozens or even hundreds of websites, there are likely to be significantly fewer of these WebSocket servers involved in any deployment, thus dramatically simplifying blocking using web proxies: no ability to communicate with the mining pool generally means no mining activity.

Disabling WebAssembly and/or JavaScript

Note: The following actions are undertaken at your own risk.

Something of a nuclear option, only Firefox and Chrome support disabling Wasm as of April 2018. To do this, follow the instructions below. Before doing this, consider that this approach is likely to prevent the normal operation of an increasing number of sites as the technology is further adopted.

In Firefox: navigate to about:config and set javascript.options.wasm to false

In Chrome: navigate to chrome://flags/#enable-webassembly and change it to disabled

If disabling Wasm is the nuclear option, then disabling JavaScript all together is the thermonuclear option. Security advice frequently includes recommendations for plugins such as NoScript for this purpose. While this dramatically improves security, it will once again have an impact on the functionality of websites and you should consider whether it is appropriate for your organisation and browsing habits.

Conclusions & protection statement

With the ever-increasing popularity of cryptocurrencies (despite the unstable value of Bitcoin in 2018) the ongoing interest in coin mining is no surprise. The question for the security industry is the one posed above: is it malware?

Reduced to its simplest, the mining process is nothing more than arithmetic instructions executed in order to solve a pre-defined piece of a puzzle. This can hardly be considered malicious on its own.

The key question is whether this activity occurs with the explicit understanding and approval of the user. As such, blanket blocking all mining scripts without examining their context is not necessarily the best approach.

Forcepoint take a combinatory approach to detection and blocking of coin miners associated with compromised websites, blocking the instances of the scripts which we identify but – more critically – blocking the WebSocket command/relay servers which entire campaigns depend on.

Thus, Forcepoint customers are protected against this threat at the following stages of attack:

Stage 5 (Dropper File) - Malicious files are prevented from being downloaded.
Stage 6 (Call Home) - Attempts to contact the C2 server are blocked.

Indicators of Compromise

Note: The following list of IOCs is non-exhaustive and focuses primarily on the Wasm samples and campaigns discussed in this article.

WebSocket Relay Servers


Hashes (WebAssembly Files)


Sobre a Forcepoint

A Forcepoint é líder em cibersegurança para proteção de usuários e dados, com a missão de proteger as organizações ao impulsionar o crescimento e a transformação digital. Nossas soluções adaptam-se em tempo real à forma como as pessoas interagem com dados, fornecendo acesso seguro e habilitando os funcionários a criar valor.