One of the biggest campaign operators using Coinhive—an in-browser cryptocurrency mining service—made a measly $7.69 USD after running Coinhive’s script on 11,000 websites for three months, according to a new report published to arXiv last week.
In fairness, all of these sites were parked domains—website addresses that are bought but usually not used for anything except serving ads to accidental visitors—meaning that the 105,000 visitors that landed on these pages during the three-month period didn’t spend that much time on them. (The report says the average time spent on a page was was 24 seconds.) It’s yet more evidence that tricking unsuspecting people into mining cryptocurrency is not guaranteed to be profitable.
Videos by VICE
For example, in February a hacker compromised a browser plug-in that forced visitors to thousands of websites (including government sites) to mine Monero; in four hours, the attacker made off with just $24.
Coinhive and similar mining services capture a portion of a website visitor’s CPU power. This can cause computers to crash, hardware to wear out more quickly, or the user’s electricity bills to spike, depending on the situation.
The report, published to arXiv last week by three researchers from Concordia University and independent researcher Troy Mursch (the guy behind Bad Packets), offers one of the most comprehensive analyses of the rise of in-browser cryptocurrency mining to date. Although media coverage of Coinhive has mostly focused on scammy uses—such as how websites like The Pirate Bay used the service to hijack visitors’ CPU power to mine cryptocurrency without their consent—this new report also considers the value of in-browser mining as a legitimate alternative to advertising.
Read More: Is The Pirate Bay’s Cryptocurrency Miner Better Than Its Crappy Ads?
For example, a project called Bail Bloc allows users to donate their CPU power to mine cryptocurrency in order to raise bail for non-violent offenders. More recently, Salon offered its readership the opportunity to mine cryptocurrency instead of seeing ads. These legitimate uses may be more profitable than short-lived criminal ventures; after just one month of pool mining, Bail Bloc reported generating $3,000 worth of Monero.
Although the researchers recognize these legitimate uses, they argue that it is “unclear if users understand what they are consenting to, what they receive in return, and whether it is a fair exchange.” The researchers acknowledge that the same could be said of advertisements, which often use cookies to track users around the web, whether those users are aware of it or not.
In-browser mining scripts date back to at least 2011 when Bitcoin could still mined with a normal CPU, a part that every computer contains. But CPU mining became unprofitable as Bitcoin miners began to adopt powerful, specialized mining chips known as ASICs. In the last few years, however, cryptocurrencies such as Monero have kept the proud tradition of CPU mining alive. This also sparked a resurgence of interest in in-browser mining for coins.
Last year, Mursch found that over 30,000 websites were running Coinhive’s service (Coinhive accounts for over 90 percent of deployed in-browser miners, according to the researchers). Although Coinhive offers clients the ability to ask users to opt in, last year Mursch tweeted that the vast majority of Coinhive’s clients were not using the opt-in feature. Coinhive disputes this claim and said approximately a third of its clients require consent from users.
There’s a good chance that both malicious and legitimate in-browser mining schemes will be with us for the foreseeable future, and may even come to replace advertising revenue for certain websites. If the practice continues to spread, it’ll be necessary to start discussing regulation schemes for in-browser mining. (There’s some precedent here: In 2015 New Jersey ruled that using browsers to mine for cryptocurrency without user consent is tantamount to fraud.)
Until then, however, it’s up to website visitors to stay vigilant about how their computer is being used.