With the massive upsurge in the value of bitcoin and other cryptocurrencies, cybercriminals are turning their prime focus to cryptocurrency. One of the fastest growing forms of malware are those mining cryptocurrencies on victim machines. Specifically, using the browsers of visitors as CPU cryptocurrency miners. Even news sites are utilizing this to monetize their websites and blogs. As bitcoin often takes specialized hardware to effectively mine, criminals are turning to Monero as the mining currency of choice for victim machines.

With the popularity of these attacks skyrocketing, it’s essential for enterprise and small-to-medium businesses to protect themselves. Typically, security companies focus on purely malicious behavior. As this action, per-se, is not malicious (it may just be news and blog sites trying to monetize), we don’t want to completely block these services. However, we do want to give our customers the option of choosing their own approach to combat these attacks.


Browser based mining isn’t a new concept. Actually, it might be older than you’d think. Back in 2011 (when Bitcoin was still rather new to the world, netting at 7$ per coin), mining it was much easier and less complicated. Back in those days, BitcoinPlus already offered means to mining currency using browser-based scripts. Alas, following the success of Bitcoin and rise of ASICs (Application-Specific Integrated Circuit) specifically built for Bitcoin, the days of browser-based bitcoin mining were short. With hundreds of other cryptocurrencies, all having cash value, there’s more options for attackers to choose.

Learning from their past mistakes, services like Coinhive don’t even try to mine Bitcoin. Instead, they focus on Monero. (Which, by design, is simpler to mine using your home owned CPU) As you’d expect, Monero is growing in popularity within dark web marketplaces because of its transaction privacy. With most cryptocurrency, all transactions are stored in the blockchain and can be viewed (by anyone) as long as that blockchain still exists. Monero hides transactions so effectively that exchanges between Monero wallets are private and anonymous.

Smart criminals have learned that subtle infections work best. Instead of bombarding users with ads, the script utilizes CPU resources to mine Monero and create revenue for the site owner. The solution itself does sounds remarkable: The user gets a cleaner experience in exchange for minimal usage of their CPU that doesn’t noticeably affect them.

The first big site to adopt this new method was The Pirate Bay, a torrent streaming site with considerable traffic. The site owners didn’t heed Coinhive’s advice and weren’t transparent to users while monetizing their CPUs. (One must appreciate the irony, as the site is called the Pirate Bay) Needless to say, users were not amused. Following The Pirate Bay, other sites joined, with hackers using the LiveHelpNow widget to jump start mining of their own.

Organizations need to look into stopping threats like this, and it is possible to use DNS or conventional firewalls to block the ability of cryptocurrency miners to work. Almost all use some form of mining pools and need to reach out “somewhere” to get data for the mining. If those locations are blocked in RPZ and in the DNS resolver, victim machines would never perform the mining. (Or continue to operate like business as usual) Conventional end-point tools will have difficulty stopping this, as there’s no malware to detect. Some will detect mining behavior, but most focus on network techniques.

Organizations may want to limit their power usage (mining is energy-intensive work) or limit the “wear” on the machines. Hey, it could simply be a matter of not wanting limited bandwidth consumed by mining traffic. Either way, developing network techniques to stop attacks like these has become a priority for organizations.

It seems, for the time being, browser-based mining is here to stay. With this, ThreatSTOP has specifically created a new target to block these services. The new lists are built with the help of ZeroDot1, who is doing great work on GitLab, collecting and maintaining lists of crypto mining services domains and IPs, And also by using the great work done by the ISC.

Here are our new lists:

  • Browser-Based Crypto Mining Services - Domains
  • Browser-Based Crypto Mining Services - IPs

Both are available both in simple and expert mode. (Domains list is available on DNS Defense only)

If you don’t have a ThreatSTOP account and are interested in seeing what we do, sign up for a quick demo here.

If you’re a current customer, instructions to add targets to DNS or IP Defense policies are available on ThreatSTOP’s Documentation Hub. Our Support Team is always available to help if you have any questions.