Hacking warnings have appeared on Coinhive-related domains

Troy Hunt, creator of the Have I Been Pwned service, has posted hacking warnings on domains associated with the Coinhive browser mining service.

Hunt said that the domains coinhive.com and cnhv.co were transferred to him in May 2020. After analyzing incoming traffic through Cloudflare, he found that the service still receives over 3 million requests from more than 100 thousand unique visitors every day.

Most of the traffic comes from China, Russia, the USA, Georgia and Vietnam.

“Most of the traffic can go through hacked MikroTik routers, which continue to implement Coinhive scripts when users visit various websites,” the security researcher wrote.

Troy Hunt has set up a redirect from the domain coinhive.com to his new post about the hidden miner on TroyHunt.com. Sites with embedded Coinhive scripts now display a dialog box with the text: “This website tried to launch a cryptominer in your browser.”

The expert warned that attackers could use abandoned domains to inject scripts into users’ browsers.
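A site owner can check their own pages for leftover references to these domains. The following is an added example, not code from the article or from Troy Hunt: the domain list comes from the article, while the function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article as formerly serving Coinhive scripts.
ABANDONED_DOMAINS = ("coinhive.com", "cnhv.co")


def is_abandoned_host(host):
    """True for a listed domain or any subdomain of it (not look-alikes)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ABANDONED_DOMAINS)


class ScriptAudit(HTMLParser):
    """Collects <script>/<iframe> elements that load from a listed domain."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        src = (attr.get("src") or "").strip()
        # Protocol-relative URLs (//host/path) need a scheme to expose the host.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if is_abandoned_host(host):
            self.findings.append({"line": self.getpos()[0], "tag": tag,
                                  "src": src, "has_sri": bool(attr.get("integrity"))})


def audit_html(html):
    """Return one finding per element that still loads from a listed domain."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="https://coinhive.com/constructed/a.js"></script>
<script src="//cdn.cnhv.co/constructed/b.js"></script>
<script src="https://notcoinhive.com/app.js"></script>
<script src="/static/coinhive.com.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

Only the first two tags in the sample are reported: the look-alike host and the local file whose name merely contains the domain are not matches.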

As a reminder, the Coinhive script used visitors' computing power through the browser to mine the Monero cryptocurrency. The service stopped working in March 2019.

The developers attributed their decision to a drop in the network's hashrate due to the Monero hard fork and a decrease in the price of the cryptocurrency by more than 85% during the year.

In 2018, Monero mining brought the creators of the Coinhive script about $250,000 per month.

After the closure of Coinhive, the popularity of cryptojacking declined. However, in the second quarter of 2020 the number of cases of hidden browser mining of cryptocurrencies increased by 163% compared to the previous quarter.