Cryptojacking (and how to prevent it)

#PSA time
I had a large writeup for this explaining things in-depth but I didn’t feel like working on that, so this re-write is a concatenated form of what I was intending to convey.

###Not your average Cracker Jack
Normally when we open a page of the Internet we expect three basic things;

  • Body content
  • Interactive content
  • Non-intrusive advertising

But should we expect cryptomining to be in the same box as well? With the crazy popularity of alternative cryptographic currencies, it was bound to happen; somebody found a way to source all active visitor’s processors to mine these “Altcoins”, with Coinhive’s mining of Monero being wide-spread news as of late due to various websites playing popcorn with people’s processors.

So why exactly is cryptojacking so bad?

  • For those with weak processors, it can compromise their experience with their machine further than the Internet at large already does
  • For those with restrictive data caps, the amount of data being exchanged can lead to users going over their cap
  • The act of cryptofunding can be done in secret and without your consent

Since the act of cryptojacking had affected users of websites regardless of previous reputation, I figured a short write-up about this would be helpful for people who want their crunchy. salty and sweet experience to not have actual jacks in the box.

###How to prevent being a victim
So far, it’s pretty straight-forward; install a blocker app and don’t let coinhive.js (or similar) run.

  • Adblock Plus users can add the NoCoin filter by clicking here.
  • It appears the previous link is not working; go here instead and add the NoCoin filter there.
  • Users of other, similar software can import into their filters the NoCoin blocking rules.
  • May also work for firewalls which support regular expressions.
  • Firefox users can utilize NoScript, as mentioned previously.
  • Google Chrome users can install the No Coin extension, or similar anti-mining extensions.
  • Various stories kept sharing this particular addon, though with any Chrome addon, as SafeBrowse demonstrated you can’t trust anything these days.

###Personal thoughts about this subject
Coinhive isn’t the big bad here. The media has been presenting it with a negative bias, but that is because its capabilities have been embraced by scum-sucking bottom-feeders who don’t care about your privacy or consent. As Coinhive demonstrates on their website, users can turn it on and off at a whim so long the option is provided, but implementations which hit the media don’t allow for it to be turned off.

It’s a novel approach for web developers to make money, but the cloak-and-dagger approach performed by web admins because the common user doesn’t know any better is frustrating, and will put it in the same place as BitTorrent for most people who don’t see any good in the protocol due to the multimedia piracy scene embracing it with open arms.

In the end, crowdmining, cryptofunding, cryptosourcing, whatever the legal equivalent is considered “Proper” terminology (such as a lot of things using the HTTP protocol in some way) had great intentions, and is stellar at its task when done legally, but finds itself home to thieves and freeloaders who want to do nothing more than see the world burn comfortably. Due to this, as a community we must be careful who we trust with use of this technology, and be vigilant when we see such technology used inappropriately, or otherwise exploited in some fashion to work against public interest and common good.


I had a lot more to write about this, but I felt like some of the stuff was getting above my head so I figured I would cut my losses and be more direct about the subject, rather than doing an extra-long writeup detailing each and every single little thing.

Hopefully what I posted is sufficient enough to understand the concept of cryptojacking and why it’s not entirely the fault of ad-hoc botnet-style mining services. Collective cryptofunding in this case is a good intention with the side-effect of lacking consent.


This is how I block it:

1 Like