opinion

CoinHive: Advertising Alternative or Exploit

CoinHive: Advertising Alternative or Exploit

About two months ago I read about CoinHive and it sounded interesting. CoinHive provides software that will execute a mining program for the Monero crypocurrency.

It allows you to use the CPU resources of your computer to mine for this crypocurrency, just like how people have been operating Bitcoin rigs for years. The company also provides a handy “ReCAPTCHA”-style anti-hitbot script.

This solution has a long way to go before it could even come close to replacing advertising revenue for publishers.

At the time of this writing, one Monero was worth $100.60.

The controversy is that people are not using their own computers to execute this script, and it’s not their own personal CPU resources being utilized.

You see, CoinHive provides this script to be placed on your website. If it were a script that operated on your hosting server, that may pose an issue on a shared hosting environment, causing some problems for your hosting company. But that’s also not what is going on.

The controversy is that as a piece of JavaScript, CoinHive executes on the website visitor’s computer (client-side). This directly taps into the CPU of anyone visiting that website and thereby spikes CPU usage and reduces computer performance.

Ultimately this can result in a bad website experience as well.

In early November, Ultimate Fighting Championship’s website was accused of running the cryptominer. Similarly, a small handful of top-ranking websites were using the script and have been exposed for exploitation of visitors who had not been informed.

It was only a matter of time until someone would attempt to get this past our anti-malware detections here at JuicyAds.

When the domain ZettaStomp.com registered to someone in Mexico alerted us that it was running the CoinHive script, I decided it was time to find out if it really does cause a poor surfing experience and if it was truly a threat.

The ZettaStomp.com landing page, comprised of just an iTunes button (and the CoinHive code) did not set off any alerts in Avast antivirus or any firewalls. In fact, there was really no indication it was running at all on our test PC, running an Intel i5-6400 Quad-Core CPU.

The CPU load immediately shot upwards and processed consistently around 80 percent of maximum load. I found no significant impact at all in using the computer, so I got more aggressive. I started surfing the Internet, played some MP3s, and then fired up multiple YouTube videos.

The test PC started to lag and CPU usage bumped up over 90 percent, but nothing terribly annoying. It did not seem to have any issue whatsoever handling the “exploitation” of its CPU by the CoinHive Javascript.

When I ran the miner from CoinHive.com directly, it showed that with my machine mostly idle, it would process approximately 26-30 hashes per second with my CPU pegged at 90-100 percent.

When I started running more applications the hash rate dropped, bumping up the threads only lagged the computer until it was unresponsive. This coming in the age of ad blockers, which have disrupted decades of the advertising-supported internet. These users are obliviously running around the internet advertising-free and not paying for anything (but still consuming resources).

They will ultimately be responsible for the end of free internet, surely to be replaced by subscription-based monetization models. This is running free website publishers into a corner where things like CoinHive become attractive, and it represents what may very well be a solution to the problem of the “free Internet” by providing a pseudo “free pay-to-play” model.

Direct consumers could provide their CPU resources for an amount of time that equally correlates with the amount of resources or costs to use the website, and would allow the publisher to profit from each user, but it’s just not that simple.

Ironically, the response from ad-blocking companies has been to block CoinHive script, choking this source of potential cash for publishers from the growing group of freeloading leechers. Likewise, this is not something you will find on an advertising network like JuicyAds.

Even though our Test PC did not flag using Avast, our anti-malware detection alerted us immediately. JuicyAds has a history of helping to criminally prosecute illegal malware distribution, and similarly in this case, the campaign was immediately disabled and advertiser sent packing.

As you can imagine, the anti-virus and anti-malware companies has similarly labelled CoinHive as a threat. According to TheRegister.co.uk, Malwarebytes alone has received over 130 million requests from users to block CoinHive, but even the director of Malwarebytes Labs provided a moderate statement regarding the technology:

“We do not claim that Coin Hive is malicious, or even necessarily a bad idea. The concept of allowing folks to opt-in for an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution of it is another story.”

Coin Hive’s response appeared equally genuine and understanding regarding the ban-hammer coming down on them, reportedly saying, “We can’t blame them.”

In fact, CoinHive has already announced the alternative “AuthedMine” which requires implicit user consent for the coin miner to operate. Their website requests the support of ad-blocking and antivirus companies to allow the software to operate uninhibited. When I tested this solution, the CPU usage increased to approximately 40 percent.

Even if we assume that it’s both ethical and moral to basically hijack someone’s CPU for profit without their knowledge or consent, is it legal? I had no idea, so I enlisted the help of Corey Silverstein from Silverstein Legal to answer that:

“Mining cryptocurrency isn’t per se illegal. Things to consider here in terms of legal issues will involve the terms of service and privacy policy on the website where the mining operations are taking place. ‘Browser wrapped’ agreements (where the terms are just at the bottom of the page) have been deemed unbinding by different courts, because the user does not know they are there or what they include. Websites should be implementing a methodology for its users to agree to their legal documents via a check-box or some other type of e-signature,” Silverstein said.

“This practice could ultimately be something the FTC may look at; the FTC is no stranger to utilizing its powers to go after those who engage in fraudulent or deceptive trade practices and this type of hijacking could fit right into the FTC’s jurisdiction. Additionally, failure to inform website visitors or get consent to use their computing resources could start a chain of individual or class action lawsuits. Regardless, of when and how these type of website operators get in legal trouble, the idea of utilizing someone’s CPU resources without warning or consent is a recipe for disaster and eventually there will be consequences.”

According to an article from Pixalate, nearly 62 percent of the websites it found running CoinHive did not have a posted Terms and Conditions at all, and even more did not have a Privacy Policy (although, its unclear whether privacy is a relevant issue here).

So all of the legality aside, is the juice worth the squeeze? Probably not.

Simply running the miner on your computer with an average 30 per second hashrate, for a total of 10 hours per day, with the CoinHive miner would earn you approximately $0.49 per month. That isn’t even worth the amount of power the computer uses while its operating.

If you set up the miner on your website and say you had 1 million visitors per month to your website, with a 30-per-second hash rate, an average time on website of five minutes, with the CoinHive miner that pays out0.00015 Monero (XMR) per million hashes, you would expect to earn (drumroll) 1.35 Monero, or approximately $135 per month.

But what if Monero was worth as much as Bitcoin, surging recently to $10,000? Then it would make sense, right? Yes and no. While its true this math is a whole lot more attractive at $10,000 rather than the $100 current value of Monero, crypocurrencies work in a closed system with a finite amount of coin. This controls the value by how much of it is in circulation, and how much is available to be mined. The problem is strictly mathematics.

As the popularity of Monero grows and more and more websites mine the cryptocurrency, the number of available coins (and payments to the miners or publishers) will drop over time. Therefore, the cryptocurrency advertising solution for publishers has a limited lifespan built in, and over time will yield less and less revenue for the same amount of CPU work. That does not take into account any change in trading price of the Monero (speculators cause bubbles, and bubbles always burst). Things rarely (if ever) go up indefinitely.

After over a month of testing, my account is up to a whopping 0.00349 Monero, or $0.35.

CoinHive has suggested this technology is meant to replace advertising but with the rampant abuse, the auto-mining solution blocked by the same ad blocker and an opt-in model likely to produce significantly less revenue, this solution has a long way to go before it could even come close to replacing advertising revenue for publishers.

Juicy Jay is CEO and founder of JuicyAds. Readers can follow Jay on Twitter, @juicyads, visit JuicyAds.com, or like on Facebook.com/juicyads.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Why Cyber Insurance Is Crucial for Adult Businesses

From streaming services and interactive platforms to ecommerce and virtual reality experiences, the adult industry has long stood at the forefront of online innovation. However, the same technology-forward approach that has enabled adult businesses to deliver unique and personalized content to consumers worldwide also exposes them to myriad risks.

Corey D. Silverstein ·
opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
Show More