Who and what is Coinhive? (krebsonsecurity.com)
143 points by andimm on March 26, 2018 | hide | past | favorite | 44 comments



"But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on."

This is where I think Coinhive ethically crosses the line; perhaps legally, too. The mining scripts should stop when contacting Coinhive and determining that the specified key/ID has been disabled due to complaints or fraud.


Just to continue the quote from the article:

Reached for comment about this apparent conflict of interest, Coinhive replied with a highly technical response, claiming the organization is working on a fix to correct that conflict.

“We have developed Coinhive under the assumption that site keys are immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by the fact that a site key can not be deleted by a user. This assumption greatly simplified our initial development. We can cache site keys on our WebSocket servers instead of reloading them from the database for every new client. We’re working on a mechanism [to] propagate the invalidation of a key to our WebSocket servers.”


Meaning they'll "fix" it when they're forced to, but in the meantime they'll make a nice profit off the "broken" code.


I have also tried making a coinhive clone. Sparechange. We fully investigate any complaints and ban API keys immediately after investigation. The only reason to keep mining with a known bad key is greed.

Also, edit: we are working on a way for site owners to validate their site via a DNS entry or something, and only allow keys to mine on validated sites. We want to make this space less scummy!


Thanks for plugging here. I researched the space for an article (featured on HN frontpage) a few months ago, but did not come across SpareChange. Back then I found coinhive to be the "only properly implemented authed" system, so I used that as an example. I'll wait to see how CoinHive comes out of this sh*tstorm and decide whether I'll change my example to yours instead.

Also good to see there is (i) more improvement possible, (ii) ongoing investigation and (iii) competition in this space. Keep it strong, ignore the haters.


They also need to take more effective steps to allow them to claw back coins which were mined by bad actors. IIRC, they currently rake funds every few hours, allowing those bad actors to get away with most of the coins they mine before they get caught.


You could just point the miner at another pool and keep 100% of the shares. Cutting out CoinHive is trivially simple.

I really don't get the problem though. Someone's website is hacked and points to coinhive, and we want coinhive to fix it? This is why we can't have nice things.


We want Coinhive to not benefit from it.


Browser mining is basically worthless. If they're running a pool then they have to pay server usage to validate low value shares. I'm not sure CoinHive is even economically viable.

Meanwhile, Google - the multi billion dollar public company, is the one distributing this script through online ads..


When Coinhive was released I was really intrigued and imagined a lot of cool ways of doing micropayments. I even built a multiplayer game where you had to mine in order to get in-game credits (you can find the URL in my comment history), which was fairly well received by the players.

It was a proof-of-concept and when I saw that it worked I started building a proper version of it. However, soon thereafter rogue actors started using Coinhive for malicious things and I'm now at a point where I don't feel like continuing on the game. I still think it's a cool concept and my game is very clearly opt-in where I explain what will happen when you press "Start mining".

It feels like "this is why we can't have nice things" is applicable here.


Agreed, I initially felt good about coinhive too. I just wanted it to allow to rate limit cpu consumption, it would have been a great alternative to advertisement.

Maybe someone will come along later with an idea to make this work while preventing abuse (maybe browsers could build it in as a means of payment?).


> I just wanted it to allow to rate limit cpu consumption

Can't it already do that? The demo miner on their website has controls for "CPU Usage Percentage" and "Number of cores used".


Nice, thanks for letting me know - I haven't checked it for ages. There is definitely a proper use possible of this, then :)


You may find it less palatable, but I could totally see the 'free to play' games going down the road of cryptocurrency mining.

As your project did before, you could tie the mining with in game currency. If the underlying block chain is actively traded you could even scale the game currency with real currency in some way... 0.0001 cent is a gold coin for example. Payment that way would seem fairly above board, especially if you clearly tell the player about the taxing system -- this could then be your funding.


I think most people would even prefer that to ads, I'd much rather have you utilize 30% of my CPU for a while than make me watch an ad.


On mobile that is a bit more difficult. But even there: I'd rather have my battery drained by a clear, transparent miner than through spying and data-mining ads.

Though, in reality, I'd rather not have my battery drained at all; so I'd disable this when not plugged in. Or for desktop only.


This exists and is called huntercoin. The hard part for the human mining is coming up with a game that bots are worse at than humans, so it is still under development: http://huntercoin.org/

Soon (next month or so) the same team are releasing a multi-game coin as well: https://chimaera.io/


> However, soon thereafter rogue actors started using Coinhive for malicious things and I'm now at a point where I don't feel like continuing on the game.

Can you expand on this? How are they using it maliciously in your game?

Also, did you get a sense for whether it's a viable alternative to ads?


«actors started using Coinhive for malicious things»

I don't understand how this made you lose interest in your game. These malicious uses have nothing to do with you or your game...


It's the association risk. As much as we like to say there shouldn't be any guilt in association, humans aren't really wired that way.


”For roughly a week in January, Coinhive was found hidden inside of YouTube advertisements (via Google’s DoubleClick platform)”.

I’m shocked, and very surprised to hear that malware code is disseminated through innocent ads put out there by a user-loving, “do no evil” company. /s

Now, can we please finally conclude that an ad blocker in your browser is mandatory?



Has anyone found attempts to deobfuscate the coinhive source code? Maybe my google-fu needs improvement...

I found a github page that provides a proxy to the coinhive allowing the user to keep 100% of the profit, but it doesn't even link to the coinhive code that I could see. (https://github.com/cazala/coin-hive-stratum)

Also found this, https://jonathanmh.com/testing-coin-hive-crowd-source-monero.... Interesting but no source code.


I have a branch of https://github.com/tpruvot/cpuminer-multi, which I am working on tidying up and pushing to Github. It has a bash script that instead of GCC / Clang, compiles to WASM. Any Clang compilable software can compile to WASM theoretically. Only supports cryptonight hashing at the moment.


The actual miner is using WebAssembly so I don't know if it's even possible to deobfuscate in a sensible manner.


I've tried to reverse engineer it, but failed. The best place to start, IMO, is the communication between client and server over a websocket. It is binary, but shows some interesting data and keys (as in key names, from key-value, not crypto keys).

My idea was to make an API rate limiter, where a client has to submit a list of calculated hashes (PoW) with each request and so protect the API against bots, scrapers and other (D)DoS attacks. Bad idea, because the data that has to be transferred (in headers) is going to be huge, megabytes, if you want to make even a few cents on a million-hits-per-day API.


Found Dr. Matthias Moench to be the real gem in this story. Here is the translated version of the Die Welt article:

https://translate.googleusercontent.com/translate_c?depth=1&...


It's unfortunate that Coinhive has given this type of monetization a bad reputation; at least their shady practices make it that much easier for a competitor to enter this space. I hope that someone can come along with a transparent mining script that has an expedient abuse resolution process, and no tracking. Hopefully that's enough to overcome the stigma now associated with this type of monetization. I would certainly prefer that to regular ads.


You'd prefer lower battery life and worsened browser performance?


That's also a description of ads.


I think solving hashes ad nauseum while the page is loaded (and beyond due to service workers) is well beyond a typical ad in terms of resource consumption.


Ads are also visually intrusive and incentivize tracking.


Shamelessly plugging sparechange.io we take abuse seriously. Just create a ticket on our site, we require proof of site ownership (place file / DNS txt record) and abusive API key is banned (all websocket traffic becomes HTTP Unauthorized so no mining).


The pr0gramm.com-admins spend the whole day banning users that upload screenshots of this article to the platform.


I mean, doxxing Gamb wasn't really necessary, he was always very paranoid about being doxxed, and users of the site know what happened to cha0s when he was doxxed. So I understand that they want to think a bit about how to handle this situation.

I've complained about krebs being an asshole before on HN and this pretty much confirms it.

What exactly did doxxing people contribute to this story?

Edit: This might actually be the final straw that breaks the camel's back and pr0gramm will go down.

So thanks for that, Krebs. I wonder if Brian knows that Krebs means cancer in german. It's somehow fitting.


Can't edit anymore, but:

Yup, I pretty much predicted Gambs official statement.

They really don't like the doxxing. They posted an official statement and asked nicely to not post their private info on the website as everyone can google it now. And if shit gets out of hand with their private data in the public now they'll shut down the website.

Edit: Oh, they also said they've never banned anyone for posting the screenshot but asked them nicely to wait for the statement.


Private information? If it was so private, how was Krabs able to get it all off of domains they registered? Answer: It was never private, and just nobody bothered to connect the dots before now.


Just because Denic doesn't allow private domain registrations doesn't mean you're supposed to go after people and dump their personal info into your popular blog. Large parts of the information were historical data persisted by third parties that would be hard to expunge. There's a good reason for pr0gramm admins to want to remain anonymous - cha0s initially quit the site because he received an 80kg steel oven as sort of a threat. The post includes names and contact information of volunteer moderators that weren't even part of their company.

But Brian Krebs' private information - which is definitely out there - is to be kept out of public view? I'm sure he'd pursue legal action if I put that on my blog with some half-baked accusations.

It's wrong, plain and simple, which is why pr0gramm moderators have been removing posts with both their own private information and krebs'.


I posted a screen but was not banned; I got a PM from an admin nicely asking me not to publish a screen again before the site and coin-hive give out their own statements.


Gamb now responded with an official statement (german): http://pr0gramm.com/new/2445432


Why is Coinhive seemingly the sole option for this tool? If it's just code, what is to stop a different group of devs to replicate the process?


People are lazy.


Just a heads up: we, Hashcash.io, are working on V2 of our product, which will incorporate some bits discussed here: mining, currency and micropayments with a new blockchain and PoW approach. We applied to the YC18 summer batch, but either way we are going to launch it; it will just depend on how soon.

If you are interested - leave an email on website :)


Here is a followup post to the article. https://news.ycombinator.com/item?id=16696865



