Troy Hunt takes over domain name from Coinhive and shows warning on websites
Security researcher Troy Hunt has taken over the domain of cryptojacker Coinhive. The creator of Have I Been Pwned uses the domain to warn tens of thousands of websites that they still have the cryptominer online.
Troy Hunt, the founder of password database Have I Been Pwned, says in a blog post that he was offered Coinhive.com for free by an anonymous person in May 2020. That was on the condition that he would do something useful with it. Hunt says there are still a lot of people coming to the domain; at its peak, there were 3.63 million per day. Coinhive has been down for more than two years.
It was the main propagator of cryptojacking malware several years ago. The tool was often distributed as malware and sometimes deliberately implemented on crypto mining websites. Coinhive used a piece of JavaScript that monero generated for an address from Coinhive. The service said at its peak it earned $250,000 a month.
The service stopped in 2018. In the meantime, the cryptominer remained on thousands of websites. The miner did nothing there, because Coinhive no longer existed. Despite this, after the domain takeover, Hunt was able to intercept how many sites were still trying to connect to the original server. “Of course they don’t mine crypto anymore, but this site still contains JavaScript from a domain I control,” he writes.
Hunt has therefore set that websites that still contain the cryptojacker will show a pop-up with a warning. It states that the site “tried to run a cryptominer in the browser,” which includes a link to its blog post. Hunt says he thought long and hard about whether he wanted to do that. “Did I really want to modify other people’s websites? I wanted to let website administrators know that there is a high probability that they have been compromised, but how else do you do that when you are talking about tens of thousands of sites?” Hunt says that in theory he could have done other things with the JavaScript, such as installing keyloggers or other malware.