Cryptojacking: Abuse of JavaScript Cryptocurrency Mining and Challenges of Legitimate Use

October 30, 2017

In recent months, some websites have commandeered users’ computer processors to “mine” cryptocurrency. This new form of computer user abuse is called “Cryptojacking.” Cryptojacking is possible because of new “mining” technology that allows websites to run JavaScript that uses an individual’s computer processing power to mine cryptocurrency without the individual’s knowledge or permission. This allows the website to profit at the expense of the individual’s computer performance and power bill. The most prominent scripts for this purpose are currently Coinhive and Crypt-Loot. Coinhive was the first widely used script, but Crypt-Loot is quickly overtaking its popularity because Crypt-Loot only takes 12% of the profits compared to Coinhive’s cut of 30%.
In addition to “Cryptojacking” by website owners, there are instances where outside parties hacked websites and then “injected” the script into those websites for the outside parties’ gain. Beyond these threats, there are also downloads, for example browser extensions, that run the offending scripts.
However, the technology itself does not appear to be inherently problematic and may be a legitimate business in its own right. The fact that there is a market for this cryptocurrency suggests that these mining technologies may be a viable way for websites to be compensated, presuming the computer user consents. This technology becomes even more appealing considering that it may be able to replace ads on the internet, which have been notorious security risks themselves.

Allowing a user to consent to a website’s use of their computing power may alleviate the “hidden” aspect of the abuse but brings about a whole host of other problems.

The director of Malwarebytes Labs specifically notes that their anti-malware company is currently blocking the script because it does not allow an opt-in/opt-out option. However, he also noted that they observed that the scripts put a strain on the user’s computer system resources and may degrade the user’s hardware. These observations, along with the facts that people have computers of varying efficiency and obtain electricity at different costs, raise the question of whether the average user would even be able to give their informed consent, because the average user would not know the value of what they would be providing. In a similar vein, it may also be possible for a user to trick the website into believing that the user is providing more value than they actually are. This would remove the benefit that the user was supposed to convey in exchange for access to the website and create a problem that is comparable to ad blockers and online advertising.
Additionally, even if a user could give informed consent, there would also be problems ensuring that the script only uses as much processing power as the user contracted for. Specifically, a user may have difficulty noticing usage that is only minimally greater than what was agreed to. While the additional taking is small on the individual level, when viewed on a large scale this taking could amount to significant increases in profits for website owners, which, without deterrence, would encourage additional taking behavior. Moreover, beyond direct economic exploitation, there could be tangential harms related to data and productivity losses caused by computer or network crashes and slowdowns.
Overall, these new mining technologies may hold economic benefits, but the average person’s consent alone (the lack of “cryptojacking”) is not enough to mitigate the technology’s dangers. In order to realize the economic and societal advantages of these technologies, research into the appropriate data protection measures and economic efficiency needs to be conducted, appropriate regulations may need to be enacted, and users need to be educated.