The name says it all: WannaMine. Panda, a Bilbao, Spain-based cybersecurity company, wrote in the beginning of February that "a new malware variant has been taking over computers around the world, hijacking them to mine a cryptocurrency called Monero."
The virus recalls WannaCry, a worm that swept the globe in May 2017, encrypting infected systems' data and demanding bitcoin ransom payments in order to decrypt it. But WannaMine takes a different approach to wringing cryptocurrency out of its victims: it uses their machines' processing power to run an algorithm called CryptoNight over and over again, hoping to find a hash meeting certain criteria before any other miners do. When that happens, a new block is mined, creating a chunk of new monero – worth about $1,500 at the time of writing – and depositing the windfall to the attacker's wallet.
The chances that any given miner will find the next block first and receive the reward is tiny, but infect enough CPUs, and you can hack together a decent revenue stream. Since the victim pays the electricity bills and provides the hardware, the costs to the attacker are negligible. (See also, How Does Bitcoin Mining Work?)
On Feb. 11, a similar but rather more spectacular attack was uncovered. Cybersecurity researchers Scott Helme and Ian Thornton-Trump (phat_hobbit) noticed that sites from the UK's National Health Service to the U.S. Courts were hijacking visitors' browsers to mine monero.
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... pic.twitter.com/xQhspR7A2f
— Scott Helme (@Scott_Helme) February 11, 2018
The culprit was a text-to-speech plugin popular with Anglophone governments called Browsealoud, which had been infected with Coinhive, an in-browser monero miner that is not necessarily malware per se: Its providers present it as a legitimate way to monetize traffic, but ask their users far too few questions, according to Motherboard.
So far, so 2018. But something's off. The attackers made nothing: about $24, which wasn't even paid out, Coinhive told Motherboard. And as Helme pointed out, the attack could have been much worse: "Attackers had arbitrary script injection on thousands of sites including many NHS websites here in England." They could have stolen boatloads of extremely valuable personal data. But they didn't.
What's more, given their chosen method of attack, the attackers should have chosen higher-traffic, less-scrutinized, lower-security targets: porn sites are popular with cryptominers because they fit these criteria.
It seems the hijackers' goal wasn't to make money. Perhaps, as Wired UK's Matt Burgess put it – paraphrasing Malwarebytes analyst Chris Boyd – they were "creating a proof-of-concept instead."
Crypto Disrupts the Ad Model?
What concept that might be, Boyd didn't specify. "Let's see what sort of crazy thing can be done with these scripts," he imagined the hackers saying.
But Lucas Nuzzi, senior analyst at Digital Asset Research, has an idea. "Browser-based miners like Coinhive are the best implementation of useful PoW [proof of work] in existence," he tweeted. "For the first time in internet's history, websites have a way of monetizing content without having to bombard users with ads."
The potential isn't limited to ad-based models, either:
2\ These miners can be implemented with less than 20 lines of code. Wikipedia wouldn't need to ask for donations if they implemented a browser-based miner.
— Lucas Nuzzi (@LucasNuzzi) February 15, 2018
Browser mining has the potential to disrupt current monetization models for web content providers. Internet ads – which are annoying, often carry malicious code, and support a data brokerage industry that compromises users' privacy and and security – could be relegated to a supporting role. Donations – which, judging by the tenor of Wikipedia's pleas, don't cut it – could also fade in importance. (See also, Blockchain Could Make You – Not Equifax – the Owner of Your Data.)
Unfortunately, Nuzzi continues, hackers beat reputable sites to the punch, which links browser mining with malware in the public imagination and "crushes the hope of adoption by reputable websites like Wikipedia."
Salon Takes the Plunge
Perhaps, but at least one reputable, if struggling, site has taken the plunge. Salon has partnered with Coinhive, and on Feb. 11 – the day of the Browsealoud debacle – it began asking visitors using ad blockers if they'd like to "block ads by allowing Salon to use your unused computing power." The FAQ page explains that this means mining monero, though it doesn't mention its now-infamous partner by name. (See also, Salon Wants to Use Your Computer for Cyrptocurrency Mining.)
To assess the user experience, I turned on a couple of ad blockers, visited Salon and agreed to "suppress ads." It didn't work. The homepage became semi-opaque and unclickable, as sometimes happens when a mandatory pop-up is obscured by an ad-blocker (having an adblocker being a necessary pre-requisite to opting into the cryptominer). After some fiddling – the kind that would have led me to browse elsewhere under normal circumstances – I was mining monero in exchange for cutting liberal commentary.
I did not see any ads, but of course I was running ad blockers. The page constantly reloaded certain elements, causing the text to skip around every few seconds. It was difficult to read. A bit suspiciously, my ad-blockers' counters ticked up to 11 and 29, indicating requests blocked, with every reload.
I was undoubtedly mining. Prior to visiting the page, my Macbook's activity monitor showed no application using more than 10% of CPU. During my visit, Chrome Helper ranged from 50% or so up to – at one point – 320%. Chrome's energy impact also spiked to triple digits; the 12-hour average is 46.
An email to Salon's PR firm asking about the outlet's experience with browser mining did not receive an immediate reply. This article will be updated to reflect Salon's responses.
Can Browser Mining Work?
My brief encounter with browser mining revealed the kind of hiccups that are typical of beta versions. But power consumption is an obstacle that minor improvements won't solve. Bitcoin miners are flocking to Quebec because the electricity is cheap. Hijackers are mining using visitors' browsers for the same reason. While it's difficult to estimate the monetary impact of mining on Salon's behalf, the increase in electricity consumption was obvious. If a significant chunk of the web adopted browser mining, using the internet could get expensive.
The same goes for hardware usage. WannaMine presented such a problem because, as Panda put it, "the way in which it tries to make maximum use of the processor and RAM places the computer under great strain." Unless sites limit the demands they make on visitors' computers, processes will slow to a crawl and hardware will wear out considerably faster.
Nuzzi doesn't discount these problems. "If browser-based mining becomes a thing, there will definitely be abuse when it comes to the number of mining threads the website consumes," he said via email. On the other hand, "like ads, there will be ways of blocking that scrypt, so websites have to figure out what the fair balance should be, otherwise users will stop visiting the website or block the miner."
As for electricity usage, monero's hash function CryptoNight has a lighter touch than, say, bitcoin's SHA-256. Monero mining "isn't a big problem for laptop users," says Nuzzi, but "it most certainly curbs some of the use cases for smart-phones" with their more limited battery capacity.
Then there's the risk that the hash rate arms race, which has rendered CPU and even GPU mining of bitcoin and litecoin unprofitable, will stall the browser mining push. The reason that Coinhive and WannaMine use monero is that it is one of the only cryptocurrencies that can be profitably mined using a CPU. Given the right economic incentives, couldn't monero also fall victim to ASICs, specialized hardware designed solely to run through hash functions as fast as possible?
Nuzzi doesn't think so. He calls CryptoNight "brilliantly designed," adding that it "allows Monero to be mined using a variety of devices, including smartphones, as the majority of them have at least 2GB of RAM, while only 2MB is required to initiate a CryptoNight instance. Relative to Scrypt (Litecoin's consensus algorithm), CryptoNight is much more resilient to circuit integration, which allows ASICs to be built."
Monero's developers have also promised to change the algorithm if an ASIC is developed. "Manufacturers like Bitmain would never allocate the R&D budget to develop a Monero ASIC given this risk," says Nuzzi. (See also, Bitcoin vs. Litecoin: What's the Difference?)
If cryptomining does displace ads as the primary way to monetize online content, it would be the fulfillment of one of cryptocurrency's earliest promises.
The argument that bitcoin micropayments to sites could disrupt the current model fell victim to rising transaction fees, but other attempts have been made using other tokens, such as the ad-blocking Brave browser's Basic Attention Token. But as long as funding a wallet and compensating sites whose ads you block remains optional – as it is in Brave – the model appears unlikely to provide sites with the revenues they need. (Brave, it should be said, does envision a place for advertisers on its platform.)
There is no guarantee that browser mining will catch on, or that the effect on users' equipment and electricity bills won't be a deal-breaker. There's a chance, though, that annoying, intrusive, occasionally harmful ads – or the programs you use to block them – are on their way out.
Investing in cryptocurrencies and other Initial Coin Offerings ("ICOs") is highly risky and speculative, and this article is not a recommendation by Investopedia or the writer to invest in cryptocurrencies or other ICOs. Since each individual's situation is unique, a qualified professional should always be consulted before making any financial decisions. Investopedia makes no representations or warranties as to the accuracy or timeliness of the information contained herein. As of the date this article was written, the author does not have a position in any cryptocurrencies.