While a research paper stated that CoinHive was generating $250,000 a month from its service, security companies increasingly began detecting and blocking it, making it less profitable as time went on.
Due to this loss of profitability and increasing difficulty in mining Monero, CoinHive shut down its operation on March 8th, 2019.
Two years later, CoinHive is still injected on sites
In a new blog post released today, Have I Been Pwned’s Troy Hunt revealed that he was given coinhive.com and other related domains for free as long as he would do something useful with them.
“In May 2020, I obtained both the primary coinhive.com domain and a few other ancillary ones related to the service, for example cnhv.co which was used for their link shortener (which also caused browsers to mine Monero).”
“I’m not sure how much the person who made these available to me wants to share so the only thing I’ll say for now is that they were provided to me for free to do something useful with,” Hunt explains in a blog post published today.
The top five countries pushing traffic to the CoinHive domains are China, Russia, United States, Georgia, and Vietnam.
From his analysis of the sites referring traffic to the CoinHive domains, Hunt stated that CoinHive scripts are still injected mostly by Chinese and Russian websites.
It is also believed that a lot of this traffic could be caused by compromised MikroTik routers that continue to inject CoinHive scripts when users visit websites.
Putting the domains to good use
When Hunt originally received the domains, he was asked to put them to good use.
Today, Hunt revealed that he is now redirecting the coinhive.com domain to his new blog post about Coinhive at TroyHunt.com.
The alert is a link that users can click to learn more about the CoinHive script injected on the website, as shown below.
While Hunt uses the CoinHive domains for good purposes, such as warning a site's visitors about the injected scripts, his control of the domains illustrates how bad actors could use abandoned domains to inject scripts into unsuspecting visitors' browsers.
“That’s the power you hand over when you embed someone else’s JS in your own site and that’s precisely why we have subresource integrity,” warns Hunt.