Hackers Hijack Coinhive and Redirect Mined Monero to their Own Wallets

Cryptoloot | New Monero Miner in the “Cryptojacking” Scene

Crypto mining scripts are not new. Just two years ago, uTorrent, the most used BitTorrent client, was caught mining bitcoins by utilizing the processing power of users computers. With the growth of cryptocurrency use, crypto mining scripts have also seen a growth in popularity. The most recent trend in “crypto jacking” is in-browser miners, where visitors of a website are mining cryptocurrencies, usually unknowingly, for the website owners. The most popular mining script is Coinhive but there seems to be a new player on the scene.

First reported by Bleeping Computer, Cryptoloot is a new crypto miner service. Very similar to Coinhive, Cryptoloot provides a simple JavaScript file that allows website owners to mine Monero using CPU power of visitors. The main difference between the two regards revenue share. While Coin-hive keeps 30% of Monero funds and only gives 70% back to users, Coin-hive introduces a more altruist structure keeping only 12% to themselves and giving 88% to users.

Most crypto mining scripts work in the shadows without user knowledge or contentment. Seeing as Cryptoloot’s miner doesn’t have a user interface, it can easily be used silently without informing the users. However, Cryptoloot’s team strongly advises against it, stating that the “long-term goodwill of your users incentivizes to keep coming back!”. Ultimately, the choice of keeping the mining script hidden solely rests on the website owner’s hands.

While Cryptoloot is very recent, it offers a better deal to users than the competition, so it wouldn’t be surprising if it burst into the scene just like Coinhive did.

Websites caught mining Monero

Last month, it was reported that Piratebay was using the Coinhive script. Although the script only ran for 24 hours and wasn’t enabled on the whole website, it was enough for users to notice the sudden spike in CPU usage.

The trend then expanded to more than torrent websites. Showtime, a CBS owned platform for tv shows, movies, and sports events, was caught using the Coinhive script. As soon as news started reporting the hidden miner, that was using as much as 60% of users CPU, CBS quickly removed it. The script was probably introduced by a rogue agent, seeing as Showtime charges a subscription fee to users for its content and doesn’t even used ads.

These cases even got the attention of Cloudfare, the giant content delivery network and internet domain provider, who has now moved to ban torrent websites that were using the Coinhive script.

Reports from today also stated that Cristiano Ronaldo’s website was using Coinhive miner as well. Using 100% CPU usage, the script has already been taken down. It’s suspected that this all happened without the soccer superstar knowing anything about it.

How to Block Mining Scripts

There are many methods to block crypto mining. Most antivirus vendors already block or at least warn users in the eventually of the Coinhive script being detected. Using ad blockers, like Adblock Plus and AdGuard, or Chrome extensions, like AntiMiner and NoCoin (recently added support of Cryptoloot), will also get the job done. Another, less simple option, is to use a Windows hosts trick to block the Coinhive or Cryptoloot domains.


It’s possible that in the future websites will not only warn users but also share some of the profits from mining. A private torrent website already allows users to mine cryptocurrencies for upload credits, allowing users to turn the miner on and off as they please. If this happens, browser mining could be a viable and better alternative to monetizing a website than an advertisement.