Hackers Hijack Coinhive and Redirect Mined Monero to their Own Wallets

Core Media has reported that The Pirate Bay, the well-known piracy website, has been running a JavaScript-based Monero (XMR) miner on its pages, using visitors' CPU time to mine the cryptocurrency and generate revenue. According to the site's admins, the move was a test of whether mining could bring in enough revenue to let the site drop its ads.

The Pirate Bay initially only tested the code, which is provided by Coinhive, and then decided to install it properly, telling users that it wanted to use their CPUs to mine Monero while they were on the site.

The move sent Coinhive's popularity surging, so much so that competitors began to appear and hackers were drawn to the business. According to a Coinhive blog post, the hackers recently succeeded: Coinhive's CloudFlare account was hijacked by cybercriminals who changed the DNS records for the company's domain, so that requests for its mining script were answered by a server they controlled and served a modified copy of the company's code.

With the modified mining code in place, the hackers redirected the Monero that website admins were mining with their users' CPUs to a wallet the hackers controlled, for at least six hours. Coinhive added that, although its users lost revenue, no information was leaked. The blog post reads:

“This essentially let the attacker “steal” hashes from our users. No account information was leaked. Our web and database servers have not been accessed.”
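The hijack worked by changing where the script was served from, not by breaking into Coinhive's own servers, so the check a site operator can make is on what actually arrives in the browser. The following is an added example and is not Coinhive's or The Pirate Bay's code: it pins the Subresource Integrity digest of a vetted copy of a third-party script, emits the matching script tag, and flags a freshly fetched copy or a DNS answer that departs from the baseline. The script bodies, the host addresses (RFC 5737 documentation range) and the URL are constructed for illustration.

```python
"""Integrity checks for a third-party script embed.

Added example (not Coinhive's code): a site that loads a script from another
domain pins the script's digest and the addresses the script host is expected
to resolve to, so that a DNS hijack that swaps the served file is caught on
the next check. All sample data below is constructed for illustration.
"""
import base64
import hashlib

# Constructed stand-in for a vetted copy of a third-party miner script (not the
# real Coinhive file) and a tampered copy that ignores the site's own key.
VETTED_SCRIPT = b"(function(){window.Miner={start:function(siteKey){this.key=siteKey;}};})();\n"
TAMPERED_SCRIPT = b"(function(){window.Miner={start:function(siteKey){this.key='ATTACKER-KEY';}};})();\n"

# Hypothetical allowlist of addresses the script host should resolve to
# (RFC 5737 documentation addresses, not real infrastructure).
EXPECTED_HOST_ADDRS = {"203.0.113.10", "203.0.113.11"}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, pinned: str) -> str:
    """Render a <script> tag whose integrity attribute makes the browser refuse
    any file that no longer matches the pinned digest."""
    return f'<script src="{url}" integrity="{pinned}" crossorigin="anonymous"></script>'


def check_script(body: bytes, pinned: str) -> list[str]:
    """Compare a freshly fetched script body against the pinned SRI value."""
    algo = pinned.split("-", 1)[0]
    actual = sri_hash(body, algo)
    if actual != pinned:
        return [f"script digest changed: expected {pinned}, got {actual}"]
    return []


def check_dns(answers: list[str], allowlist: set[str]) -> list[str]:
    """Flag every resolved address that is not in the operator's allowlist."""
    return [f"unexpected address for script host: {a}" for a in answers if a not in allowlist]


def audit(answers: list[str], body: bytes, pinned: str, allowlist: set[str]) -> list[str]:
    """Run both checks; an empty list means the embed looks untouched."""
    return check_dns(answers, allowlist) + check_script(body, pinned)


if __name__ == "__main__":
    pinned = sri_hash(VETTED_SCRIPT)
    print(script_tag("https://example.com/miner.min.js", pinned))
    # Simulated hijack: the host now resolves elsewhere and serves the tampered copy.
    for finding in audit(["198.51.100.7"], TAMPERED_SCRIPT, pinned, EXPECTED_HOST_ADDRS):
        print("ALERT:", finding)
```

A pin like this fails closed on any change, including the vendor's own legitimate updates, so it is a control the embedding site has to maintain with every release of the script; and `crossorigin="anonymous"` only works when the script host sends CORS headers, otherwise the browser refuses the script even when the digest matches.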

Using Monero-mining scripts on websites has become so popular that CloudFlare itself has begun cracking down on sites that don't give users control over whether their CPUs are used to mine the cryptocurrency. A recent report from Adguard claims that 0.22% of the top 100,000 websites on Alexa.com run Monero-mining code, and not all of them ask for permission.

Hackers used a reused, previously leaked password

Coinhive pointed out that the weakness that gave the hackers access to its CloudFlare account was not a software flaw but a reused password, one that had been leaked in the 2014 Kickstarter data breach. The company says it has since learned hard lessons about security and uses 2FA and unique passwords for all of its services, but the CloudFlare account, which was years old, had reportedly been neglected and never updated.

To compensate users, the company plans to reimburse their lost revenue by crediting everyone with an additional 12 hours of their daily average hashrate, so that the only party losing money from Coinhive's mistake is Coinhive itself.

Through websites such as “Have I Been Pwned” it is possible to check whether an e-mail address appears in the various data breaches that have been published over the years. According to the site's data, there are over 4 billion compromised accounts online.
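Have I Been Pwned also exposes breached passwords themselves, which is the check that would have caught Coinhive's reused Kickstarter password before an attacker did. The following is an added example, not part of the original article and not Coinhive's code: it queries the Pwned Passwords range API using k-anonymity, sending only the first five hex characters of the password's SHA-1 and finishing the match locally, so the password never leaves the machine. The endpoint URL is the real one; the sample response body is constructed, with made-up counts, so the example runs offline.

```python
"""Check a password against the Pwned Passwords range API (k-anonymity).

Added example, not part of the original article. Only the first five hex
characters of SHA-1(password) are sent; the API returns every hash suffix in
that range with its breach count, and the match is completed locally.
"""
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6. The line format ("SUFFIX:COUNT")
# matches the API, but these suffixes and counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, skipping blank or malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not line or not sep:
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch the range for a 5-char prefix. Add-Padding asks the service to pad
    the response with zero-count entries so response size leaks nothing."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """Return how many times the password appears in known breaches (0 = not seen).
    fetch_range is injectable so the lookup can be tested against a canned body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    import getpass

    # Offline demonstration against the constructed sample range.
    offline = lambda p: SAMPLE_RANGE_5BAA6 if p == "5BAA6" else ""
    print("offline check for 'password':", pwned_count("password", offline))

    # Live check: prompts without echo, sends only the 5-char prefix.
    candidate = getpass.getpass("Password to check (sent as SHA-1 prefix only): ")
    n = pwned_count(candidate)
    print("seen in breaches %d times" % n if n else "not found in Pwned Passwords")
```

A count above zero means the password is in a published breach corpus and should be treated as known to attackers, whatever its age; the Coinhive case shows that a 2014 leak was still usable in 2017. The same range query can be run over a whole credential store at account-creation or password-change time without ever shipping the passwords to a third party.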