Published for the IEEE Security & Privacy on the Blockchain workshop at University College London (UCL) by researchers Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, and Jeremy Clark, the report seeks to answer the ethical question of whether cryptojacking should be considered an “attack or business opportunity.”
The researchers write that the world has recently seen a “rejuvenation of browser-based mining.” The practice had initially been replaced by mining with ASIC chips as Bitcoin (BTC) mining became increasingly energy-intensive and thus expensive, but has made a comeback after the emergence of “ASIC-resistant” cryptocurrencies.
Coinhive, which was launched in 2017 to mine the “ASIC-resistant” altcoin Monero, initially did not require consent before running its mining code. This led to it being used “maliciously,” and as a result it was added to malware lists.
The report considers crypto browser mining initiated by a webmaster who doesn’t ask for user consent to be “invisible abuse.” Showtime exemplified this in September of last year, when it was secretly running Coinhive on two of its associated websites. In the aftermath of the discovery, Coinhive promised to ask users for consent before mining with their processing power.
In response to companies blocking the Coinhive script due to its link to “malicious” use, Coinhive added a service called Authedmine, which requires a user to consent to mining via their browser.
According to the report, ethical problems remain even when a user voluntarily consents to their CPU being used for mining, as the user might not fully understand what they are agreeing to. While they might benefit from a lack of ads or higher quality video streaming on the site, they could also be stuck with “higher energy bills, along with accelerated device degradation, slower system performance, and a poor web experience.”
Most recently, Coinhive was tied to Telecom Egypt, which was reportedly secretly manipulating Egyptian users’ internet traffic to redirect them to sites with crypto mining scripts.