23% Of Organizations Globally Affected By Crypto-Mining Malware, Says Cybersecurity Firm

By Aubrey Swanson
Organizations worldwide are grappling with a surging threat landscape dominated by illicit cryptocurrency-mining software. Research from Check Point reveals that during the month of January, roughly one in every five enterprises encountered Coinhive—the leading variant of this malicious code—representing approximately 23% of the global business sector.

The security intelligence firm identified three separate strains of coin-mining threats occupying positions within its compilation of the ten most damaging attack vectors. Beyond Coinhive's top ranking, JSEcoin secured fifth place while Cryptoloot landed in eighth position. These programs function by conscripting a victim's processing capabilities to generate digital currencies without authorization, exploiting both CPU and GPU resources for criminal profit.

The Coinhive implementation operates through embedded JavaScript code that consumes substantial computational capacity, degrading system performance considerably. In some scenarios, the software can monopolize up to 65 percent of a machine's processing power. A particularly troubling development involves deliberate placement of these programs onto high-traffic destinations—especially platforms focused on video streaming and data exchange.

Last week marked a notable case when the news publication Salon introduced a system targeting users running advertisement-blocking software. Visitors encounter a choice: either disable their protective tools or activate a "suppress ads" feature that ostensibly grants Salon access to idle computational cycles. Behind the scenes, the outlet deploys Coinhive technology to harvest the cryptocurrency Monero.

"The resource drain resembles a perfect storm for network defense," explained Maya Horowitz, heading threat analysis operations at Check Point. "Because these programs often hide within legitimate web properties, attackers gain access to enormous processing pools already present throughout corporate infrastructure. The trend has intensified sharply in recent months as criminal syndicates recognize the financial potential."

Recent incidents underscore the expanding scope of the threat. Kaspersky researchers disclosed that the Windows iteration of Telegram contained a weakness allowing threat actors to force installations of mining applications alongside surveillance code. The exploitation window extended back to spring 2017, targeting users of Monero and Zcash. This month, attackers also successfully compromised numerous online properties operated by American and British governmental bodies through manipulation of Browsealoud, a widely deployed accessibility platform created by Texthelp, a technology company based in the United Kingdom. Security expert Scott Helme identified the campaign, which inserted mining instructions enabling visitor computers to generate Monero.

MiningPool content is intended for information and educational purposes only and does not constitute financial, investment, or legal advice.
