Search analytics firm Ahrefs recently conducted a sweeping examination of 175 million websites to quantify the prevalence of unwanted cryptocurrency mining occurring on web pages. The practice, known
Search analytics firm Ahrefs recently conducted a sweeping examination of 175 million websites to quantify the prevalence of unwanted cryptocurrency mining occurring on web pages. The practice, known as cryptojacking, represents a persistent threat to both site operators and visitors, as malicious actors inject mining code into pages to siphon computational resources for profit without consent.
These mining scripts leverage visitor CPU and GPU capacity alongside their electricity consumption, funneling generated coins to anonymous wallet addresses controlled by attackers. However, site proprietors may also deliberately embed such scripts—again, without visitor notification—to monetize their traffic through computational processing power. In either scenario, browsing users typically remain ignorant unless they observe sluggish system performance or notice elevated processor demand.
Ahrefs deployed Wappalyzer, a technology identification tool, to scan its entire database and detect 14 known cryptocurrency mining implementations. The investigation turned up 23,872 distinct domains harboring such scripts. Remarkably, 93.82% utilized Coinhive, a single dominant mining provider. By cross-referencing organic search traffic data, Ahrefs determined that roughly 91% of compromised sites attracted fewer than 50 monthly visitors from Google—audiences largely unaware their machines were generating cryptocurrency.
Several factors explain this minimal traffic footprint. Attackers frequently target defunct or poorly maintained properties with security gaps. Major platforms, by contrast, face higher protection standards and avoid the reputational damage such schemes invite. Additionally, established websites command superior advertising rates, diminishing incentives to pursue mining revenue. Most affected domains fell outside Ahrefs' 100,000-site ranking threshold, as measured by their Domain Rating metric, which weights incoming link authority and quantity.
Subdomains comprised 1,308 of the 23,872 infected sites, with 1,257 hosted on Blogspot. Security researcher Troy Mursch's Bad Packets Report identified 43,000 mining-enabled websites using the PublicWWW database—a 17.5% larger sample—though it screened for only five mining scripts. The discrepancy partly reflects PublicWWW's historical architecture, which includes inactive properties. Extrapolating from Ahrefs' findings suggests roughly one website per 7,353 worldwide operates mining code, often older properties with minimal visitor bases.
Affected users endure wear on hardware and elevated power consumption. Standard antivirus and operating system defenses typically fail to flag browser-based mining. Detecting the practice requires manual observation of resource spikes through tools like Chrome Task Manager. Protection exists through browser extensions including minerBlock and No Coin, both capable of filtering out mining implementations.
