Web-based Cryptojacking in the Wild
This addresses the problem of covert resource abuse for web users and security practitioners, providing empirical data on a growing threat.
The paper systematically studied the prevalence of cryptojacking, a parasitic computing form where websites abuse visitors' resources to mine cryptocurrencies, finding that 1 out of 500 sites hosts a mining script. It also analyzed code characteristics, estimated revenue, and evaluated countermeasures.
With the introduction of memory-bound cryptocurrencies, such as Monero, the implementation of mining code in browser-based JavaScript has become a worthwhile alternative to dedicated mining rigs. Based on this technology, a new form of parasitic computing, widely called cryptojacking or drive-by mining, has gained momentum in the web. A cryptojacking site abuses the computing resources of its visitors to covertly mine for cryptocurrencies. In this paper, we systematically explore this phenomenon. For this, we propose a 3-phase analysis approach, which enables us to identify mining scripts and conduct a large-scale study on the prevalence of cryptojacking in the Alexa 1 million websites. We find that cryptojacking is common, with currently 1 out of 500 sites hosting a mining script. Moreover, we perform several secondary analyses to gain insight into the cryptojacking landscape, including a measurement of code characteristics, an estimate of expected mining revenue, and an evaluation of current blacklist-based countermeasures.