Troubled cryptomining software Coinhive announced it was shutting down service, but experts don't believe the company is telling the whole story.
The Coinhive shutdown is scheduled for March 8 and, according to the development team, the decision to discontinue was due to the crash of the cryptocurrency market and the pending hard fork of Coinhive's cryptocurrency of choice, Monero.
The idea behind Coinhive was to embed cryptomining code into websites and use the processing power of the users who visit the site to mine Monero. Coinhive took 30% of the Monero mined and the websites kept the rest, with the idea that the website could then move to ad-free content models or add rewards for users.
However, poor implementation, along with malware that carried the same name and used the same code, led to problems for Coinhive. Cybersecurity companies such as Malwarebytes and Check Point Software Technologies labeled the code as malicious, just like other cryptojacking code. Check Point listed Coinhive as No. 1 in its Most Wanted Malware list for December.
Jérôme Segura, head of threat intelligence at Malwarebytes, said the problem with Coinhive was that it ran "without user consent from the very beginning" and threat actors were abusing the service, something not mentioned in the Coinhive shutdown blog post.
"There was a great business opportunity that was missed. If AuthedMine [user consent] had been introduced right from the beginning, with the explicit notification and consent, this could have been an entirely different story today," Segura said. "Our rationale is to protect our users from malware and other risks to their computers, especially when it is running without their knowledge."
Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks, believed there was "some truth" to the argument presented in Coinhive's announcement.
"I believe Coinhive's model has some opportunities of success, but it highly depends on the cryptocurrency valuation. Monero, having dropped considerably in value in the past 12 months, made it an insecure source of revenue for legitimate mining websites," Hahad said. "But, in my mind, the main reason is that most security products block Coinhive. This has been driven by the fact that cyberthreat actors took advantage of the platform to illegally hijack browsers for mining Monero cryptocurrency. The malware label was well-deserved after that and an alternative implementation was never proposed that would only allow legitimate mining to occur on the platform."
Segura added that Coinhive's shutdown might have been inevitable given the reputational damage the company suffered.
"There is no doubt that the fork and the decrease in value of cryptocurrencies had an impact on the Coinhive shutdown. From a threat landscape perspective, we noted that website compromises where a miner was injected became far less common in the second half of 2018 and really died down in late 2018. In addition, I believe Coinhive never recovered from the negative image it quickly earned and was blocked by the majority of security products and many browser extensions," Segura said. "Coinhive did appear to respond to abuse, but too late in the game. The 'cryptojacking' phenomenon was born and criminals essentially replicated the same formula elsewhere."