UFC in Hot Water as Monero Miner Found on Official Website

A cryptocurrency miner was discovered running on the ufc.tv website, UFC’s official pay-per-view service, affecting both paying and non-paying customers. Visitors to the site fell victim to malicious code that secretly used up all of their processor resources in the background. It later turned out that this code mined Monero, the privacy-focused cryptocurrency, for the duration of the victim’s stay on the UFC website.

These days, Bitcoin mining is usually reserved for specific hardware running in server farms. Mining Bitcoin alone on ordinary computers has been unprofitable for several years now. This problem does not affect all cryptocurrencies, though, and the one used in this case is among those it does not affect.

Some cryptocurrencies are specifically designed not to require specialized hardware to mine, in a bid to achieve true decentralization. Monero is one of them, and that is exactly what Coinhive, a JavaScript-based miner, has been taking advantage of. The miner runs in a web browser and doesn’t make itself visible. It just sits invisibly in the background while consuming precious CPU resources. By leveraging the power of tens of thousands of computers visiting that particular website at any given time, the payout for the website owner would be massive.

A Reddit user, “gambledub”, noticed his antivirus notifying him of the Coinhive script and posted about the incident online. He reached out to UFC by email soon after for a comment on the topic.

One day after gambledub’s Reddit post gained popularity, UFC replied to his email stating that they had found no evidence of Coinhive’s JavaScript within their site’s code. This, however, seems unlikely, since there have been multiple reports of similar behavior on the ufc.tv website. At least the code responsible for the mining seems to be gone.

Browser-based JavaScript miners have only recently gained popularity, especially after the notorious torrent website The Pirate Bay secretly implemented one in September 2017. Since then, a number of websites have added and experimented with the miners. Most websites got rid of them almost immediately due to poor user experience or complaints. Some continue to stand by this move, however, justifying it as an additional source of revenue when advertisements prove to be insufficient.

One thing of note, though, is that most websites implementing these background miners tend to be linked to piracy or other dubious activity. This incident is one of the few to be found on a commercial website, which further points to possible nefarious activity.

Secretive cryptocurrency miners are new only to web browsers, though. Desktop applications have been used to run Bitcoin miners for several years now, as this story from PC Gamer from 2013 demonstrates. The legal complications that come with bundling Bitcoin miners are also massive. The incident in that story led to the company involved being sued by users who claimed that prolonged mining left their computers permanently damaged.

At the end of the day, the UFC incident has only further underscored the need for antivirus software and content blockers that stop JavaScript code such as Coinhive’s from running at all.