New academic research has discovered that embedded cryptocurrecy miner CoinHive is generating $250,000 worth of Monero every month – most of it going to just 10 individuals.

The research, released by RWTH Aachen University in Germany, provides an extensive overview of browser-mining activity across the internet. Among other things, it reveals that Monero accounts for 75 percent of all browser-based cryptocurrency mining.

Typically, CoinHive is doing the mining. It’s a script that mines Monero directly from your browser, and it’s become quite controversial. Charities have been using it to raise money for good causes, while crypto-jackers and hackers have been using it for evil.

Academics Jan Rüth, Torsten Zimmermann, Konrad Wolsing, and Oliver Hohlfeld have dissected internet traffic to determine just how prevalent in-browser cryptocurrency mining really is. The paper cites previous research conducted by S. Eskandari, A. Leoutsarakos, T. Mursch, and J. Clark, who are described as being the “first to academically investigate browser-based mining.”

CoinHive is raking it in

Not only is CoinHive profitable, but its ad-hoc browser-mining botnet is responsible for 1.18 percent of the entire Monero network. An analysis of the overall hash rate and network statistics suggests that CoinHive generates over 300 XMR (approximately $24,000) each week.

If we sum up the block rewards of the actually mined blocks over the observation period of [four] weeks, we find that Coinhive [sic] earned 1,271 XMR. Similar to other cryptocurrencies, Monero’s exchange-rate fluctuates heavily, at time of writing one XMR is worth 200 USD, having peaked at 400 USD at the beginning of the year. Thus, given the current exchange-rate, Coinhive [sic] mines Moneros worth around $250,000 per month […].

Keep in mind, that CoinHive keeps 30 percent of all mined XMR for themselves… that’s a whopping $75,000 every month, almost a million dollars in annual income.

Most of the XMR is going to a small group

CoinHive runs through ‘short’ links which work pretty much the same as a regular link – except that in order to reach the destination, the users machine must first perform some hashes (mine some Monero). It should be pointed out that the number of hashes required to resolve a link is set manually by its creator, meaning it varies depending on the link.

Through an extensive scrape of the CoinHive’s link database, they found almost two million active short links currently forcing Monero mining. Most link to video streams or dodgy filesharing sites, indicating just how sneaky crypto-jackers can be.

What’s even more alarming is that all the Monero seems to be going to less than a dozen individuals.

Coinhive’s [sic] link forwarding service is dominated by links from only 10 users. They mostly redirect to streaming videos and filesharing sites. We find that most short links can be resolved within minutes, however, some links require millions of hashes to be computed which is infeasible.

The fact that certain links are set to never resolve is certainly noteworthy. It suggests that users may not be aware that their browser is actively mining Monero. We already know that 200,000 routers have been injected with modified CoinHive code to mine cryptocurrency in the background of literally every page visited.

Oh – and the research found that “most crypto miners are present on adult websites,” so no matter what, it’s probably best to quickly protect yourself against crypto-jacking.

Security researcher Troy Mursch recommends browser extension minerBlock, which uses both a blacklist and JavaScript detection to ensure you’re not mining any cryptocurrency unawares.

And if you click on a short link that doesn’t take you anywhere – don’t wait for it to load like a sucker, you’re probably making a small group of people very rich.

(Edit: This piece has been updated to ensure proper credit has been given to security researchers S. Eskandari, A. Leoutsarakos, T. Mursch, and J. Clark.)