Cryptojacking, which exploded in popularity this fall, has an ostensibly worthy goal: Use an untapped resource to create an alternative revenue stream for games or media sites, and reduce reliance on ads. It works by embedding a JavaScript component in a website that can leverage a visiting device's processing power to mine a cryptocurrency (usually Monero). Each visitor might only do a tiny bit of mining while they're there, but every user lending some hash power over time can generate real money. And users might not even notice what's happening. In theory, it can be a win-win. In practice, not so much.

As cryptojacking has spread around the web—largely thanks to the original "in-browser miner," Coinhive, and its copycats—implementations have generally not lived up to those lofty aims. Instead, the technique is used to exploit unknowing people's resources, both their hardware and electric bills, and it is increasingly blocked as malware by scanners and ad-blockers. So far, efforts to keep cryptojacking on the straight and narrow have largely fizzled.

Easy Money

Cryptojacking doesn't require a download, starts instantly, and works efficiently. Making it even more insidious, hackers can sneak a mining component onto unsuspecting websites and pilfer cryptocurrency off of the legitimate site's traffic. Illicit cryptojacking software has plagued unsuspecting sites like Politifact and Showtime. In one especially glaring incident from early December, a customer using the public Wi-Fi at a Buenos Aires Starbucks discovered that someone had manipulated the Wi-Fi system, delaying the connection in order to mine Monero with shoppers' devices.

Despite those high-profile sneak attacks, researchers say that most cryptojacking is intentional, and that the practice is evolving in concerning ways.

"There was a steady increase in CoinHive usage through late November and early December, presumably driven by the surge in cryptocurrency valuations," says Paul Ducklin, senior technologist at the security firm Sophos. "It's hard to guess the motivation of an unknown website operator, but based on an analysis of our detection data for the month of November, most coinmining sites were doing it on purpose, and a significant majority were taking all the CPU they could get."

Those elevated processing demands can do real damage to victim devices over time. One type of Android malware, called Loapi, mines cryptocurrency so intensely that it can cause physical harm to the devices it runs on.


And since cryptojacking is so new, hackers still constantly develop innovations to maximize their intake. For example, Coinhive charges fees to website operators who use its mining script. So hackers have been avoiding those and dodging detection by malware scanners and ad blockers by hosting their own mining intermediary for JavaScript components to call back to. Scanners and blockers can easily blacklist anything talking to Coinhive, but it's much more difficult to keep up with an endless list of independent hosts.
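To make the blacklist problem concrete, here is an added example (not code from Coinhive or from any scanner mentioned in this article) that checks constructed pages two ways: against a script-host blocklist, and against a content heuristic that does not care where the script is hosted. The blocklist entries, marker list, threshold and sample pages are all assumptions made for illustration.

```javascript
// Added example: host blocklist vs. content heuristic for in-browser miners.
// Blocklist entries, markers and threshold are illustrative assumptions.
const BLOCKED_HOSTS = ['coinhive.com', 'authedmine.com'];
const MARKERS = [
  /WebAssembly\.(instantiate|compile)/, // hashing code shipped as wasm
  /new\s+Worker\s*\(/,                  // one worker per CPU thread
  /navigator\.hardwareConcurrency/,     // sizing thread count to the CPU
  /new\s+WebSocket\s*\(\s*['"]wss?:/,   // callback to a pool or intermediary
  /cryptonight|stratum/i,               // Monero hashing / pool protocol names
];
const THRESHOLD = 3; // assumed: several markers together, never one alone

// Hostnames of every <script src=...>; relative URLs resolve to the page itself.
function scriptHosts(html) {
  const hosts = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)) {
    try { hosts.push(new URL(m[1], 'https://page.invalid').hostname); } catch { /* skip bad URL */ }
  }
  return hosts;
}

// Bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  return [...html.matchAll(/<script(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
}

function scanPage(html) {
  const blockedHost = scriptHosts(html).some(h =>
    BLOCKED_HOSTS.some(b => h === b || h.endsWith('.' + b)));
  const score = Math.max(0, ...inlineScripts(html).map(js =>
    MARKERS.filter(re => re.test(js)).length));
  return { blockedHost, score, suspicious: blockedHost || score >= THRESHOLD };
}

// Constructed sample pages (not captured from real sites).
const SAMPLES = {
  hostedMiner: '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
  selfHosted: `<script src="/static/app.js"></script><script>
    const n = navigator.hardwareConcurrency;
    const ws = new WebSocket("wss://cdn.example.net/p");
    for (let i = 0; i < n; i++) new Worker("/static/w.js");
    WebAssembly.instantiate(bytes);</script>`,
  chatWidget: '<script>const ws = new WebSocket("wss://chat.example.org/");</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) console.log(name, scanPage(html));
```

The self-hosted page passes the host check untouched and is caught only by the content score, while the chat widget, which shares one marker with it, stays below the threshold.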

In another innovation from November, security researchers at Malwarebytes Labs discovered that some cryptojackers had found a way to persist even after users closed the mining tab. To do so, the cryptojacker opens a stealthy browser window called a "pop-under" that hides behind the Windows taskbar clock.

No Remedy

Coinhive responded to criticisms about lack of transparency by releasing a new version of its JavaScript miner called AuthedMine. Instead of running automatically and invisibly, AuthedMine takes the novel step of actually asking permission to run. But while that type of disclosure mechanism could legitimize cryptojacking, researchers say that it hasn't gained much ground—and that it will be difficult, if not impossible, to completely rein more aggressive models in.

Coinhive concedes that its attempt to close Pandora's box with the AuthedMine version hasn't quite worked so far, in part because adblockers and antivirus treat it the same way they do any other cryptojacker.

"At this point we have to consider AuthedMine to only be a partial success," the company said in a statement to WIRED. "Most adblockers have now blocked AuthedMine, despite our best intentions. Even some antiviruses (like Norton) consider AuthedMine as a threat now—which entirely defeats the purpose of using AuthedMine instead of our original implementation. We're looking for other ways to make this work."