MineSweeper: An In-depth Look into Drive-byCryptocurrency ...MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining CCS ’18, October 15–19, 2018, Toronto, ON, Canada

MineSweeper An In-depth Look into Drive-byCryptocurrency Mining and Its Defense

Radhesh Krishnan KonothVrije Universiteit Amsterdam

rkkonothvunl

Emanuele VinetiVrije Universiteit Amsterdamemanuelevinetigmailcom

Veelasha MoonsamyUtrecht Universityemailveelashaorg

Martina LindorferTU Wien

martinaiseclaborg

Christopher KruegelUC Santa Barbarachriscsucsbedu

Herbert BosVrije Universiteit Amsterdam

herbertbcsvunl

Giovanni VignaUC Santa Barbaravignacsucsbedu

ABSTRACTA wave of alternative coins that can be effectively mined withoutspecialized hardware and a surge in cryptocurrenciesrsquo market valuehas led to the development of cryptocurrencymining (cryptomining)services such as Coinhive which can be easily integrated intowebsites to monetize the computational power of their visitorsWhile legitimate website operators are exploring these services asan alternative to advertisements they have also drawn the attentionof cybercriminals drive-by mining (also known as cryptojacking)is a new web-based attack in which an infected website secretlyexecutes JavaScript code andor a WebAssembly module in theuserrsquos browser to mine cryptocurrencies without her consent

In this paper we perform a comprehensive analysis on AlexarsquosTop 1Million websites to shed light on the prevalence and profitabil-ity of this attack We study the websites affected by drive-by miningto understand the techniques being used to evade detection and thelatest web technologies being exploited to efficiently mine crypto-currency As a result of our study which covers 28 Coinhive-likeservices that are widely being used by drive-by mining websiteswe identified 20 active cryptomining campaigns

Motivated by our findings we investigate possible countermea-sures against this type of attackWe discuss how current blacklistingapproaches and heuristics based on CPU usage are insufficient andpresent MineSweeper a novel detection technique that is basedon the intrinsic characteristics of cryptomining code and thusis resilient to obfuscation Our approach could be integrated intobrowsers to warn users about silent cryptomining when visitingwebsites that do not ask for their consent

CCS CONCEPTSbull Security and privacyrarr Browser securityMalware and itsmitigation bull Social and professional topicsrarr Computer crime

KEYWORDScryptocurrency mining cryptojacking drive-by attacks malware

CCS rsquo18 October 15ndash19 2018 Toronto ON Canadacopy 2018 Copyright held by the ownerauthor(s) Publication rights licensed to ACMThis is the authorrsquos version of the work It is posted here for your personal use Not forredistribution The definitive Version of Record was published in CCS rsquo18 2018 ACMSIGSAC Conference on Computer amp Communications Security Oct 15ndash19 2018 TorontoON Canada httpsdoiorg10114532437343243858

ACM Reference FormatRadhesh Krishnan Konoth Emanuele Vineti Veelasha Moonsamy MartinaLindorfer Christopher Kruegel Herbert Bos and Giovanni Vigna 2018MineSweeper An In-depth Look into Drive-by Cryptocurrency Miningand Its Defense In CCS rsquo18 2018 ACM SIGSAC Conference on Computer ampCommunications Security Oct 15ndash19 2018 Toronto ON Canada ACM NewYork NY USA 18 pages httpsdoiorg10114532437343243858

1 INTRODUCTIONEver since its introduction in 2009 Bitcoin [47] has attracted theattention of cybercriminals due to the possibility to perform andreceive anonymous payments In addition the financial rewardfor using computing power for mining has incentivized criminalsto experiment with silent cryptocurrency miners (cryptominers)which gained popularity among malware authors who were afterall already in the business of compromising PCs and herding largenumbers of them in botnets However as Bitcoinmining became toodifficult for regular machines the profits of mining botnets dwin-dled and Bitcoin-mining botnets declined an analysis by McAfeein 2014 suggested that malicious miners are not profitable on PCsand certainly not on mobile devices [37]

Since then a wave of alternative coins (altcoins) has been in-troduced the market now counts over 1500 cryptocurrencies outof which more than 600 see an active trade At the time of writ-ing they represent over 50 of the cryptocurrency market [24]Unlike Bitcoin many of them are still mineable without special-ized hardware Furthermore miners can organize themselves intomining pools which allow members to distribute mining tasks andshare the rewards These new currencies and an overall surge inmarket value across cryptocurrencies at the end of 2017 [26] hasrenewed interest in cryptominers and led to the proliferation ofcryptomining services such as Coinhive [5] which can easily beintegrated into a website to mine on its visitorsrsquo devices fromwithinthe browser

For cybercriminals these services provide a low-effort way tomonetize websites as part of drive-by mining (or cryptojacking)attacks they either compromise webservers (through exploits [1539 50 62 65] or taking advantage of misconfigurations [49]) andinstall JavaScript-based miners distribute their miners throughadvertisements (including Googlersquos DoubleClick on YouTube [28]and the AOL advertising platform [41]) or compromise third-partylibraries [71] included in numerous websites Attackers also havecome up with creative tactics to conceal their attack for example

CCS rsquo18 October 15ndash19 2018 Toronto ON Canada R K Konoth E Vineti V Moonsamy M Lindorfer C Kruegel H Bos G Vigna

by using ldquopop-underrdquo windows [27] (to maximize the time a vic-tim spends on the mining website) or by abusing Coinhiversquos URLshortening service [77] Finally rogue WiFi hotspots [20] and com-promised routers [35] allow attackers to inject the mining payloadon a large scale into any website that their users visit

However in-browser mining is not malicious per-se charitiessuch as UNICEF [40] launched dedicated websites to mine for dona-tions and legitimate websites are exploring mining in an attempt tomonetize their content in the presence of ad blockers [58] Whetherusers accept cryptocurrency miners as an alternative to invasiveadvertisements which raise privacy concerns due to wide-spreadtargeting and tracking [19 43 52] remains to be seen For themin-browser mining degrades their systemrsquos performance and in-creases its power consumption [51] Therefore the key distinctionbetween these use cases and drive-by mining attacks is user con-sent and whether a website discloses its mining activity or not Forexample as a way to enforce user consent for in-browser miningCoinhive launched AuthedMine [6] which explicitly requires userinput However a related study has found that this API has not yetfound widespread adoption [60] Related work also suggested theintroduction of a ldquodo not minerdquo HTTP header [25] which howeverwebsites do not necessarily need to honor

To study the prevalence of drive-by mining attacks ie in-browser mining without requiring any user interaction or consentwe performed a comprehensive analysis of Alexarsquos Top 1 Millionwebsites [3] As a result of our study which covers 28 Coinhive-likeservices we identified 20 active cryptomining campaigns In con-trast to a previous study which found cryptomining on low-valuetargets such as parked websites and concluded that cryptomin-ing was not very profitable [25] we find that cryptomining canindeed make economic sense for an attacker We identified severalvideo players used by popular video streaming websites that in-clude cryptomining code and which maximize the time users spendon a website mining for the attackermdashpotentially earning morethan US$ 30000 a month Furthermore we found that instead ofJavaScript-based attacks drive-by mining now largely takes advan-tage of WebAssembly (Wasm) to efficiently mine cryptocurrenciesand maximize profits

As a countermeasure browsers [21 67 73] dedicated browserextensions [10 11] and ad blockers have started to use blacklistsHowever maintaining a complete blacklist is not scalable and itis prone to false negatives These blacklists are often manuallycompiled and are easily defeated by URL randomization [59] anddomain generation algorithms (DGAs) which are already activelybeing used in the wild [74] Other detection attempts look for highCPU usage as an indicator that cryptocurrency mining is takingplace This not only causes false positives for other CPU-intensiveuse cases but also causes false negatives as cryptocurrency minershave started to throttle their CPU usage to evade detection [25]

In this work we focus on Wasm-based mining the most efficientand widespread technique for drive-by mining attacks We proposeMineSweeper a drive-by mining defense that is based on identify-ing the intrinsic characteristics of the mining itself the execution ofits hashing function Our first approach is to perform static analysison the Wasm code and to identify the hashing code based on thecryptographic operations it performs Currently attackers avoidheavy obfuscation of the Wasm code as it comes with performance

penalties and hence decreases profits To deal with future evasiontechniques we present a second more obfuscation-resilient detec-tion approach by monitoring CPU cache events at run time we canidentify cryptominers based on their memory access patterns

As browsers are currently struggling to find a suitable alternativeto blacklists [29] the techniques used byMineSweeper could beadopted as a defense mechanism against drive-by mining for exam-ple by warning users and enforcing their consent before allowingmining scripts to execute or blocking mining scripts altogetherIn summary we make the following contributionsbull We perform the first in-depth assessment of drive-by miningbull We discuss why current defenses based on blacklisting andCPU usage are ineffectivebull We propose MineSweeper a novel detection approach basedon the identification of cryptographic functions through staticanalysis and monitoring of cache events during run time

In the spirit of open science we make the collected datasets and thecode we developed for this work publicly available at httpsgithubcomvusecminesweeper

2 BACKGROUNDA cryptocurrency is a medium of exchange much like the Euroor the US Dollar except that it uses cryptography and blockchaintechnology to control the creation of monetary units and to verifythe transaction of a fund Bitcoin [47] was the first such decentral-ized digital currency A cryptocurrency user can transfer money toanother user by forming a transaction record and committing it toa distributed write-only database called blockchain The blockchainis maintained by a peer-to-peer network ofminers A miner collectstransaction data from the network validates it and inserts it intothe blockchain in the form of a block When a miner successfullyadds a valid block to the blockchain the network compensates theminer with cryptocurrency (eg Bitcoins) In the case of Bitcointhis process is called Bitcoin mining and this is how new Bitcoinsenter circulation Bitcoin transactions are protected with crypto-graphic techniques that ensure only the rightful owner of a Bitcoinwallet address can transfer funds from it

To add a block (ie a collection of transaction data) to theblockchain a miner has to solve a cryptographic puzzle basedon the block This mechanism prevents malicious nodes from try-ing to add bogus blocks to the blockchain and earn the rewardillegitimately A valid block in the blockchain contains a solutionto a cryptographic puzzle that involves the hash of the previousblock the hash of the transactions in the current block and a walletaddress to credit with the reward

21 Cryptocurrency Mining PoolsThe cryptographic puzzle is designed such that the probabilityof finding a solution for a miner is proportional to the minerrsquoscomputational power Due to the nature of the mining process theinterval between mining events exhibits high variance from thepoint of view of a single miner Consequently miners typicallyorganize themselves into mining pools All members of a pool worktogether to mine each block and share the reward when one ofthem successfully mines a block

MineSweeper An In-depth Look into Drive-by Cryptocurrency Mining CCS rsquo18 October 15ndash19 2018 Toronto ON Canada

The protocol used by miners to reliably and efficiently fetch jobsfrom mining pool servers is known as Stratum [63] It is a cleartextcommunication protocol built over TCPIP using a JSON-RPC for-mat Stratum prescribes that miners who want to join the miningpool first send a subscription message describing the minerrsquos capa-bility in terms of computational resources The pool server thenresponds with a subscription response message and the miner sendsan authorization request message with its username and passwordAfter successful authorization the pool sends a difficulty notifica-tion that is proportional to the capability of the minermdashensuringthat low-end machines get easier jobs (ie puzzles) than high-endones Finally the pool server assigns these jobs by means of jobnotifications Once the miner finds a solution it sends it to the poolserver in the form of a share The pool server rewards the minerin proportion to the number of valid shares it submitted and thedifficulty of the jobs

22 In-browser CryptominingThe idea of cryptomining by simply loading a webpage usingJavaScript in a browser exists since Bitcoinrsquos early days How-ever with the advent of GPU- and ASIC-based mining browser-based Bitcoin mining which is 15x slower than native CPU min-ing [25] became unprofitable Recently the cause for the declineof JavaScript-based cryptocurrency miners has subsided due tonew CPU-mineable altcoins and increasing cryptocurrency marketvalue it is now profitable to mine cryptocurrencies with regularCPUs again In 2017 Coinhive was the first to revisit the idea ofin-browser mining They provide APIs to website developers forimplementing in-browser mining on their websites and to use theirvisitorsrsquo CPU resources to mine the altcoin Monero Monero em-ploys the CryptoNight algorithm [61] as its cryptographic puzzlewhich is optimized towards mining by regular CPUs and providesstrong anonymity hence it is ideal for in-browser cryptomining1Moreover the development of new web technologies that havebeen happening in parallel allows for more efficientmdashand thusprofitablemdashmining in the browser

23 Web TechnologiesWeb developers continuously strive to deploy performance-criticalparts of their application in the form of native code and run itinside the browser securely As such there are on-going researchand development efforts to improve the performance of native codeexecution in the web browser [32 68] Naturally the developersof JavaScript-based cryptominers started exploiting these advance-ments in web technologies to speed up drive-by mining thus takingadvantage of two web technologies asmjs andWebAssembly

In 2013 Mozilla introduced asmjs which takes CC++ codeto generate a subset of JavaScript code with annotations that theJavaScript engine can later compile to native code To improvethe performance of native code in the browser even further in2017 the World Wide Web Consortium developed WebAssembly(Wasm) Any CC++Rust-based application can be easily convertedto Wasm a binary instruction format for a stack-based virtual1Note that Monero is not the only altcoin that uses the CryptoNight algorithm mostCPU-mineable coins that exist today such as Bytecoin Bitsum Masari Stellite AEONGraft Haven Protocol Intense Coin Loki Electroneum BitTube Dero LeviarCoinSumokoin Karbo Dinastycoin and TurtleCoin are based on CryptoNight

machine and executed in the browser at native speed by takingadvantage of standard hardware capabilities available on a widerange of platforms Today all four major browsers (Firefox ChromeSafari and Edge) support Wasm

The main difference between asmjs andWasm is in the way inwhich the code is optimized In asmjs the JavaScript Just-in-Time(JIT) compiler of the browser converts the JavaScript to an AbstractSyntax Tree (AST) Then it compiles the AST to non-optimizednative code Later at run time the JavaScript JIT engine looksfor slow code paths and tries to re-optimize this code at run timeThe detection and re-optimization of slow code paths consume asubstantial amount of CPU cycles In contrast Wasm performs theoptimization of the whole module only once at compile time As aresult the JIT engine does not need to parse and analyze the Wasmmodule to re-optimize it Rather it directly compiles the module tonative code and starts executing it at native speed

24 Existing Defenses against Drive-by MiningUntil now there is no reliable mechanism to detect drive-by miningThe developers of CoinBlockerLists [4] maintain a blacklist of min-ing pools and proxy servers that they manually collect from reportson security blogs and Twitter Dr Mine [8] attempts to block drive-by mining by means of explicitly blacklisted URLs (based on forexample CoinBlockerLists) In particular it detects JavaScript codethat tries to connect to blacklisted mining pools MinerBlock [10]further combines blacklists with detecting potential mining codeinside loaded JavaScript files Both approaches suffer from highfalse negatives as we show in our analysis most of the drive-bymining websites are using obfuscated JavaScript and randomizedURLs to evade the aforementioned detection techniques

Google engineers from the Chromium project recently acknowl-edged that blacklisting does not work and that they are lookingfor alternatives [29] Specifically they considered adding an extrapermission to the browser to throttle code that runs the CPU athigh load for a certain amount of time Related studies also foundhigh CPU usage from the website as an indicator of drive-by min-ing [46] At the same time another recent study shows that manydrive-by miners are throttling their CPU usage to around 25 [25]and simply considering the CPU usage alone as the indicator ofdrive-by mining suffers from high false negatives Even withouttaking the CPU throttling to such extremes drive-by miners canblend in with other browsing activity potentially leading to falsepositives for other CPU-intensive use cases such as games [59]

Making matters worse in-browser mining service providerssuch as Coinhive have no incentives to disrupt drive-by miningattacks Coinhive keeps 30 of the cryptocurrency that is minedwith its code In reaction to abuse complaints they reportedly keepall of the profits of campaigns whose members still keep miningcryptocurrency even after their site key (ie the campaignrsquos accountidentifier with Coinhive) has been terminated [36]

3 THREAT MODELWe consider only drive-by mining rather than legitimate browser-based mining in our threat model ie we measure only the preva-lence of mining without usersrsquo consent A website may host stealthyminers for many reasons Some website owners knowingly include

User Webserver

Webserver External Server

WebSocket Proxy

Mining Pool

HTTP Request

HTTP Response(Orchestrator Code)

Fetch Mining Payload

Relay Communication

Mining Pool Communication

Figure 1 Overview of a typical drive-by mining attack

them on their sites without informing the users to monetize theirsites on the sly However it is also possible that the owners areunaware that their site is stealing CPU cycles from their visitorsFor instance silent cryptocurrency miners may ship with advertise-ments or third-party services In some cases the attackers installthe miners after they compromise a victim site In this research wemeasure analyze and detect all these cases of drive-by mining

Figure 1 illustrates a typical drive-by mining attack A crypto-currency mining script contains two components the orchestratorand the mining payload When a user visits a drive-by mining web-site the website (1) serves the orchestrator script which checksthe host environment to find out how many CPU cores are avail-able (2) downloads the highly-optimized cryptomining payload(as either Wasm or asmjs) from the website or an external server(3) instantiates a number of web workers [70] ie spawns separatethreads with the mining payload depending on how many CPUcores are available (4) sets up the connection with the mining poolserver through a WebSocket proxy server and (5) finally fetcheswork from the mining pool and submits the hashes to the miningpool through the WebSocket proxy server The protocol used forthis communication with the mining pool is usually Stratum

4 DRIVE-BY MINING IN THEWILDThe goals of our large-scale analysis of active drive-by mining cam-paigns in the wild are two-fold first we investigate the prevalenceand profitability of this threat to show that it makes economicsense for cybercriminals to invest in this type of attackmdashbeing alow effort heist with potentially high rewards Second we evaluatethe effectiveness of current drive-by mining defenses and showthat they are insufficient against attackers who are already activelyusing obfuscation to evade detection Based on our findings we pro-pose an obfuscation-resilient detection system for drive-by miningwebsites in Section 5

As part of our analysis we first crawl Alexarsquos Top 1 Millionwebsites log and analyze all code served by each website monitorside effects caused by executing the code and capture the networktraffic between the visited website and any external server Thenwe proceed to detect cryptomining code in the logged data and theuse of the Stratum protocol for communicating with mining poolservers in the network traffic of each website Finally we correlatethe results from all websites to answer the following questions

(1) How prevalent is drive-by mining in the wild(2) Howmany different drive-bymining services exist currently

Table 1 Summary of our dataset and key findings

Crawling period March 12 2018 ndash March 19 2018 of crawled websites 991513 of drive-by mining websites 1735 (018) of drive-by mining services 28 of drive-by mining campaigns 20 of websites in biggest campaign 139Estimated overall profit US$ 18887884Most profitablebiggest campaign US$ 3106080Most profitable website US$ 1716697

(3) Which evasion tactics do drive-by mining services employ(4) What is the modus operandi of different types of campaigns(5) How much profit do these campaigns make(6) Canwe find common characteristics across different drive-by

mining services that we can use for their detection

Table 1 summarizes our dataset and key findings We start by dis-cussing our data collection approach in Section 41 explain howwe identify drive-by mining websites in Section 42 explore web-sites and campaigns in-depth as well as estimate their profit inSection 43 and finally summarize characteristics that are commonacross the identified drive-by mining services in Section 44

41 Data CollectionAs the basis for our analysis we built a web crawler for visitingAlexarsquos Top 1 Million websites and collecting data related to drive-by mining During our preliminary analysis we observed that manymalicious websites serve a mining payload only when the user visitsan internal webpage Thus in contrast to related studies [45 51 57]that based their analysis only on the websitesrsquo landing pages2we configured the crawler to visit three random internal pages ofeach website The crawler stayed for four seconds on each visitedpage Moreover we configured it to passively collect data from eachvisited website without simulating any user interactions That isthe crawler did not give any consent for cryptomining

411 Cryptomining Code To identify the cryptomining payloadsthat the drive-by mining website serves to client browsers the webcrawler saves the webpage any embedded JavaScript and all therequests originating from and responses served to the webpageThen our offline analyzer parses these logs to identify knowndrive-by mining services (such as Coinhive or Mineralt) As a firstapproximation it does so using string matches similar to existingdefenses (see Section 24) However this is only the first step in ouranalysis as we show later relying on pattern matching alone todetect drive-by mining easily leads to false negatives

As explained in the previous section the mining code consistsof two components the orchestrator and the optimized hash gener-ation code (ie the mining payload) which we can both identifyindependently of each other

Identification of the orchestrator Usually websites embed theorchestrator script in the main webpage which we can detect bylooking for specific string patterns For instance Listing 1 shows2PublicWWW [12] only recently started indexing internal pages httpstwittercombad_packetsstatus1029553374897696768 (August 14 2018)

Table 2 Types of mining services in our initial dataset and their keywords

Mining Service Keywords

cdnstatic-cntbid | adg-contentbid | cdnjquery-uimdownloadrsquoMineralt ecarthtmlbdata= | amojsgt | mepirtediccomrsquo

Listing 1 Example usage of the Coinhive mining service

ltscript src= https coinhive comlib coinhive minjsgtlt script gtltscript gt

var miner = new CoinHive Anonymous (CLIENT -ID throttle 09)

miner start ()lt script gt

a website using Coinhiversquos service for drive-by mining by includ-ing the orchestrator component (coinhiveminjs) inside theltscriptgt HTML tag In this case searching for keywords such asCoinHiveAnonymous or coinhiveminjs is enough to identifywhether a website is using this particular drive-by mining serviceWemanually collected keywords for 13 well-knownmining services(see Table 2) to identify the websites that are using them

Identification of the mining payload The orchestrator first checkswhether the browser supports Wasm If not the browser loads theoptimized hash generation mining payload in the web worker usingasmjs otherwise the mining payload (Wasm module) is served tothe client in one of the following three ways (i) the code is storedin the orchestrator script in a text format which is compiled at runtime to create theWasmmodule (ii) the orchestrator script retrievesa pre-compiled Wasm module at run time from an external serveror (iii) the web worker itself directly downloads a compiled Wasmmodule from an external server and executes it For all three caseswe could have used the Chrome browser (which supports Wasm)with the --dump-wasm-module flag to dump the Wasm modulethat the JIT engine (V8) executes However this flag is not officiallydocumented [66] and at the time of our large-scale analysis we werenot aware of this feature Hence we detect the Wasm-based miningpayload in the following way First we dump all the JavaScriptcode and search for keywords such as cryptonight_hash andCryptonightWasmWrapper the existence of these keywords inthe JavaScript implies the mining payload is served in text formatWe detect the second and third way of serving the payload bylogging and analyzing all the network requests and responsensfrom and to the browserrsquos web worker

Code obfuscation Wenoticed thatmany drive-bymining servicesobfuscate both the strings used in the orchestrator script and inthe Wasm module to defeat such keyword-based detection Hencewe also look for other indicators for cryptomining and store theWasm module for further analysis In this way we can estimate thenumber of drive-by mining services that employ code obfuscationduring our in-depth analysis in Section 433

412 CPU Load as a Side Effect A cryptominer is a CPU-intensiveprogram hence execution of the mining payload usually results ina high CPU load However websites may also intentionally throttletheir CPU usage either to evade detection or an attempt to conservea visitorrsquos resources As part of our analysis we investigate howmany websites keep the CPU usage lower than a certain thresholdTo this end we configured the web crawler to log the CPU usageof each core and aggregate the usage across cores

413 Mining Pool Communication Typically a miner talks to amining pool to fetch the blockrsquos headers to start computing hashesStratum is the most commonly used protocol to authenticate withthe mining pool or the proxy server to receive the job that needsto be solved and if the correct hash is computed to announce theresult Most drive-by mining websites use WebSockets for this typeof communication As processes running in a browser sandbox arenot permitted to open system sockets WebSockets were designedto allow full-duplex asynchronous communication between coderunning on a webpage and servers As a result of using WebSocketsthe operators of drive-by mining services need to set up WebSocketservers to listen for connections from their miners and either pro-cess this data themselves if they also operate their own mining poolor unwrap the traffic and forward it to a public pool

Consequently we log all the WebSocket frames which are sentand received by the browser as well as the AJAX requestresponsefrom the webpage Then we analyze the logged data to detectany mining pool communication by searching for command andkeywords that are used by the Stratum protocol (listed in Table 3)During this analysis we also observed that some websites are obfus-cating the communication with the mining pool to evade detectionThus if the logged data does not include any text but only binarycontent we mark the WebSocket communication as obfuscated

Table 3 Stratum protocol commands and their keywords

Command Keywords

Authentication typeauth | commandconnect |identifierhandshake | commandinfo

Authentication accepted typeauthed | commandworkFetch job identifierjob | typejob | commandwork |

commandget_job | commandset_jobSubmit solved hash typesubmit | commandshareSolution accepted commandacceptedSet CPU limits commandset_cpu_load

Extraction of pools proxies and site keys The communication be-tween a cryptominer and the proxy server contains two interestingpieces of information the proxy server address and the client iden-tifier (also known as the site key) We also found several drive-bymining services that include the public mining pool and associatedcryptocurrency wallet address that the proxy should use

Clustering miners based on the proxy to which they connectgives us insights on the number of different drive-by mining ser-vices that are currently active Additionally clustering miners basedon their site key can be used to identify campaigns Finally we canleverage information from public mining pool to estimate the prof-itability of different campaigns

We extract this information by looking for keywords in eachrequest sent from the cryptominer and its response Table 3 liststhe keywords commonly associated with each requestresponsepair in the Stratum protocol For instance if the request sent fromthe miner contains keywords related to authentication we extractthe site key from it

414 Deployment and Dataset We deployed our web crawler inDocker containers running on Kubernetes in an unfiltered networkWe ran 50 Docker containers in parallel for one week mid-March2018 to collect data from Alexarsquos Top 1 Million websites (as ofFebruary 28 2018) Around 1 of the websites were offline or notresponding and we managed to crawl 991513 of them This processresulted in a total of 46 TB raw data and a 550MB database for theextracted information on identified miners CPU load and miningpool communication

42 Data Analysis and CorrelationWe first analyze the different artifacts produced by the data collec-tion individually ie the cryptomining code itself the CPU loadas a side effect and the mining pool communication We discusshow relying on each of these artifacts alone can lead to both falsepositives and false negatives and therefore correlate our resultsacross all three dimensions

421 Cryptomining Code We identified 13 well-known crypto-mining services using the keywords listed in Table 2 and presentour results in Table 4 We detected 866 websites (009) that areusing these 13 services without obfuscating the orchestrator codein the webpage The majority of websites (5935) is using theCoinhive cryptomining service We also found 65 websites usingmultiple cryptomining services

We revisited this analysis after our data correlation (described in424) andmanually analysed part of themining payloads of websites

Table 4 Distribution of well-known cryptomining services

Mining Service Number of Websites Percentage

Coinhive 514 5935CoinImp 94 1085Mineralt 90 1039JSECoin 50 577CryptoLoot 39 450CryptoNoter 31 358Coinhave 14 162Minr 13 150Webmine 8 092DeepMiner 5 058Cpufun 4 046Monerise 2 023NF WebMiner 2 023

Total 866 100

that we detected based on other signals In this way we extendedour initial list of keywords for detecting unobfuscated payloadswithhash_cn cryptonight WASMWrapper and crytenight and wewere able to identify mining services that were not part of ourinitial dataset but that are using CryptoNight-based payloads Intotal we could identify 1627 websites based on either keywords inthe orchestrator or in the mining payload

However similar to current blacklist-based approaches keyword-based analysis alone suffers from false positives and false negativesIn terms of false positives this approach does not consider userconsent ie whether a website waits for a userrsquos consent before ex-ecuting the mining code In terms of false negatives this approachcannot detect drive-by mining websites that use code obfuscationand URL randomization which we detected being applied in someform or another by 8214 of the services in our dataset (see Sec-tion 433)

422 CPU Load as a Side Effect Even though we logged the CPUload for each website during our crawl we ultimately do not usethese measurements to detect drive-by mining websites for thefollowing reasons First since we were running the experiments inDocker containers the other processes running on the same ma-chine could affect and artificially inflate our CPU load measurementSecond the crawler spends only four seconds on each webpagethus the page loading itself might lead to higher CPU loads

We can however use these measurements to specifically lookfor drive-by mining websites with low CPU usage to give a lowerbound for the pervasiveness of CPU throttling across miners andthe false negatives that a detection approach solely relying on highCPU loads would cause

423 Mining Pool Communication Overall 59319 (539) out ofAlexarsquos Top 1 Million websites use WebSockets to communicatewith external servers Out of these we identified 1008 websitesthat are communicating with mining pool servers using the Stra-tum protocol based on the keywords shown in Table 3 We alsofound that 2377 websites are encoding the data (as Hex code orsalted Base64) that they send and receive through the WebSocketin which case we could not determine whether they are miningcryptocurrency

Even though we successfully identified 1008 drive-by miningwebsites using this method this detection method suffers fromthe following two drawbacks causing false negatives drive-bymining services may use a custom communication protocol (thatis different keywords than the ones presented in Table 3) or theymay be obfuscating their communication with the mining pool

424 Data Correlation In our preliminary analysis based on key-word search we identified 866 websites using 13 well-known cryp-tomining services To determine how many of these websites startmining without waiting for a user to give her consent for exampleby clicking a button (which our web crawler was not equippedto do) we leverage the identification of the Stratum protocol weidentify 402 websites based on both their cryptomining code andthe communication with external pool servers that initiate themining process without requiring a userrsquos input The remaining 464websites either wait for the userrsquos consent circumvent our Stratumprotocol detection or did not initiate the Stratum communicationwithin the timeframe our web crawler spent on the website

To extend our detection to miners that evade keyword-baseddetection we combine the collected information from the followingsources

bull Mining payload Websites identified based on keywords foundin the mining payloadbull Orchestrator Websites identified based on keywords found inthe orchestrator codebull Stratum Websites identified as using the Stratum communica-tion protocolbull WebSocket communication Websites that potentially use anobfuscated communication protocolbull Number of web workers All the in-browser cryptominers useweb worker threads to generate hashes while only 16 of allwebsites in our dataset use more than two web worker threads

We identify drive-by mining websites by taking the union of allwebsites for which we identified the mining payload orchestratoror the Stratum protocol We further add websites for which weidentified WebSocket communication with an external server andmore than two web worker threads

As a result we identify 1735 websites as mining cryptocurrencyout of which 1627 (9378) could be identified based on keywordsin the cryptomining code 1008 (5810) use the Stratum protocol inplaintext 174 (1003) obfuscate the communication protocol andall the websites (10000) use Wasm for the cryptomining payloadand open a WebSocket Furthermore at least 197 (1136) websitesthrottle their CPU usage to less than 50 while for only 12 (069)mining websites we observed a CPU load of less than 25 In otherwords relying on high CPU loads (eg ge50) for detection wouldresult in 1136 false negatives in this case (in addition to potentiallycausing false positives for other CPU-intensive loads such as gamesand video codecs) Similarly relying only on pattern matching onthe payload would result in 623 false negatives

Finally in addition to the 13 well-known drive-by mining ser-vices that we started our analysis with (see Table 4) we also dis-covered 15 new drive-by mining services (see Section 436) for atotal of 28 drive-by mining services in our dataset

43 In-depth Analysis and ResultsBased on the drive-by mining websites we detected during our datacorrelation we now answer the questions posed at the beginningof this section

431 User Notification and Consent We consider cryptomining asabuse unless a user explicitly consents eg by clicking a buttonWhile one of the first court cases on in-browser mining suggestsa more lenient definition of consent and only requires websitesto provide a clear notification about the mining behavior to theuser [33] we find that very few websites in our dataset do so

To locate any notifications we searched for mining-related key-words (such as CPU XMR Coinhive Crypto and Monero) in theidentified drive-by mining websitersquos HTML content In this way weidentified 67 out of 1735 (386) websites that inform their usersabout their use of cryptomining These websites include 51 proxyservers to the Pirate Bay as well as 16 unrelated websites whichin some cases justify the use of cryptomining as an alternative toadvertisements3 We acknowledge that our findings only representa lower bound of websites that notify their users as the notifica-tions could also be stored in other formats for example as imagesor be part of a websitersquos terms of service However locating andparsing these terms is out of scope for this work

We also found a number of websites that include CoinhiversquosAuthedMine [6] in addition to drive-by mining AuthedMine isnot part of our threat model as it requires user opt-in and assuch we did not include websites using it in our analysis Stillat least four websites (based on a simple string search) includethe authedmineminjs script while starting to mine right awaywith a separate mining script that does not require user input threeof these websites include the miners on the same page while thefourth (cnhvco a proxy to Coinhive) includes AuthedMine onthe landing page and a non-interactive miner on an internal page

432 Mining from Internal Pages We found 744 out of 1735 web-sites (4288) stealing the visitorrsquos computational power only whenshe visits one of their internal pages validating our decision to notonly crawl the landing page of a website but also some internalpages From the manual analysis of these websites we found thatmost of them are video streaming websites the websites start cryp-tomining when the visitor starts watching a video by clicking thelinks displayed on the landing page

433 Evasion Techniques We have identified three evasion tech-niques which are widely used by the drive-by mining services inour dataset

Code obfuscation For each of the 28 drive-by mining servicesin our dataset we manually analyzed some of the correspondingwebsites which we identified as mining but for which we couldnot find any of the keywords in their cryptomining code In thisway we identified 23 (8214) of drive-by mining services using

3Examples ldquoIf ads are blocked a low percentage of your CPUrsquos idle processing poweris used to solve complex hashes as a form of micro-payment for playing the gamerdquo(dogeminer2com) and ldquoThis website uses some of your CPU resources to minecryptocurrency in favor of the website owner This is a some [sic] sort of donationto thank the website owner for the work done as well as to reduce the amount ofadvertising on the websiterdquo (crypticrockcom)

one or more of the following obfuscation techniques in at least oneof the websites that are using thembull Packed code The compressed and encoded orchestrator scriptis decoded using a chain of decoding functions at run timebull CharCode The orchestrator script is converted to charCodeand embedded in the webpage At run time it is converted backto a string and executed using JavaScriptrsquos eval() functionbull Name obfuscation Variable names and functions names arereplaced with random stringsbull Dead code injection Random blocks of code which are neverexecuted are added to the script to make reverse engineeringmore difficultbull Filename and URL randomization The name of the JavaScriptfile is randomized or the URL it is loaded from is shortened toavoid detection based on pattern matching

Wemainly found these obfuscation techniques applied to the orches-trator code and not to the mining payload Since the performanceof the cryptomining payload is crucial to maximize the profit frombrowser-based mining the only obfuscation currently performedon the mining payload is name obfuscation

Obfuscated Stratum communication We only identified the Stra-tum protocol in plaintext (based on the keywords in Table 3) for1008 (5810) websites We manually analyzed the WebSocket com-munication for the remaining 727 (4190) websites and found thefollowing (1) A common strategy to obfuscate the mining pool com-munication found in 174 (1003) websites is to encode the requesteither as Hex code or with salted Base64 encoding (ie adding alayer of encryption with the use of a pre-shared passphrase) beforetransmitting it through the WebSocket (2) We could not identifyany pool communication for the remaining 553 websites eitherdue to other encodings or due to slow server connections ie wewere not able to observe any pool communication during the timeour web crawler spent on a website which could also be used bymalicious websites as a tactic to evade detection by automated tools

Anti-debugging tricks We found 139 websites (part of a cam-paign targeting video streamingwebsites) that employ the followinganti-debugging trick (see Listing 2) The code periodically checkswhether the user is analyzing the code served by the webpage usingdeveloper tools If the developer tools are open in the browser itstops executing any further code

434 Private vs Public Mining Pools All the drive-by mining web-sites in our dataset connect to WebSocket proxy servers that listenfor connections from their miners and either process this datathemselves (if they also operate their own mining pool) or unwrapthe traffic and forward it to a public pool That is the proxy servercould be connecting to a public mining or private mining pool Weidentified 159 different WebSocket proxy servers being used by the1735 drive-by mining websites and only six of them are sendingthe public mining pool server address and the cryptocurrency wal-let address (used by the pool administrator to reward the miner)associated with the website to the proxy server These six websitesuse the following public mining pools minexmrcom supportxmrcom monerooceanstream xmrpooleu minemoneropro andaeonsumominercom

Listing 2 Anti-debugging trick used by 139 websites

function check () before = new Date () getTime ()debugger after = new Date () getTime ()if (after - before gt minimalUserResponseInMiliseconds )

document write ( Dont open Developer Tools )self location replace ( https +

window location href substring ( window location protocol length ))

else before = null after = null delete before delete after

setTimeout (check 100)

435 Drive-by Mining Campaigns To identify drive-by miningcampaigns we rely on site keys and WebSocket proxy servers If acampaign uses a public web mining service the attacker uses thesame site key and proxy server for all websites belonging to thiscampaign If the campaign uses an attacker-controlled proxy serverthe websites do not need to embed a site key but the websites stillconnect to the same proxy Hence we use two approaches to finddrive-by campaigns First we cluster websites that are using thesame site key and proxy We discovered 11 campaigns using thismethod (see Table 5) Second we cluster the websites only based onthe proxy and then manually verified websites from each cluster tosee which mining code they are using and how they are includingit We identified nine campaigns using this method (see Table 6) Intotal we identified 20 drive-by mining campaigns in our datasetThese campaigns include 566 websites (3262) for the remaining1169 (6738) websites we could not identify any connection

We manually analyzed websites from each campaign to studytheir modus operandi Based on this analysis we classify the cam-paigns into the following categories based on their infection vec-tor miners injected through third-party services miner injectedthrough advertisement networks and miners injected by compro-mising vulnerable websites We also captured proxy servers tothe Pirate Bay which does not ask for usersrsquo explicit consent formining cryptocurrency but openly discusses this practice on itsblog [54] For each campaign we estimate the number of visitorsper month and their monthly profit (details on how we performthese estimations can be found in Section 437)

Third-party campaigns The biggest campaigns we found targetvideo streaming websites we identified nine third-party servicesthat provide media players that are embedded in other websitesand which include a cryptomining script in their media player

Video streaming websites usually present more than one link toa video also known as mirrors A click on such a link either loadsthe video in an embedded video player provided by the websiteif it is hosting the video directly or redirects the user to anotherwebsite We spotted suspicious requests originating from manysuch embedded video players which lead us to the discovery ofeight third-party campaigns Hqqtv Estreamto Streamplayto Watchersto bitvidsx Speedvidnet FlashXtv andVidzitv are the streaming websites that embed cryptomining

Table 5 Identified campaigns based on site keys number of participating websites () and estimated profit per month

Site Key Main Pool Type Profit (US$)

ldquo428347349263284rdquo 139 welineinfo Third party (video) $3106080OT1CIcpkIOCO7yVMxcJiqmSWoDWOri06 53 coinhivecom Torrent portals $834318ricewithchicken 32 datasecudownload Advertisement-based $107827jscustomkey2 27 20724688253 Third party (counter12com) $8698CryptoNoter 27 minercrypt Advertisement-based $2035489djE22mdZ3[]y4PBWLb4tc1X8ADsu 24 datasecudownload Compromised websites $14240first 23 cloudflanecom Compromised websites $12002vBaNYz4tVYKV9Q9tZlL0BPGq8rnZEl00 20 hemneswin Third party (video) $3031445CQjsiBr46U[]o2C5uo3u23p5SkMN 17 randcomru Compromised websites $30660Tumblr 14 countim Third party $1131ClmAXQqOiKXawAMBVzuc51G31uDYdJ8F 12 coinhivecom Third party (night-skincom) $1436

Table 6 Identified campaigns based on proxies number ofparticipating websites () and estimated profit per month

WebSocket Proxy Type Profit (US$)advisorstatspace 63 Advertisement-based $32171zenoviaexchangecom 37 Advertisement-based $151608statibid 20 Compromised websites $3494staticsfshost 20 Compromised websites $38491webmetricloan 17 Compromised websites $18132insdrbotcom 7 Third party (video) $1689261q2w3website 5 Third party (video) $201290streamplayto 5 Third party (video) $23971estreamto 4 Third party (video) $87272

scripts through embedded video players The biggest campaign inour dataset is Hqq player which we found on 139 websites throughthe proxy welineinfo We estimate that around 2500 streamingwebsites are including the embedded video players from these eightservices attracting more than 250 million viewers per month Anindependent study from AdGuard also reported similar campaignsin December 2017 [44] however we could not find any indicationthat the video streaming websites they identified were still miningat the time of our analysis

As part of third-party campaigns unrelated to video streamingwe found 14 pages on Tumblr under the domain tumblr[]commining cryptocurrency The mining payload was introduced inthe main page by the domain fontapis[]com We also found 39websites were infected by using libraries provided by counter12com and night-skincom

Advertisement-based campaigns We found four advertisement-based campaign in our dataset In this case attackers publish ad-vertisements that include cryptomining scripts through legitimateadvertisement networks If a user visits the infected website and amalicious advertisement is displayed the browser starts cryptomin-ing The ricewithchicken campaign was spreading through the AOLadvertising platform which was recently also reported in an inde-pendent study by TrendMicro [41] We also identified three cam-paigns spreading through the oxcdncom zenoviaexchangecomand moraducom advertisement networks

Compromised websites We also identified five campaigns that ex-ploited web application vulnerabilities to inject miner code into thecompromised website For all of these campaigns the same orches-trator code was embedded at the bottom of the main HTML page

Table 7 Additional cryptomining services we discoverednumber of websites () using them and whether they pro-vide a private proxy and private mining pool ()

Mining Service Main Pool Private

CoinPot 43 coinpotcoNeroHut 10 gnrdomimplementationcom Webminerpool 13 metamediahostCoinNebula 6 1q2w3website BatMine 6 whysoseriusclub Adless 5 adlessio Moneromining 5 monerominingonline Afminer 3 afminercom AJcryptominer 4 ajpluginscom Crypto Webminer 4 anisearchruGrindcash 2 ulnawoyyzbljcruMiningBest 1 miningbest WebXMR 1 webxmrcom CortaCoin 1 cortacoincom JSminer 1 jsminernet

(and not loaded from any external libraries) in a similar fashionMoreover we could not find any relationship between the web-sites within the campaigns they are hosted in different geographiclocations and registered to different organizations One of the cam-paigns was using the public mining pool server minexmrcom4 Wechecked the status of the wallet address on the mining poolrsquos web-site and found that the wallet address had already been blacklistedfor malicious activity

Torrent portals We found a campaign targeting 53 torrent portalsall but two of which are proxies to the Pirate Bay We estimate thatall together these websites attract 177 million users a month

436 Drive-by Mining Services We started our analysis with 13drive-by mining services By analyzing the clusters based on Web-Socket proxy servers we discovered 15 more Coinhive-like services(see Table 7) We classify these services into two categories thefirst category only provides a private proxy however the client canspecify the mining pool address that the proxy server should use asthe mining pool Grindcash Crypto Webminer andWebminerpoolbelong to this category The second category provides a private

4site key 489djE22mdZ3j34vhES98tCzfVn57Wq4fA8JR6uzgHqYCfYE2nmaZxmjepwr3-GQAZd3qc3imFyGPHBy4PBWLb4tc1X8ADsu

it (US

f Visi

Figure 2 Profit estimation and visitor numbers for the 142 drive-by mining websites earning more than US$ 250 a month

Table 8 Hash rate (Hs) on various mobile devices and lap-topsdesktops using Coinhiversquos in-browser miner

Device Type Hash Rate (Hs)

ileDev

Nokia 3 5iPhone 5s 5iPhone 6 7Wiko View 2 8Motorola Moto G6 10Google Pixel 10OnePlus 3 12Huawei P20 13Huawei Mate 10 Lite 13iPhone 6s 13iPhone SE 14iPhone 7 19OnePlus 5 21Sony Xperia 24Samsung Galaxy S9 Plus 28iPhone 8 31Mean 1456

Laptop

Desktop Intel Core i3-5010U 16

Intel Core i7-6700K 65Mean 4050

proxy and a private mining pool The remaining services listed inTable 7 belong to this category except for CoinPot which providesa private proxy but uses Coinhiversquos private mining pool

437 Profit Estimation All of the 1735 drive-by mining websitesin our dataset mine the CryptoNight-based Monero (XMR) crypto-currency using mining pools Almost all of them (1729) use a sitekey and a WebSocket proxy server to connect to the mining poolhence we cannot determine their profit based on their wallet ad-dress and public mining pools

Instead we estimate the profit per month for all 1735 drive-bymining websites in the following way we first collect statisticson monthly visitors the type of the device the visitor uses (lap-topdesktop or mobile) and the time each visitor spends on eachwebsite on average from SimilarWeb [13] We retrieved the averageof these statistics for the time period from March 1 2018 to May31 2018 SimilarWeb did not provide data for 30 websites in ourdataset hence we consider only the remaining 1705 websites

We further need to estimate the average computing power iethe hash rate per second (Hs) of each visitor Since existing hash

rate measurements [2] only consider native executables and arethus higher than the hash rates of in-browser minersmdashCoinhivestates their Wasm-based miner achieves 65 of the performanceof their native miner [5]mdashwe performed our own measurementsTable 8 shows our results According to our experiments an IntelCore i3 machine (laptop) is capable of at least 16Hs while an IntelCore i7 machine (desktop) is capable of at least 65Hs using theCryptoNight-based in-browser miner from Coinhive We use theirhash rates (4050Hs) as the representative hash rate for laptops anddesktops For the mobile devices we calculated themean of the hashrates (1456Hs) that we observed on 16 different devices Finallywe use the API provided by MineCryptoNight [9] to calculate themining reward in US$ for these hash rates and estimate the profitbased on SimilarWebrsquos visitor statistics

When looking at the profit of individual websites (see Figure 2 forthe most profitable ones) we estimate that the two most profitablewebsites are earning US$ 1716697 and US$ 1066782 a month from2913 million visitors (tumangaonlinecom average visit of 1812minutes) and 4791 million visitors (xx1me average visit of 745minutes) respectively However there is a long tail of websiteswith very low profits on average each of the 1705 websites earnedUS$ 11077 a month and 900 around half of the websites in ourdataset earned less than US$ 10

Still drive-by mining can provide a steady income stream forcybercriminals especially when considering that many of thesewebsites are part of campaigns We present the results aggregatedper campaign in Table 5 and Table 6 the most profitable campaignspread over 139 websites potentially earned US$ 3106080 a monthIn total we estimate the profit of all 20 campaigns at US$ 4874112However almost 70 of websites in our dataset were not part ofany campaign and we estimate the total profit across all websitesand campaigns at US$ 18887885

Note that we only estimated the profit based on the websites andcampaigns captured by crawling Alexarsquos Top 1Millionwebsites andthe same campaigns could make additional profit through websitesnot part of this list As a point of reference concurrent work [57]calculated the total monthly profit of only the Coinhive serviceand including legitimate mining ie user-approved mining throughfor example AuthedMine at US$ 25420000 (at a market value ofUS$ 200) in May 2018 We base our estimations on Monerorsquos marketvalues on May 3 2018 (1 XMR = US$ 253) [9] The market value ofMonero as for any cryptocurrency is highly volatile and fluctuatedbetween US$ 48880 and US$ 4530 in the last year [7] and thusprofits may vary widely based on the current value of the currency

44 Common Drive-by Mining CharacteristicsBased on our analysis we found the following common charac-teristics among all the identified drive-by mining services (1) Allservices use CryptoNight-based cryptomining implementations (2)All identified websites use a highly-optimized Wasm implementa-tion of the CryptoNight algorithm to execute the mining code inthe browser at native speed5 Moreover our manual analysis of theWasm implementation showed that the only obfuscation performedon Wasm modules is name obfuscation (all strings are stripped)any further code obfuscation applied to the Wasm module woulddegrade the performance (and hence negatively impact the profit)(3) All drive-by mining websites use WebSockets to communicatewith the mining pool through a WebSocket proxy server

We use our findings as the basis forMineSweeper a detectionsystem for Wasm-based drive-by mining websites which we de-scribe in the next section

5 DRIVE-BY MINING DETECTIONBuilding on the findings of our large-scale analysis we proposeMineSweeper a novel technique for drive-by mining detectionwhich relies neither on blacklists nor on heuristics based on CPUusage In the arms race between defenses trying to detect the minersand miners trying to evade the defenses one of the few gainfulways forward for the defenders is to target properties of the miningcode that would be impossible or very painful for the miners toremove The more fundamental the properties the better

To this end we characterize the key properties of the hashingalgorithms used by miners for specific types of cryptocurrenciesFor instance some hashing algorithms such as CryptoNight arefundamentally memory-hard Distilling the measurable propertiesfrom these algorithms allows us to detect not just one specificvariant but all variants obfuscated or not The idea is that the onlyway to bypass the detector is to cripple the algorithm

MineSweeper takes the URL of a website as the input It thenemploys three approaches for the detection of Wasm-based cryp-tominers one for miners using mild variations or obfuscations ofCryptoNight (Section 531) one for detecting cryptographic func-tions in a generic way (Section 532) and one for more heavilyobfuscated (and performance-crippled) code (Section 533) For thefirst two approachesMineSweeper statically analyses the Wasmmodule used by the website for the third one it monitors the CPUcache events during the execution of the Wasm module Duringthe Wasm-based analysisMineSweeper analyses the module forthe core characteristics of specific classes of the algorithm We usea coarse but effective measure to identify cryptographic functionsin general by measuring the number of cryptographic operations(as reflected by XOR shift and rotate operations) We focus on theCryptoNight algorithm and its variants since it is used by all ofthe cryptominers we observed so far but it is trivial to add otheralgorithms

5We also identified JSEminer in our dataset which only supports asmjs howeverunlike the other services the orchestrator code provided by this service always asksfor a userrsquos consent For this reason we do not classify the 50 websites using JSEmineras drive-by mining websites

Scratchpad Initialization

Memory-hardloop

Final result calculation

Keccak 1600-512

Key expansion + 10 AES rounds

Keccak-f 1600

Loop preparation

524288 Iterations

8bt_ADD

8bt_MUL

S c r a t c h p a d

BLAKE-Groestl-Skein hash-select

S c r a t c h p a d

8 rounds

AES Write

8 roundsAES

XORRead

Figure 3 Components of the CryptoNight algorithm [61]

51 Cryptomining Hashing CodeThe core component of drive-by miners ie the hashing algorithmis instantiated within the web workers responsible for solving thecryptographic puzzle The corresponding Wasm module containsall the corresponding computationally-intensive hashing and cryp-tographic functions As mentioned all of the miners we observedmine CryptoNight-based cryptocurrencies In this section we dis-cuss the key properties of this algorithm

The original CryptoNight algorithm [61] was released in 2013and represents at heart a memory-hard hashing function The algo-rithm is explicitly amenable to cryptomining on ordinary CPUs butinefficient on todayrsquos special purpose devices (ASICs) Figure 3 sum-marizes the three main components of the CryptoNight algorithmwhich we describe below

Scratchpad initialization First CryptoNight hashes the initialdata with the Keccak algorithm (ie SHA-3) with the parametersb = 1600 and c = 512 Bytes 0ndash31 of the final state serve as an AES-256 key and expand to 10 round keys Bytes 64ndash191 are split into8 blocks of 16 bytes each of which is encrypted in 10 AES roundswith the expanded keys The result a 128-byte block is used toinitialize a scratchpad placed in the L3 cache through several AESrounds of encryption

Memory-hard loop Before the main loop two variables are cre-ated from the XORed bytes 0ndash31 and 32ndash63 of Keccakrsquos final stateThe main loop is repeated 524288 times and consists of a sequenceof cryptographic and read and write operations from and to thescratchpad

Final result calculation The last step begins with the expansionof bytes 32ndash63 from the initial Keccakrsquos final state into an AES-256key Bytes 64-191 are used in a sequence of operations that consistsof an XOR with 128 scratchpad bytes and an AES encryption withthe expanded key The result is hashed with Keccak-f (which standsfor Keccak permutation) with b = 1600 The lower 2 bits of the finalstate are then used to select a final hashing algorithm to be appliedfrom the following BLAKE-256 Groestl-256 and Skein-256

There exist two CryptoNight variants made by Sumokoin andAEON cryptonight-heavy and cryptonight-light respectively Themain difference between these variants and the original design isthe dimension of the scratchpad the light version uses a scratchpadsize of 1MB and the heavy version a scratchpad size of 4MB

52 Wasm AnalysisTo prepare a Wasm module for analysis we use the WebAssemblyBinary Toolkit (WABT) debugger [14] to translate it into linearassembly bytecode We then perform the following static analysissteps on the bytecode

Function identification We first identify functions and create aninternal representation of the code for each function If the namesof the functions are stripped as part of common name obfuscationwe assign them an identifier with an increasing index

Cryptographic operation count In the second step we inspectthe identified functions one by one in order to track the appearanceof each relevant Wasm operation More precisely we first deter-mine the structure of the control flow by identifying the controlconstructs and instructions We then look for the presence of op-erations commonly used in cryptographic operations (XOR shiftand rotate instructions) In many cryptographic algorithms theseoperations take place in loops so we specifically use the knowledgeof the control flow to track such operations in loops Howeverdoing so is not always enough For instance at compile time theWasm compiler unrolls some of the loops to increase the perfor-mance Since we aim to detect all loops including the unrolled oneswe identify repeated flexible-length sequences of code containingcryptographic operations and mark them as a loop if a sequence isrepeated for more than five times

53 Cryptographic Function DetectionBased on our static analysis of the Wasm modules we now de-tect the CryptoNightrsquos hashing algorithm We describe three ap-proaches one for mild variations or obfuscations of CryptoNightone for detecting any generic cryptographic function and one formore heavily obfuscated code

531 Detection Based on Primitive Identification The CryptoNightalgorithm uses five cryptographic primitives which are all neces-sary for correctness Keccak (Keccak 1600-512 and Keccak-f 1600)AES BLAKE-256 Groestl-256 and Skein-256 MineSweeper iden-tifies whether any of these primitives are present in the Wasmmodule by means of fingerprinting It is important to note that theCryptoNight algorithm and its two variants must use all of theseprimitives in order to compute a correct hash by detecting the useof any of them our approach can also detect payload implementa-tion split across modules

We create fingerprints of the primitives based on their specifica-tion as well as the manual analysis of 13 different mining services(as presented in Table 2) The fingerprints essentially consist of thecount of cryptographic operations in functions and more specifi-cally within regular and unrolled loops We then look for the closestmatch of a candidate function in the bytecode to each of the primi-tive fingerprints based on the cryptographic operation count Tothis end we compare every function in the Wasm module one by

one with the fingerprints and compute a ldquosimilarity scorerdquo of howmany types of cryptographic instructions that are present in thefingerprint are also present in the function and a ldquodifference scorerdquoof discrepancies between the number of each of those instructionsin the function and in the fingerprint As an example assume thefingerprint for BLAKE-256 has 80 XOR 85 left shift and 32 rightshift instructions Further assume the function foo() which isan implementation of BLAKE-256 that we want to match againstthis fingerprint contains 86 XOR 85 left shift and 33 right shiftinstructions In this case the similarity score is 3 as all three typesof instructions are present in foo() and the difference score is 2because foo() contains an extra XOR and an extra shift instruction

Together these scores tell us how close the function is to thefingerprint Specifically for a match we select the functions withthe highest similarity score If two candidates have the same simi-larity score we pick the one with the lowest difference score Basedon the similarity score and difference score we calculated for eachidentified functions we classify them in three categories full matchgood match or no match For a full match all types of instructionsfrom the fingerprint are also present in the function and the dif-ference score is 0 For a good match we require at least 70 ofthe instruction types in the fingerprint to be contained in the func-tion and a difference score of less than three times the number ofinstruction types

We then calculate the likelihood that the Wasm module containsa CryptoNight hashing function based on the number of primi-tives that successfully matched (either as a full or a good match)The presence of even one of these primitives can be used as anindicator for detecting potential mining payloads but we can alsoset more conservative thresholds such as flagging a Wasm mod-ule as a CryptoNight miner if only two or three out of the fivecryptographic primitives are fully matched We evaluate the num-ber of primitives that we can match across different Wasm-basedcryptominer implementations in Section 6

532 Generic Cryptographic Function Detection In addition to de-tecting the cryptographic primitives specific to the CryptoNightalgorithm our approach also detects the presence of cryptographicfunctions in a Wasm module in a more generic way This is use-ful for detecting potential new CryptoNight variants as well asother hashing algorithms To this end we count the number ofcryptographic operations (XOR shift and rotate operations) insideloops in each function of the Wasm module and flag a function as acryptographic function if this number exceeds a certain threshold

533 Detection Based on CPU Cache Events While not yet an issuein practice in the future cybercriminals may well decide to sacrificeprofits and highly obfuscate their cryptomining Wasm modules inorder to evade detection In that case the previous algorithm is notsufficient Therefore as a last detection step MineSweeper alsoattempts to detect cryptomining code by monitoring CPU cacheevents during the execution of a Wasm modulemdasha fundamentalproperty for any reasonably efficient hashing algorithm

In particular we make use of how CryptoNight explicitly targetsmining on ordinary CPUs rather than on ASICs To achieve this itrelies on random accesses to slow memory and emphasizes latencydependence For efficient mining the algorithm requires about 2MBof fast memory per instance

This is favorable for ordinary CPUs for the following reasons [61](1) Evidently 2MB do not fit in the L1 or L2 cache of modern

processors However they fit in the L3 cache(2) 1MB of internal memory is unacceptable for todayrsquos ASICs(3) Moreover even GPUs do not help While they may run hun-

dreds of code instances concurrently they are limited in theirmemory speeds Specifically their GDDR5 memory is muchslower than the CPU L3 cache Additionally it optimizespure bandwidth but not random access speed

MineSweeper uses this fundamental property of the CryptoNightalgorithm to identify it based on its CPU cache usage MonitoringL1 and L3 cache events using the Linux perf [1] tool during theexecution of aWasmmoduleMineSweeper looks for load and storeevents caused by random memory accesses As our experimentsin Section 6 demonstrate we can observe a significantly higherloadstore frequency during the execution of a cryptominer payloadcompared to other use cases including video players and gamesand thus detect cryptominers with high probability

54 Deployment ConsiderationsWhile MineSweeper can be used for the profiling of websites aspart of large-scale studies such as ours we envision it as a toolthat notifies users about a potential drive-by mining attack whilebrowsing and gives them the option to opt-out eg by not loadingWasm modules that trigger the detection of cryptographic primi-tives or by suspending the execution of the Wasm module as soonas suspicious cache events are detected

Our defense based on the identification of cryptographic primi-tives could be easily integrated into browsers which so far mainlyrely on blacklists and CPU throttling of background scripts as a lastline of defense [21 22 29] As our approach is based on static anal-ysis browsers could use our techniques to profile Wasm modulesas they are loaded and ask the user for permission before executingthem As an alternative and browser-agnostic deployment strategySEISMIC [69] instruments Wasm modules to profile their use ofcryptographic operations during execution although this approachcomes with considerable run-time overhead

Integrating our defense based on monitoring cache events unfor-tunately is not so straightforward access to performance countersrequires root privileges and would need to be implemented by theoperating system itself

6 EVALUATIONIn this section we evaluate the effectiveness of MineSweeperrsquoscomponents based on static analysis of the Wasm code and CPUcache event monitoring for the detection of the cryptomining codecurrently used by drive-by mining websites in the wild We furthercompare MineSweeper to a state-of-the-art detection approachbased on blacklisting Finally we discuss the penalty in terms of per-formance and thus profits evasion attempts againstMineSweeperwould incur

Dataset To test our Wasm-based analysis we crawled AlexarsquosTop 1 Million websites a second time over the period of one weekin the beginning of April 2018 with the sole purpose of collectingWasm-based mining payloads This time we configured the crawler

Table 9 Results of our cryptographic primitive identifica-tion MineSweeper detected at least two of CryptoNightrsquosprimitives in all mining samples with no false positives

Detected Number of Number of MissingPrimitives Wasm Samples Cryptominers Primitives

5 30 30 -4 3 3 AES3 - - -2 3 3 Skein Keccak AES1 - - -0 4 0 All

to visit only the landing page of each website for a period of fourseconds The crawl successfully captured 748Wasmmodules servedby 776 websites For the remaining 28 modules the crawler waskilled before it was able to dump the Wasm module completely

Evaluation of cryptographic primitive identification Even thoughwe were able to collect 748 valid Wasm modules only 40 amongthem are in fact unique This is because many websites use thesame cryptomining services We also found that some of thesecryptomining services are providing different versions of theirmining payload Table 9 shows our results for the CryptoNightfunction detection on these 40 unique Wasm samples We wereable to identify all five cryptographic primitives of CryptoNight in30 samples four primitives in three samples and two primitives inanother three samples In these last three samples we could onlydetect the Groestl and BLAKE primitives which suggests that theseare the most reliable primitives for this detection As part of anin-depth analysis we identified these samples as being part of themining services BatMine andWebminerpool (two of the samples area different version of the latter) which were not part of our datasetof mining services that we used for the fingerprint generation butrather services we discovered during our large-scale analysis

However our approach did not produce any false positives andthe four samples in whichMineSweeper did not detect any crypto-graphic primitive were in fact benign an online magazine reader avideoplayer a node library to represent a 64-bit tworsquos-complementinteger value and a library for hyphenation Furthermore thegeneric cryptographic function detection successfully flagged all 36mining samples as positives and all four benign cases as negatives

Evaluation of CPU cache event monitoring For this evaluationwe used perf to capture L1 and L3 cache events when executingvarious types of web applications We conducted all experiments onan Intel Core i7-930 machine running Ubuntu 1604 (baseline) Wecaptured the number of L1 data cache loads L1 data cache storesL3 cache stores and L3 cache loads within 10 seconds when visitingfour categories of web applications cryptominers (Coinhive andNFWebMiner both with 100 CPU usage) video players Wasm-based games and JavaScript (JS) games We visited seven websitesfrom each category and calculated the mean and standard deviation(stdev) of all the measurements for each category

As Figure 4 (left) and Figure 5 (left) show that L1 and L3 cacheevents are very high for the web applications that are mining crypto-currency but considerably lower for the other types of web appli-cations Compared to the second most cache-intensive applications

WasmMiners

VideoPlayers

WasmGames

JSGames

Baseline0

20000M

40000M

60000M

80000M

100000M L1 Loads (Dcache)L1 Stores (Dcache)Stdev

WasmMiner

WasmMiner(20)

WasmGame

L1 LoadsL1 StoresStdev

Figure 4 Performance counter measurements for the L1data cache forminers and other web applications on two dif-ferentmachines ( of operations per 10 secondsM=million)

Wasm-based games the Wasm-based miners perform on average1505x as many L1 data cache loads and 655x as many L1 datacache stores The difference for the L3 cache is less severe but stillnoticeable here on average the miners perform 550x and 293x asmany cache loads and stores respectively compared to the games

We performed a second round of experiments on a differentmachine (Intel Core i7-6700K) which has a slightly different cachearchitecture to verify the reliability of the CPU cache events Wealso used these experiments to investigate the effect of CPU throt-tling on the number of cache events Coinhiversquos Wasm-based minerallows throttling in increments of 10 intervals We configured itto use 100 CPU and 20 CPU and compared it against a Wasm-based game We executed the experiments 20 times and calculatedthe mean and standard deviation (stdev) As Figure 4 (right) andFigure 5 (right) show on this machine L3 cache store events cannotbe used for the detection of miners we observed only a low numberof L3 cache stores overall and on average more stores for the gamethan for the miners However L3 cache loads as well as L1 datacache loads and stores are a reliable indicator for mining Whenusing only 20 of the CPU we still observed 3725 3805 and3771 of the average number of events compared to 100 CPUusage for L1 data cache loads L1 data cache stores and L3 cacheloads respectively Compared to the game the miner performed1396x and 629x as many L1 data cache loads and stores and 246xas many L3 cache loads even when utilizing only 20 of the CPU

Comparison to blacklisting approaches To compare our approachagainst existing blacklisting-based defenses we evaluate Mine-Sweeper against Dr Mine [8] Dr Mine uses CoinBlockerLists [4]as the basis to detect mining websites For the comparison we vis-ited the 1735 websites that were mining during our first crawl forthe large-scale analysis in mid-March 2018 (see Section 4) with bothtools We made sure to use updated CoinBlockerLists and executedDr Mine andMineSweeper in parallel to maximize the chance thatthe same drive-by mining websites would be active During thisevaluation on May 9 2018 Dr Mine could only find 272 websiteswhile MineSweeper found 785 websites that were still activelymining cryptocurrency Furthermore all the 272 websites identifiedby Dr Mine are also identified byMineSweeper

WasmMiners

VideoPlayers

WasmGames

JSGames

Baseline0

1000M L3 LoadsL3 StoresStdev

WasmMiner

WasmMiner(20)

WasmGame

Figure 5 Performance counter measurements for the L3cache for miners and other web applications on two differ-ent machines ( of operations per 10 seconds M=million)

Impact of evasion techniques In order to evade our identificationof cryptographic primitives attackers could heavily obfuscate theircode or implement the CryptoNight functions completely in asmjsor JavaScript In both cases MineSweeper would still be able todetect the cryptomining based on the CPU cache event monitoringTo evade this type of defense and since we are only monitoring un-usually high cache load and stores that are typical for cryptominingpayloads attackers would need to slow down their hash rate forexample by interleaving their code with additional computationsthat have no effect on the monitored performance counters

In the following we discuss the performance hit (and thus lossof profit) that alternative implementations of the mining code inasmjs and an intentional sacrifice of the hash rate in this case bythrottling the CPU usage would incur Table 10 show our estimationfor the potential performance and profit losses on a high-end (IntelCore i7-6700K) and a low-end (Intel Core i3-5010U) machine Asan illustrative example we assume that in the best case an attackeris able to make a profit of US$ 100 with the maximum hash rate of65Hs on the i7 machine Just falling back to asmjs would cost anattacker 4000ndash4375 of her profits (with a CPU usage of 100)Moreover throttling the CPU speed to 25 on top of falling back toasmjs would cost her 8500ndash8594 of her profits leaving her withonly US$ 1500 on a high-end and US$ 346 on a low-end machineIn more concrete numbers from our large-scale analysis of drive-bymining campaigns in the wild (see Section 43) the most profitablecampaign which is potentially earning US$ 3106080 a month (seeTable 5) would only earn US$ 436715 a month

7 LIMITATIONS AND FUTUREWORKOur large-scale analysis of drive-by mining in the wild likely missedactive cryptomining websites due to limitations of our crawler Weonly spend four seconds on each webpage hence we could havemissed websites that wait for a certain amount of time before serv-ing the mining payload Similarly we are not able to capture themining pool communication for websites that implement miningdelays and in some cases due to slow server connections whichexceed the timeout of our crawler Moreover we only visit eachwebpage once but some cryptomining payloads especially the

Table 10 Decrease in the hash rate (Hs) and thus profit compared to the best-case scenario (lowast) using Wasm with 100 CPUutilization if asmjs is being used and the CPU is throttled on an Intel Core i7-6700K and an Intel Core i3-5010U machine

Baseline 100 CPU 75 CPU 50 CPU 25 CPUHs Profit Hs Hs Profit Hs Profit Hs Hs Profit Hs Profit Hs Hs Profit Hs Profit Hs Hs Profit

Wasm US$ asmjs Loss US$ Wasm US$ asmjs Loss US$ Wasm US$ asmjs Loss US$ Wasm US$ asmjs Loss US$

i7 65lowast $10000 39 4000 $6000 4875 $7500 2925 5500 $4500 325 $5000 195 7000 $3000 1625 $2500 975 8500 $1500i3 16lowast $2462 9 4375 $1385 12 $1846 675 5781 $1038 8 $1231 45 7188 $692 4 $615 225 8594 $346

ones that spread through advertisement networks are not servedon every visit Our crawler also did not capture the cases in whichcryptominers are loaded as part of ldquopop-underrdquo windows Further-more the crawler visited each website with the User Agent Stringof the Chrome browser on a standard desktop PC We leave thestudy of campaigns specifically targeting other devices such asAndroid phones for future work Another avenue for future workis studying the longevity of the identified campaigns We based ourprofit estimations on the assumption that they stayed active for atleast a month but they might have been disrupted earlier

Our defense based on static analysis is similarly prone to obfus-cation as any related static analysis approach However even ifattackers decide to sacrifice performance (and profits) for evadingour defense through obfuscation of the cryptomining payload wewould still be able to detect themining based onmonitoring the CPUcache Trying to evade this detection technique by adding additionalcomputations would severely degrade the mining performancemdashtoa point that it is not profitable anymore

Furthermore currently all drive-by mining services use Wasm-based cryptomining code and hence we implemented our defenseonly for this type of payload Nevertheless we could implement ourapproach also for the analysis of asmjs in future work Finally ourdefense is tailored for detecting cryptocurrencies using the Crypto-Night algorithm as these are currently the only cryptocurrenciesthat can profitably be mined using regular CPUs [9] Even thoughour generic cryptographic function detection did not produce anyfalse positives in our evaluation we still can imagine many benignWasm modules using cryptographic functions for other purposesHowever Wasm is not widely adopted yet for other use cases be-sides drive-by mining and we therefore could not evaluate ourapproach on a larger dataset of benign applications

8 RELATEDWORKRelated work has extensively studied how and why attackers com-promise websites through the exploitation of software vulnera-bilities [16 18] misconfigurations [23] inclusion of third-partyscripts [48] and advertisements [75] Traditionally the attackersrsquogoals ranged from website defacements [17 42] over enlistingthe websitersquos visitors into distributed denial-of-service (DDoS) at-tacks [53] to the installation of exploit kits for drive-by downloadattacks [30 55 56] which infect visitors with malicious executablesIn comparison the abuse of the visitorsrsquo resources for cryptominingis a relatively new trend

Previous work on cryptomining focused on botnets that wereused to mine Bitcoin during the year 2011ndash2013 [34] The authorsfound that while mining is less profitable than other maliciousactivities such as spamming or click fraud it is attractive as asecondary monetizing scheme as it does not interfere with other

revenue-generating activities In contrast we focused our analysison drive-by mining attacks which serve the cryptomining pay-load as part of infected websites and not malicious executablesThe first other study in this direction was recently performed byEskandari et al [25] However they based their analysis solelyon looking for the coinhiveminjs script within the body ofeach website indexed by Zmap and PublicWWW [45] In this waythey were only able to identify the Coinhive service Furthermorecontrary to the observations made in their study we found thatattackers have found valuable targets such as online video stream-ing to maximize the time users spend online and consequentlythe revenue earned from drive-by mining Concurrently to ourwork Papadopoulos et al [51] compared the potential profits fromdrive-by mining to advertisement revenue by checking websitesindexed by PublicWWW against blacklists from popular browserextensions They concluded that mining is only more profitablethan advertisements when users stay on a website for longer peri-ods of time In another concurrent work Ruumlth et al [57] studiedthe prevalence of drive-by miners in Alexarsquos Top 1 Million web-sites based on JavaScript code patterns from a blacklist as well asbased on signatures generated from SHA-255 hashes of the Wasmcodersquos functions They further calculated the Coinhiversquos overallmonthly profit which includes legitimate mining as well In con-trast we focus on the profit of individual campaigns that performmining without their userrsquos explicit consent Furthermore withMineSweeper we also present a defense against drive-by miningthat could replace current blacklisting-based approaches

The first part of our defense which is based on the identificationof cryptographic primitives is inspired by related work on identi-fying cryptographic functionality in desktop malware which fre-quently uses encryption to evade detection and secure the commu-nication with its command-and-control servers Groumlbert et al [31]attempt to identify cryptographic code and extract keys based on dy-namic analysis Aligot [38] identifies cryptographic functions basedon their input-output (IO) characteristics Most recently Crypto-Hunt [72] proposed to use symbolic execution to find cryptographicfunctions in obfuscated binaries In contrast to the heavy use ofobfuscation in binary malware obfuscation of the cryptographicfunctions in drive-by miners is much less favorable for attackersShould they start to sacrifice profits in favor of evading defenses inthe future we can explore the aforementioned more sophisticateddetection techniques for detecting cryptomining code For the timebeing relatively simple fingerprints of instructions that are com-monly used by cryptographic operations are enough to reliablydetect cryptomining payloads as also observed by Wang et al [69]in concurrent work Their approach SEISMIC generates signaturesbased on counting the execution of five arithmetic instructions thatare commonly used by Wasm-based miners In contrast to profiling

whole Wasm modules we detect the individual cryptographic prim-itives of the cryptominersrsquo hashing algorithms and also supplementour approach by looking for suspicious memory access patterns

This second part of our defense which is based on monitor-ing CPU cache events is related to CloudRadar [76] which usesperformance counters to detect the execution of cryptographic ap-plications and to defend against cache-based side-channel attacksin the cloud Finally the most closely related work in this regardis MineGuard [64] also a hypervisor tool which uses signaturesbases on performance counters to detect both CPU- and GPU-basedmining executables on cloud platforms Similar to our work theauthors argue that the evasion of this type of detection would makemining unprofitablemdashor at least less of a nuisance to cloud operatorsand users by consuming fewer resources

9 CONCLUSIONIn this paper we examined the phenomenon of drive-bymining Therise of mineable alternative coins (altcoins) and the performanceboost provided to in-browser scripting code by WebAssembly havemade such activities quite profitable to cybercriminals rather thanbeing a one-time heist this type of attack provides continuousincome to an attacker

Detecting miners by means of blacklists string patterns or CPUutilization alone is an ineffective strategy because of both falsepositives and false negatives Already drive-by mining solutionsare actively using obfuscation to evade detection Instead of thecurrent inadequate measures we proposedMineSweeper a newdetection technique tailored to the algorithms that are fundamentalto the drive-by mining operationsmdashthe cryptographic computationsrequired to produce valid hashes for transactions

ACKNOWLEDGMENTSWe thank the anonymous reviewers for their valuable commentsand input to improve the paper We also thank Kevin BorgolteAravind Machiry and Dipanjan Das for supporting the cloud in-frastructure for our experiments

This research was supported by the MALPAY consortium con-sisting of the Dutch national police ING ABN AMRO RabobankFox-IT and TNO This paper represents the position of the au-thors and not that of the aforementioned consortium partners Thisproject further received funding from the European Unionrsquos MarieSklodowska-Curie grant agreement 690972 (PROTASIS) and the Eu-ropean Unionrsquos Horizon 2020 research and innovation programmeunder grant agreement No 786669 Any dissemination of resultsmust indicate that it reflects only the authorsrsquo view and that theAgency is not responsible for any use that may be made of theinformation it contains

This material is also based upon research sponsored by DARPAunder agreement number FA8750-15-2-0084 by the ONR underAward No N00014-17-1-2897 by the NSF under Award No CNS-1704253 SBA Research and a Security Privacy and Anti-Abuseaward from Google The US Government is authorized to repro-duce and distribute reprints for Governmental purposes notwith-standing any copyright notation thereon Any opinions findingsand conclusions or recommendations expressed in this publicationare those of the authors and should not be interpreted as necessarily

representing the official policies or endorsements either expressedor implied by our sponsors

REFERENCES[1] perf Linux profilingwith performance counters httpsperfwikikernel

orgindexphpMain_Page (2015)[2] CPU for Monero httpscryptomining24netcpu-for-monero (2017)

(Last accessed 2018-08-17)[3] Alexa httpswwwalexacom (2018) (Last accessed 2018-02-28)[4] CoinBlockerLists httpszerodot1gitlabioCoinBlockerListsWeb

(2018) (Last accessed 2018-05-09)[5] Coinhive httpscoinhivecom (2018)[6] Coinhive AuthedMine - A Non-Adblocked Miner httpscoinhivecom

documentationauthedmine (2018)[7] CryptoCompare httpswwwcryptocomparecomcoinsxmr (2018)

(Last accessed 2018-08-17)[8] Dr Mine httpsgithubcom1lastBr3athdrmine (2018)[9] MineCryptoNight httpsminecryptonightnet (2018) (Last accessed

2018-05-03)[10] MinerBlock httpsgithubcomxd4rkerMinerBlock (2018)[11] No Coin httpsgithubcomkerafNoCoin (2018)[12] PublicWWW httpspublicwwwcom (2018)[13] SimilarWeb httpswwwsimilarwebcom (2018)[14] WABT The WebAssembly Binary Toolkit httpsgithubcom

WebAssemblywabt (2018)[15] Nadav Avital Matan Lion and RonMasas CryptoMe0wing Attacks Kitty Cashes

in on Monero httpswwwincapsulacomblogcrypto-me0wing-attacks-kitty-cashes-in-on-monerohtml (May 2018)

[16] Kevin Borgolte Christopher Kruegel and Giovanni Vigna Delta AutomaticIdentification of Unknown Web-based Infection Campaigns In Proc of the ACMConference on Computer and Communications Security (CCS) (2013)

[17] Kevin Borgolte Christopher Kruegel and Giovanni Vigna Meerkat DetectingWebsite Defacements through Image-based Object Recognition In Proc of theUSENIX Security Symposium (2015)

[18] Davide Canali and Davide Balzarotti Behind the Scenes of Online Attacksan Analysis of Exploitation Behaviors on the Web In Proc of the Network andDistributed System Security Symposium (NDSS) (2013)

[19] Juan Miguel Carrascosa Jakub Mikians Ruben Cuevas Vijay Erramilli andNikolaos Laoutaris I Always Feel Like Somebodyrsquos Watching Me MeasuringOnline Behavioural Advertising In Proc of the ACM Conference on EmergingNetworking Experiments and Technologies (CoNEXT) (2015)

[20] Catalin Cimpanu Cryptojackers Found on Starbucks WiFi NetworkGitHub Pirate Streaming Sites httpswwwbleepingcomputercomnewssecuritycryptojackers-found-on-starbucks-wifi-network-github-pirate-streaming-sites (December 2017)

[21] Catalin Cimpanu Firefox Working on Protection Against In-BrowserCryptojacking Scripts httpswwwbleepingcomputercomnewssoftwarefirefox-working-on-protection-against-in-browser-cryptojacking-scripts (March 2018)

[22] Catalin Cimpanu Tweak to Chrome Performance Will Indirectly StifleCryptojacking Scripts httpswwwbleepingcomputercomnewssecuritytweak-to-chrome-performance-will-indirectly-stifle-cryptojacking-scripts (February 2018)

[23] Constanze Dietrich Katharina Krombholz Kevin Borgolte and Tobias FiebigInvestigating Operatorsrsquo Perspective on Security Misconfigurations In Proc ofthe ACM Conference on Computer and Communications Security (CCS) (2018)

[24] Abeer ElBahrawy Laura Alessandretti Anne Kandler Romualdo Pastor-Satorrasand Andrea Baronchelli Bitcoin ecology Quantifying and modelling the long-term dynamics of the cryptocurrency market arXiv170505334v3 [physicssoc-ph] (November 2017)

[25] Shayan Eskandari Andreas Leoutsarakos Troy Mursch and Jeremy Clark AFirst Look at Browser-based Cryptojacking In Proc of the IEEE Privacy andSecurity on the Blockchain Workshop (IEEE SampB) (2018)

[26] Amir Feder Neil Gandal JT Hamrick Tyler Moore andMarie Vasek The Rise andFall of Cryptocurrencies In Proc of the Workshop on the Economics of InformationSecurity (WEIS) (2018)

[27] DanGoodin Websites use your CPU tomine cryptocurrency evenwhen you closeyour browser httpsarstechnicacominformation-technology201711sneakier-more-persistent-drive-by-cryptomining-comes-to-a-browser-near-you (November 2017)

[28] Dan Goodin Now even YouTube serves ads with CPU-draining crypto-currency miners httpsarstechnicacominformation-technology201801now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners (January 2018)

[29] Google Chromium Issue 766068 Please consider intervention for high cpu us-age js httpsbugschromiumorgpchromiumissuesdetailid=

766068 (September 2017)[30] Chris Grier Lucas Ballard Juan Caballero Neha Chachra Christian J Dietrich

Kirill Levchenko Panayiotis Mavrommatis Damon McCoy Antonio NappaAndreas Pitsillidis Niels Provos M Zubair Rafique Moheeb Abu Rajab ChristianRossow Kurt Thomas Vern Paxson Stefan Savage and Geoffrey M VoelkerManufacturing Compromise The Emergence of Exploit-as-a-service In Proc ofthe ACM Conference on Computer and Communications Security (CCS) (2012)

[31] Felix Groumlbert Carsten Willems and Thorsten Holz Automated Identificationof Cryptographic Primitives in Binary Programs In Proc of the InternationalSymposium on Recent Advances in Intrusion Detection (RAID) (2011)

[32] Andreas Haas Andreas Rossberg Derek L Schuff Ben L Titzer Michael HolmanDan Gohman Luke Wagner Alon Zakai and JF Bastien Bringing the WebUp to Speed with WebAssembly In Proc of the ACM SIGPLAN Conference onProgramming Language Design and Implementation (PLDI) (2017)

[33] John J Hoffman Steve C Lee and Jeffrey S Jacobson New Jersey Division ofConsumer Affairs Obtains Settlement with Developer of Bitcoin-Mining SoftwareFound to Have Accessed New Jersey Computers Without Usersrsquo Knowledgeor Consent httpsnjgovoagnewsreleases15pr20150526bhtml(May 2015)

[34] Danny Yuxing Huang Hitesh Dharmdasani Sarah Meiklejohn Vacha DaveChris Grier Damon Mccoy Stefan Savage Nicholas Weaver Alex C Snoerenand Kirill Levchenko Botcoin Monetizing Stolen Cycles In Proc of the Networkand Distributed System Security Symposium (NDSS) (2014)

[35] Simon Kenin Mass MikroTik Router Infection ndash First we cryptojack Brazilthen we take the World httpswwwtrustwavecomResourcesSpiderLabs-BlogMass-MikroTik-Router-Infection---First-we-cryptojack-Brazil-then-we-take-the-World- (August 2018)

[36] Brian Krebs Who and What Is CoinHive httpskrebsonsecuritycom201803who-and-what-is-coinhive (March 2018)

[37] McAfee Labs McAfee Labs Threats Report httpswwwmcafeecomusresourcesreportsrp-quarterly-threat-q1-2014pdf (June 2014)

[38] Pierre Lestringant Freacutedeacuteric Guiheacutery and Pierre-Alain Fouque Aligot Cryp-tographic Function Identification in Obfuscated Binary Programs In Proc ofthe ACM Symposium on Information Computer and Communications Security(ASIACCS) (2015)

[39] Shannon Liao Showtime websites secretly mined user CPU for crypto-currency httpswwwthevergecom201792616367620showtime-cpu-cryptocurrency-monero-coinhive (September 2017)

[40] Shannon Liao UNICEF wants you to mine cryptocurrency for char-ity httpswwwthevergecom201843017303624unicef-mining-cryptocurrency-charity-monero (April 2018)

[41] Chaoying Liu and Joseph C Chen Cryptocurrency Web Miner ScriptInjected into AOL Advertising Platform httpsblogtrendmicrocomtrendlabs-security-intelligencecryptocurrency-web-miner-script-injected-into-aol-advertising-platform (April 2018)

[42] Federico Maggi Marco Balduzzi Ryan Flores Lion Gu and Vincenzo CiancagliniInvestigating Web Defacement Campaigns at Large In Proc of the ACM AsiaConference on Computer and Communications Security (ASIACCS) (2018)

[43] Aleecia M McDonald and Lorrie Faith Cranor Americansrsquo Attitudes AboutInternet Behavioral Advertising Practices In Proc of the ACM Workshop onPrivacy in the Electronic Society (WPES) (2010)

[44] Andrey Meshkov Crypto-Streaming Strikes Back httpsblogadguardcomencrypto-streaming-strikes-back (December 2017)

[45] Troy Mursch Cryptojacking malware Coinhive found on 30000+ web-sites httpsbadpacketsnetcryptojacking-malware-coinhive-found-on-30000-websites (November 2017)

[46] TroyMursch How to find cryptojacking malware httpsbadpacketsnethow-to-find-cryptojacking-malware (February 2018)

[47] Satoshi Nakamoto Bitcoin A Peer-to-Peer Electronic Cash System httpswwwbitcoinorgbitcoinpdf (2009)

[48] Nick Nikiforakis Luca Invernizzi Alexandros Kapravelos Steven Van AckerWouter Joosen Christopher Kruegel Frank Piessens and Giovanni Vigna YouAre What You Include Large-scale Evaluation of Remote Javascript InclusionsIn Proc of the ACM Conference on Computer and Communications Security (CCS)(2012)

[49] Lindsey OrsquoDonnell Cryptojacking Attack Found on Los Angeles Times Web-site httpsthreatpostcomcryptojacking-attack-found-on-los-angeles-times-website130041 (February 2018)

[50] Lindsey OrsquoDonnell Cryptojacking Campaign Exploits Drupal Bug Over 400Websites Attacked httpsthreatpostcomcryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked131733 (May2018)

[51] Panagiotis Papadopoulos Panagiotis Ilia and Evangelos P Markatos Truth inWeb Mining Measuring the Profitability and Cost of Cryptominers as a WebMonetization Model arXiv180601994v1 [csCR] (June 2018)

[52] Panagiotis Papadopoulos Nicolas Kourtellis and Evangelos P Markatos TheCost of Digital Advertisement Comparing User and Advertiser Views In Proc ofthe World Wide Web Conference (WWW) (2018)

[53] Giancarlo Pellegrino Christian Rossow Fabrice J Ryba Thomas C Schmidt andMatthias Waumlhlisch Cashing Out the Great Cannon On Browser-Based DDoSAttacks and Economics In Proc of the USENIXWorkshop on Offensive Technologies(WOOT) (2015)

[54] Pirate Bay Miner httpsthepiratebayorgblog242 (September 2017)[55] Niels Provos Panayiotis Mavrommatis Moheeb Abu Rajab and Fabian Monrose

All Your iFRAMEs Point to Us In Proc of the USENIX Security Symposium (2008)[56] Niels Provos Dean McNamee Panayiotis Mavrommatis Ke Wang and Nagendra

Modadugu The Ghost in the Browser Analysis of Web-based Malware In Procof the Workshop on Hot Topics in Understanding Botnets (HotBots) (2007)

[57] Jan Ruumlth Torsten Zimmermann Konrad Wolsing and Oliver Hohlfeld Digginginto Browser-based CryptoMining In Proc of the ACM Internet Measurement Con-ference (IMC) (2018) (Preprint httpsarxivorgabs180800811v1)

[58] Salon FAQ What happens when I choose to ldquoSuppress Adsrdquo onSalon httpswwwsaloncomaboutfaq-what-happens-when-i-choose-to-suppress-ads-on-salon (2018)

[59] Jeacuterocircme Segura Malicious cryptomining and the blacklist conundrumhttpsblogmalwarebytescomthreat-analysis201803malicious-cryptomining-and-the-blacklist-conundrum (March2018)

[60] Jeacuterocircme Segura The state of malicious cryptomining httpsblogmalwarebytescomcybercrime201802state-malicious-cryptomining (March 2018)

[61] Seigen Max Jameson Tuomo Nieminen Neocortex and Antonio M JuarezCryptoNight Hash Function httpscryptonoteorgcnscns008txt(March 2013)

[62] Denis Sinegubko Hacked Websites Mine Cryptocurrencies httpsblogsucurinet201709hacked-websites-mine-crypocurrencieshtml(September 2017)

[63] Slushpool Stratum Mining Protocol httpsslushpoolcomhelpmanualstratum-protocol (2016)

[64] Rashid Tahir Muhammad Huzaifa Anupam Das Mohammad Ahmad CarlGunter Fareed Zaffar Matthew Caesar and Nikita Borisov Mining on SomeoneElsersquos Dime Mitigating Covert Mining Operations in Clouds and Enterprises InProc of the International Symposium on Recent Advances in Intrusion Detection(RAID) (2017)

[65] Iain Thomson Pulitzer-winning website Politifact hacked to mine crypto-coins inbrowsers httpswwwtheregistercouk20171013politifact_mining_cryptocurrency (October 2017)

[66] Mircea Trofin Chromium Code Reviews Issue 2656103003 [wasm] flag for asm-wasm investigations httpscodereviewchromiumorg2656103003(January 2017)

[67] Alejandro Viquez Opera introduces bitcoin mining protection in all mobilebrowsers ndash herersquos how we did it httpsblogsoperacommobile201801opera-introduces-bitcoin-mining-protection-mobile-browsers (January 2018)

[68] Luke Wagner Turbocharging the Web IEEE Spectrum (December 2017)(Online version httpsspectrumieeeorgcomputingsoftwarewebassembly-will-finally-let-you-run-highperformance-applications-in-your-browser)

[69] Wenhao Wang Benjamin Ferrell Xiaoyang Xu Kevin W Hamlen and ShuangHao SEISMIC SEcure In-lined Script Monitors for Interrupting CryptojacksIn Proc of the European Symposium on Research in Computer Security (ESORICS)(2018)

[70] Web Hypertext Application Technology Working Group HTML LivingStandard Web workers httpshtmlspecwhatwgorgmultipageworkershtml (2018)

[71] Chris Williams UK ICO USCourtsgov Thousands of websites hi-jacked by hidden crypto-mining code after popular plugin pwnedhttpwwwtheregistercouk20180211browsealoud_compromised_coinhive (February 2018)

[72] Dongpeng Xu Jiang Ming and Dinghao Wu Cryptographic Function Detectionin Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping In Proc of theIEEE Symposium on Security and Privacy (SampP) (2017)

[73] Yandex Yandex Browser Strengthens Cryptocurrency Mining Protectionhttpsyandexcomcompanyblogyandex-browser-strengthens-cryptocurrency-mining-protection (March 2018)

[74] Zhang Zaifeng Who is Stealing My Power III An Adnetwork Company CaseStudy httpsblognetlab360comwho-is-stealing-my-power-iii-an-adnetwork-company-case-study-en (February 2018)

[75] Apostolis Zarras Alexandros Kapravelos Gianluca Stringhini Thorsten HolzChristopher Kruegel and Giovanni Vigna The Dark Alleys of Madison Av-enue Understanding Malicious Advertisements In Proc of the ACM InternetMeasurement Conference (IMC) (2014)

[76] Tianwei Zhang Yinqian Zhang and Ruby B Lee CloudRadar A Real-TimeSide-Channel Attack Detection System in Clouds In Proc of the InternationalSymposium on Recent Advances in Intrusion Detection (RAID) (2016)

[77] Zeljka Zorz How a URL shortener allows malicious actors to hijack visi-torsrsquo CPU power httpswwwhelpnetsecuritycom20180523url-shortener-cryptojacking (May 2018)

Abstract

1 Introduction

2 Background

21 Cryptocurrency Mining Pools

22 In-browser Cryptomining

23 Web Technologies

24 Existing Defenses against Drive-by Mining

3 Threat Model

4 Drive-by Mining in the Wild

41 Data Collection

42 Data Analysis and Correlation

43 In-depth Analysis and Results

44 Common Drive-by Mining Characteristics

5 Drive-by Mining Detection

51 Cryptomining Hashing Code

52 Wasm Analysis

53 Cryptographic Function Detection

54 Deployment Considerations

6 Evaluation

7 Limitations and Future Work

8 Related Work

9 Conclusion

References