Web-based Cryptojacking in the Wild

TL;DR

This paper investigates the widespread presence of cryptojacking on popular websites, analyzing its characteristics, revenue potential, and effectiveness of countermeasures through a large-scale systematic study.

Contribution

It introduces a three-phase analysis method to detect mining scripts and provides the first large-scale measurement of cryptojacking prevalence on top websites.

Findings

Cryptojacking is present on 1 in 500 popular websites.

Mining scripts exhibit specific code characteristics.

Current blacklist-based defenses are only partially effective.

Abstract

With the introduction of memory-bound cryptocurrencies, such as Monero, the implementation of mining code in browser-based JavaScript has become a worthwhile alternative to dedicated mining rigs. Based on this technology, a new form of parasitic computing, widely called cryptojacking or drive-by mining, has gained momentum in the web. A cryptojacking site abuses the computing resources of its visitors to covertly mine for cryptocurrencies. In this paper, we systematically explore this phenomenon. For this, we propose a 3-phase analysis approach, which enables us to identify mining scripts and conduct a large-scale study on the prevalence of cryptojacking in the Alexa 1 million websites. We find that cryptojacking is common, with currently 1 out of 500 sites hosting a mining script. Moreover, we perform several secondary analyses to gain insight into the cryptojacking landscape, including a measurement of code characteristics, an estimate of expected mining revenue, and an evaluation of current blacklist-based countermeasures.