Malware that covertly mines cryptocurrency while you browse the web is big news right now, literally in the case of news outlet Salon, which has enabled it as an opt-in feature. One thing that it surely isn’t, though, is big business. Every other day, media outlets seem to be running stories about the latest cryptojacking scams. Whereas these tales are mostly true, the degree of the problem has been vastly exaggerated. Smart criminals aren’t covertly crypto mining in-browser, not because they’re incapable of doing so, but because even at scale it simply isn’t profitable.
Last weekend, it arose that the Browse Aloud web browser plugin had been nicked, causing it to surreptitiously mine cryptocurrency on around 5,000 computers. Among those affected were systems used by a number of British government bodies including the National Health Service and a student loans company. At the time, a spokesperson for the UK’s National Cyber Security Centre said: “NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency…Government websites will continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk.”
Obviously members of the public weren’t at risk – in any sense of the word. The only real side effects of having your browsing session cryptojacked are perhaps a slowdown in computing performance and the device heating up. The majority of web users wouldn’t even be aware that anything was amiss. While relatively benign, as cyber-attacks go, mining malware is still an inconvenience that no web user would reasonably be expected to tolerate…except for instances where that was the price of access. Salon sparked headlines this week after unveiling plans to do just that as a means of monetizing its news site.
Media organizations are continuously seeking new ways of monetizing their sites. In an era of ad blockers and diminishing attention spans, generating any sort of payment per click is an achievement. The notion of web users mining monero – an unidentified cryptocurrency identical with the deep web and its wares – in order to fund a mainstream news site is an amusing one. It’s also an illogical one, on many levels. According to estimates provided by Coinhive, the software used by Salon as well as by the criminals in last weekend’s UK-wide cyberjacking scam, the return to be made on browser mining is pitiful.
One million visitors spending five minutes on a website would result in a total of $64 of monero being mined. The 5,000 UK government machines that were infected using Coinhive netted a paltry $24 in monero. Browser mining cryptocurrency, be it on a permissioned or permissionless basis, is unprofitable. If you’re going to bend the rules to mine crypto, you need access to a government supercomputer and the skills to avoid getting caught. Otherwise, the juice simply isn’t worth the squeeze.