Protection Against Crypto Mining Abuse


Cryptocurrency mining delivered via websites, a monetization model where JavaScript or WebAssembly code runs within a victim’s browser to mine cryptocurrencies, has reemerged in a quieter-but-still-problematic form. While early tools like Coinhive (2017–2019) made headlines, today’s active platforms include CryptoTab Browser, Pi Network, and YouHolder, which offer mining-like experiences via browsers or mobile devices.

Yet, despite renewed interest, browser-based mining remains largely unprofitable for individuals. High electricity costs and limited CPU-based yields mean that users often earn only a few cents per day, far less than what traditional mining setups deliver. More efficient miners rely on WebAssembly to boost performance, but this also raises the stealth factor and the potential for misuse.

Media outlets once spotlighted Coinhive, particularly after a high-profile case in which sources such as BleepingComputer and Gizmodo reported the presence of Coinhive’s Monero Blockchain JavaScript miner on two of Showtime’s websites. The script was removed, though it was never confirmed whether this was intentional or the result of a hack. Most sources also stated that Showtime had refused to comment. Malware Intelligence Analyst Jerome Segura termed this undisclosed use of miner scripts ‘drive-by mining’ in his article on the subject:

“Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.”


Coinhive’s closure in March 2019 marked a shift in the cryptojacking landscape. Cryptojacking persists today via new script variants and injection techniques, but the overall volume of attacks remains lower than during the Coinhive peak. However, as browser-based cryptomining evolves, with more efficient script types and new distribution channels, visibility into which domains host these resource-draining scripts is more important than ever. That’s why Malware Patrol created our Cryptojacking Data Feed: a curated, updated list of domains running active mining scripts.

This feed enables security teams to:

  • Block access to cryptojacking domains before resource abuse impacts user experience or infrastructure.

  • Monitor your environment for emerging threats or suspicious mining behavior.

  • Conduct threat research using real-time domain data.

Note: This feed is strictly focused on browser-based cryptomining scripts – it does not include cryptomining malware.
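One way to apply a domain feed like this to the monitoring use case, as an added example that is not Malware Patrol's code: it matches DNS query log lines against a blocklist on whole-label boundaries, so subdomains of a listed domain are flagged while look-alike names are not. The feed layout (one domain per line), the log layout, and every domain and address below are constructed assumptions.

```python
# Constructed feed excerpt. One domain per line with '#' comments is an assumed format.
FEED_TEXT = """\
# constructed sample, not real feed data
miner.example.net
Coin-Pool.example.org.
"""

# Constructed DNS query log, assumed layout: "<timestamp> <client_ip> <queried_name>"
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com
2024-05-01T10:00:02Z 10.0.0.5 ws01.miner.example.net.
2024-05-01T10:00:03Z 10.0.0.7 MINER.example.net
2024-05-01T10:00:04Z 10.0.0.7 notminer.example.net
2024-05-01T10:00:05Z 10.0.0.9 coin-pool.example.org
2024-05-01T10:00:06Z truncated-line
"""

def normalize(name):
    """Lowercase and drop the trailing root dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()

def load_feed(text):
    """Parse feed text into a set of normalized domains, skipping comments."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {normalize(entry) for entry in entries if entry}

def matched_domain(name, blocklist):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    # Walk whole labels: notminer.example.net must not match miner.example.net,
    # which a plain endswith() test would get wrong.
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def find_hits(log_text, blocklist):
    """Return (timestamp, client, queried_name, listed_domain) for each match."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines instead of failing
            continue
        timestamp, client, qname = parts
        listed = matched_domain(qname, blocklist)
        if listed:
            hits.append((timestamp, client, normalize(qname), listed))
    return hits
```

Calling `find_hits(DNS_LOG, load_feed(FEED_TEXT))` returns three hits from the sample log, one per client, each paired with the listed domain that triggered it.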

The feed is updated twice daily and included for free with any commercial subscription. Existing customers can contact their account manager to enable integration in their portal. Not a customer yet? Contact us to discuss your threat data needs or to arrange a free data evaluation period.

Andre Correa

Founder, Malware Patrol


Information Security and Cyber Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded Malware Patrol in 2005. The company helps enterprises around the world to correlate, detect, and prevent cyber attacks through some of the most comprehensive threat intelligence feeds and blocklists on the market.
