This blog post pertains specifically to concerns around crypto miners being embedded into display advertisements. Cryptojacking within the larger context of the web is an altogether different beast, and a rather pervasive problem worthy of concern and significant scrutiny. Cryptojacking incidents that are not ad related usually stem from the compromise or hostile takeover of a website or browser extension by a malicious attacker.

A few years back, Bitcoin embarked on a notorious bull run putting it onto the world’s financial radar. Blockchain technology quickly went from ersatz transactional medium to one that needed to be taken seriously. At the time I worked at an ad exchange and all week long you heard these conversations buzzing around the office.

But what is it?

How do you actually spend it at a store?

How can we as a technology company take advantage of this new and valuable “thing”?

Over lunch, one of the sysadmins suggested in jest that we just use our idle servers to mine during off-peak hours, but this was immediately shrugged off as too costly to make solid business sense. Well, how about we blockchainify our transaction data and actually become the first fully transparent ad exchange? That idea fell flat on its face as well with the realization that this would require a complete engineering overhaul of an infrastructure optimized to handle hundreds of millions of daily impressions. A voice crept out of the corner of the room:

You guys are thinking about this entirely wrong. Just think about the quarter billion or so impressions that we see each day. What if each of those impressions was actually doing some mining on our behalf, on the client side? That might add up real fast….

It was like a light bulb went off — and the number crunching was under way. Unfortunately (or fortunately) we determined that a JavaScript driven CPU hash rate was nowhere near enough to make this a worthwhile exercise when competing against vast farms of ASIC miners. The conversation fell by the wayside.

Then, several years later a Hacker News thread caused quite a stir:

https://news.ycombinator.com/item?id=15246145

Looks like some folks were finally able to connect the dots with a formula that included Web Assembly and a cryptocurrency called Monero. Monero’s mining algorithm is optimized for CPU performance, which makes it a great candidate for browser based mining. The service is called Coinhive, and the business model is very much akin to that of a traditional ad network. Publishers place a tag on their sites that runs WASM code and communicates back to the network via web sockets. In return they get paid a rev share of ~70%.

It took approximately one day (maybe less) from the moment that Coinhive made their announcement until we saw their code being stuffed in a programmatic ad. The following week, the practice of embedding cryptocurrency miners into webpages was dubbed “cryptojacking” and all of the trades were awash with stories on the topic.

To be clear: The hunt for a sensible method of browser based mining never surfaced from a place of malicious intent, but rather out of a deep need for an alternative source of hash power. Cryptocurrency mining is a very competitive landscape with a high barrier to entry. The more mining nodes that live on a network, the harder it is to get a piece of the pie for a smaller new comer.

The conversation around distributed mining in the browser was never about nefarious activity, it‘s about a desire to lower the bar and tap into these underutilized resources. Remember SETI or Folding@Home? These are both good examples of responsible distributed computing projects along the same lines, but not cryptocurrency focused.

JavaScript based mining is not inherently malicious or threatening, and should the numbers behind it ever stack up appropriately, it could very well become a viable alternative for monetizing impressions.

However, big problems occur when the JavaScript miners are set to run un-throttled at full scale, and without notifying the visitor. An un-throttled JavaScript miner can very rapidly degrade hardware and browser performance and ruin a visitor’s experience.

The bulk of the cryptojacking out there is done by nefarious actors that hack websites and hijack browser plugins in order to stuff the crypto mining code into visitors pages. This is somewhat prevalent and certainly harmful. However, when we look at the programmatic landscape, it happens to be a very rare, short lived, and minor nuisance.

Now for the proof.

At Confiant, we monitor billions of impressions every month, all in real time, with the explicit focus of identifying and blocking malicious advertisements as they are served. It’s what we do best, and we’re getting exceedingly efficient at it. The reason we have been able to start blocking Coinhive from day one is, because browser based crypto miners are easy to block. Here’s why:

1) Browser based crypto mining is always conducted by a “client” that talks back to a centralized service via WebSocket. It’s trivial to identify the presence of that centralized service based on their domain appearing in the creative code.

2) JavaScript miners, from what we have seen, are all implemented in Web Assembly or WASM. WASM is a great technology, but today it has little to no application in digital advertising. In fact, if someone were to pursue a copycat implementation on their own, they would likely be running WASM code inside their own creative. So, how many standalone WASM creatives have we seen in the last 30 days?

Zero.

Now don’t get me wrong… on occasion we do see the occasional campaign that serves alongside it a Coinhive tag, or the tag of a Coinhive copycat, but how often does that happen? Here are some stats:

• In the past 30 days Coinhive (and copycats) have made up 0.13% of all total security violations identified and blocked by Confiant.

• ~70% of those occurred over a 3 day flash spike, likely from a single bad actor.

• ~99% of all cryptojacking incidents we have seen are Coinhive and not copycats.

So why is cryptojacking just a drop in the bucket when it comes to the world of programmatic ad security? I believe the answer is simply that it’s just not that lucrative.

Javascript mining is not profitable enough to stand alone when pitted against the cost of running the ad, so malvertisers might try to pair the cryptojacking with whatever other unsavory campaigns they are running. However, because cryptojacking is so easy to identify and block, bad actors are quick to realize that the effort is actually siphoning profits away from their other shady doings, and as a result they pull back almost immediately.