The CoinHive Monero Mining Service was hacked using DNS Settings

The CoinHive website for Monero mining was hijacked so that the websites embedded by its code have purposely redirected their generated cryptocurrency to the attackers’ servers, instead of CoinHive’s official servers.

The blooming popularity of cryptocurrencies was so rapid that even attackers have diverted their attention into these digital currencies rather than physical ones.  Attackers have devised numerous ways to take advantage of the anonymity of the currency and its characteristic of being almost impossible to trace.

Mining cryptocurrencies can be a costly investment for it consumes a great amount of computing power, and consequently, hackers have started using malware that, ideally, temporarily rents computing resources of computers it hijacks to make money in forms of digital currency.  Only last September, 2017, Microsoft Servers were targeted by hackers to mime Monero and have successfully earned $63,000 in three months.

Although researchers not yet identified the attackers, it was reported that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine Monero cryptocurrency.

Another breaking news about web-based cryptocurrency mining is the infamous “The Pirate Bay” who secretly included a Javascript cryptocurrency miner in their web page.

The reason of hackers choosing Monero is that it uses a proof-of-work algorithm called CryptoNight, which perfectly suits computer or server CPUs and GPUs.  However, this is not the first time when researchers have reported such malware mining Monero by temporarily utilizing computing resources of compromised computers.

In the CoinHive hacking, hackers have used an old Cloudflare account password to reconfigure’s DNS settings.  The password was allegedly obtained because of the Kickstarter site data breach last 2014.  Due to the modifications made to the DNS settings of, websites embedding Coin Hive’s JavaScript were actually embedding a duplicated script that diverted any Monero generated by their visitors’ browsers into the attackers’ servers.

Officially, CoinHive have released the following statements:

“The DNS records for have been manipulated to redirect requests for the coinhive.min.js to a third party server. This third party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker ‘steal’ hashes from our users,” Coinhive said in a statement.”

CoinHive have also announced that it will recompense users who have been affected of the hacking incident.

Due to the smallest negligence which is one little piece of information, a Cloudfare account password, that slipped through the internet, the CoinHive have suffered a great lost.  This implies that cyber-security is not only about establishing firewalls or general protective measure, but about securing and noting every little cyber-activity that have the potential to cause even the slightest cyber-breach.

Accordingly, it is strongly advised that after reported breaches, affected administrators and users should change their passwords immediately to avoid leakage across the internet.  Using pass-phrases must also be avoided.  It is also advisable to always use two-factor authentication.


Since CoinHive is one of the most popular service that aids websites to utilize their visitorss computing power, others might have been glad of the CoinHive hacking.  However, for those who does not want web pages to take advantage of their computer resources, other third party apps can be installed like No Coin or minerBlock application.  There are also browser extensions that can also block web-based miners.


Manny Cuevas

My name is Manny Cuevas a Security Researcher / Engineer for about 15 years that focuses on Web and Mobile applications and other platforms from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypass all security systems.


Leave a Reply

Your email address will not be published. Required fields are marked *