A Retrospective Analysis of User Exposure to (Illicit) Cryptocurrency Mining on the Web

Ralph Holz, Diego Perino, Matteo Varvello, Johanna Amann, Andrea Continella, Nate Evans, Ilias Leontiadis, Christopher Natoli, Quirin Scheitle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review



In late 2017, a sudden proliferation of malicious JavaScript was reported on the Web: browser-based mining exploited the CPU time of website visitors to mine the cryptocurrency Monero. Several studies measured the deployment of such code and developed defenses. However, previous work did not establish how many users were really exposed to the identified mining sites and whether there was a real risk given common user browsing behavior. In this paper, we present a retroactive analysis to close this research gap. We pool large-scale, longitudinal data from several vantage points, gathered during the prime time of illicit cryptomining, to measure the impact on web users. We leverage data from passive traffic monitoring of university networks and a large European ISP, with suspected mining sites identified in previous active scans. We corroborate our results with data from a browser extension with a large user base that tracks site visits. We also monitor open HTTP proxies and the Tor network for malicious injection of code. We find that the risk for most Web users was always very low, much lower than what deployment scans suggested. Any exposure period was also very brief. However, we also identify a previously unknown and exploited attack vector on mobile devices.
Original language: English
Title of host publication: TMA Conference 2020
Subtitle of host publication: Proceedings of the 4th Network Traffic Measurement and Analysis Conference, Berlin, Germany, June 10-11, 2020
Number of pages: 9
ISBN (Electronic): 978-3-903176-27-0
Publication status: Published - 1 Jun 2020
Event: TMA 2020 Network Traffic Measurement and Analysis Conference - Online Conference, Berlin, Germany
Duration: 10 Jun 2020 - 11 Jun 2020


Conference: TMA 2020 Network Traffic Measurement and Analysis Conference
Abbreviated title: TMA 2020


  • Cybersecurity

