Sneaky Crypto Malware Miners Are Targeting Ad Networks Next

Websites and publishers need to be prepared for cryptocurrency miners slipping into ads on their sites, according to Israeli adtech firm Spotad.

Jan 4, 2018 at 7:00 a.m. UTC
Updated Sep 13, 2021 at 7:20 a.m. UTC

The company, which operates an AI-powered advertising platform for purchasing media space, recently discovered cryptocurrency mining activity on its network, a development the company claims is becoming part of a wider trend.

Spotad’s AI system, named "Sarah," recently identified anomalies in the code of seemingly legitimate ads for both desktop and mobile that turned out to be a miner for the cryptocurrency monero. The JavaScript-enabled ad was designed to dupe users into clicking on a pop-up that would initiate the mining process.

According to co-founder Yoav Oz, the agency responsible for the ad was unaware of the code that was embedded inside. The name of the agency or the subject of the ad has not been disclosed.

"Look at what's happening today around this entire cryptocurrency world, you see how much money is involved, you see the volume picking up week by week," added Tomer Horev, chief strategy officer, who led the team that discovered the code.

He told CoinDesk:

"I think people identify that as the next gold rush and they will try to do everything that they can in order to produce this kind of money."

Oz and Horev explained that Spotad's AI system regularly monitors for irregularities in ads and is now being trained at spotting cryptocurrency mining scripts.

Some of the key signals include a lack of click or behavior patterns typically seen in legitimate ads. "It was showing a different kind of behavior where users were not clicking much, there was no engagement on the ad. That’s where we got the signals out of our system," said Horev.

Monero mining

Why monero though? The cryptocurrency is currently trading at around the $440 mark while bitcoin is having its bumper year, topping $18,000. According to Oz and Horev, it’s simply easier to mine surreptitiously.

Horev explained:

"The mining protocol for the big [cryptocurrencies], like bitcoin and bitcoin cash… to mine that kind of crypto requires high end servers and even GPU-based processing. Monero has script that can perform well on CPUs that actually reside in any desktop, laptop, and mobile device."

"This type of cryptocurrency has value harvesting through low end devices," he continued.

This week a Russian cybersecurity firm publicized a piece of Android malware called Loapi that is spread through ad campaigns and app stores and can mine monero even on low-powered processors.

Cryptocurrency miners have become a controversial topic since torrent site The Pirate Bay ran monero mining code that it claimed it was testing as an alternative to advertising. Even sites from TV network Showtime and MMA organization UFC had run code from CoinHive, which makes this type of script for mining monero. In these cases, users were not immediately aware that their CPUs were being put to work mining for cryptocurrency.

Symantec published a report this week that stated there is now a cryptocurrency miner “arms race” under way as more cybercriminals seek ways to cash in on the cryptocurrency buzz, whether it’s monero or other coins like zcash or ether.

Time to act

Per the Symantec report, publishers and website owners need to be vigilant with the integrity of their websites’ source and be wary of any injections that may be miner scripts. Online publications typically use tools to detect fraudulent activity or inappropriate traffic on their sites.
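One way a publisher could check its own page source for injected scripts, shown as an added example that is not from the article, Spotad or Symantec. The allowlisted hosts, the sample markup and the `audit_scripts` helper are constructed for illustration; the only keyword used is the CoinHive name mentioned in this article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed values: hosts this publisher has approved to serve scripts.
ALLOWED_SCRIPT_HOSTS = {"www.example-publisher.test", "cdn.example-adnetwork.test"}
# "coinhive" is the miner-script maker named in the article; extend as needed.
MINER_KEYWORDS = ("coinhive",)

class ScriptAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []      # (finding, detail) pairs
        self._inline = None     # text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self._inline = []   # inline script: body is checked at the end tag
        elif any(k in src.lower() for k in MINER_KEYWORDS):
            self.findings.append(("miner-keyword", src))
        # Relative URLs have no hostname and load from the page's own host.
        elif (urlparse(src).hostname or self.page_host) not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unapproved-host", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).lower()
            if any(k in body for k in MINER_KEYWORDS):
                self.findings.append(("miner-keyword", "inline script"))
            self._inline = None

def audit_scripts(html, page_host):
    # Returns the findings for every <script> tag in the given markup.
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample markup: two approved scripts, then three that should be flagged.
SAMPLE_PAGE = """<script src="/js/app.js"></script>
<script src="https://cdn.example-adnetwork.test/tag.js"></script>
<script src="//static.unknown-cdn.test/lib.js"></script>
<script src="https://coinhive.example.test/m.js"></script>
<script>startCoinhiveWorker();</script>"""
```

This only sees scripts in the publisher's own markup. Code delivered inside a third-party ad iframe, as in the case Spotad describes, is outside its view.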

These tools will need to evolve to consider miners, added Horev.

"I think here requires a different type of fraud detection that when something happens on the device itself and not on the publisher website. I’m not sure that this type of technology is yet to be introduced in fraud detection tools but I believe it’s just a matter of time," he said.

For regular users, the tell-tale signs are a little easier to spot as the CPU will run at 100% and the responsiveness of the site in question, and even the entire device, will slow down. Some antivirus and security software vendors have moved to block scripts suspected of being miners.

"The motivation is out there [to mine]," said Horev. "It’s time for more action to be taken and fraud and detection tools to get into the game."
