YouTube Users’ Computers Hijacked by Cryptocurrency Miners

Ads on YouTube, created by a few unknown attackers, have recently been slowing down YouTube users' computers and using their CPUs and electricity to generate digital currency.

Reports of the ads first came out last week on Tuesday when a few YouTube users reported to the site that their antivirus systems were detecting cryptocurrency mining code only when they were visiting YouTube, even when they changed browsers.

“An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick,” said Trend Micro, concluding that the ads were being displayed to select countries, like Japan, France, Taiwan, Italy and Spain. “We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices.”

The ads being displayed all contain JavaScript that mines a digital coin called Monero. About 9 out of 10 times, the ads use JavaScript from Coinhive, a cryptocurrency-mining service that lets its subscribers secretly profit off of using other people’s computers. It’s a controversial service to say the least. The rest of the time, the ads use private mining JavaScript that allows the attackers to keep the 30 percent cut that Coinhive takes. All this leaves users' computers barely functioning; the mining takes up about 80 percent of the target CPU's processing power.

"YouTube was likely targeted because users are typically on the site for an extended period of time," independent security researcher Troy Mursch told Ars Technica. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made."

A Google representative has responded to the situation. Here is what the representative has to say:

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

However, despite the representative claiming that the ads were blocked in less than two hours, Trend Micro, along with other YouTube users, has shown evidence that suggests the ads have been running for as long as a week.

Sean Berry
Sean Berry is Videomaker's managing editor.