Dissecting the Infrastructure Used in Web-based Cryptojacking: A Measurement Perspective
Ayodeji Adeniran, Kieran Human, David Mohaisen
TL;DR
The paper analyzes the infrastructure behind web-based cryptojacking using the MANiC dataset of 887 sites, Whois-derived hosting data, and VirusTotal scans to assess which sites still host malicious content and how they are distributed geographically. It finds CoinHive to be the dominant cryptomining service within the malicious subset and reveals a heavy-tailed geographic distribution concentrated in the United States and other tech-forward regions. A substantial fraction of the sites have been cleaned up or no longer host malicious content, but a nontrivial portion remains at risk, underscoring detection gaps and the need for ongoing monitoring. The study provides an infrastructure-centric view of cryptojacking, offering actionable insights for security practitioners and policymakers who want to target hosting patterns, strengthen defenses, and track how the threat evolves.
Abstract
This paper conducts a comprehensive examination of the infrastructure supporting cryptojacking operations. The analysis elucidates the methodologies, frameworks, and technologies that malicious entities employ to misuse computational resources for unauthorized cryptocurrency mining. The investigation focuses on identifying websites that serve as platforms for cryptojacking activity. A dataset of 887 websites, previously identified as cryptojacking sites, was compiled and analyzed to categorize the attacks and malicious activities observed. The study further examines the IP addresses obtained through DNS resolution, the registrars, and the name servers associated with hosting these websites in order to understand their structure and components. Various malware and illicit activities linked to these sites were identified, indicating unauthorized cryptocurrency mining carried out through compromised sites. The findings highlight the vulnerability of website infrastructures to cryptojacking.
