Hackers infected over 3,500 websites with hidden Monero miner

23.07.2025

Hackers have returned to covert crypto mining – this time using a new, stealthier method. According to c/side, malicious code was detected on more than 3,500 websites worldwide. A JavaScript file (e.g., karma.js) is injected into infected websites and launches Monero mining directly in visitors' browsers. The script uses WebAssembly to get the most out of the device's computing power. The key to this attack is its invisibility: the script limits CPU usage to avoid detection, allowing it to remain active longer without noticeably slowing down the system.

How it works

Before starting the mining process, the script checks browser and system capabilities. If WebAssembly is supported, it activates a more productive mode. Communication with the command server happens via WebSocket, helping to bypass protections and conceal data transfer. Infected websites become part of a distributed mining network: users’ devices mine Monero, and the resulting hashes are sent to remote servers. The attackers profit by mining cryptocurrency on users’ devices without their consent.

Why it's dangerous

These scripts don’t steal passwords or files, but they exploit visitor resources. Infected websites risk being blacklisted by search engines and antivirus systems. The code can also be extended to steal crypto wallets or install additional malware. Mass browser-based mining first gained traction in 2017 through the Coinhive script, which was later shut down. Many believed the trend had ended, but this new wave proves cryptojacking is still alive and evolving. Security researchers note that the code is becoming more sophisticated – adapting to different devices, using secure communication channels, and disguising itself as normal site content.

What website owners should do

It’s advised to audit code regularly, monitor third-party script connections, and enforce strict JavaScript execution policies. Be alert to abnormal CPU usage patterns. Browser-based mining isn’t a traditional attack, but it undermines trust and introduces risks for both users and site owners. Modern cryptojacking is quiet, technically advanced, and still profitable.
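
One way to act on the advice above, as an added example that is not from c/side or the original article: a Node.js audit that lists external script tags whose host is not on an allowlist, plus a Content-Security-Policy that restricts script sources and WebSocket destinations. All hostnames, the sample HTML and the function names are constructed for illustration.

```javascript
// Added example. Hostnames, sample HTML and function names are constructed.
const PAGE_URL = "https://www.example.com/";
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.example.com"]);

// Constructed page: two expected scripts and one injected loader.
const SAMPLE_HTML = `
<head>
  <script src="/js/site.js"></script>
  <script src="https://cdn.example.com/lib.js"></script>
  <script async src="//static.unknown-host.example/karma.js"></script>
</head>`;

// List every external <script src> that is neither same-origin nor allowlisted.
function findUnexpectedScripts(html, pageUrl, allowedHosts) {
  const pageOrigin = new URL(pageUrl).origin;
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const findings = [];
  for (const match of html.matchAll(tagRe)) {
    let url;
    try {
      url = new URL(match[1], pageUrl); // resolves relative and // URLs
    } catch {
      findings.push({ src: match[1], reason: "unparseable src" });
      continue;
    }
    if (url.origin !== pageOrigin && !allowedHosts.has(url.hostname)) {
      findings.push({ src: url.href, reason: "host not on allowlist" });
    }
  }
  return findings;
}

// Build a policy that names script hosts and keeps WebSocket traffic same-origin.
function buildCsp(allowedHosts) {
  const hosts = [...allowedHosts].map((h) => `https://${h}`).join(" ");
  return [
    "default-src 'self'",
    // No 'unsafe-inline', 'unsafe-eval' or 'wasm-unsafe-eval' keyword here.
    `script-src 'self' ${hosts}`,
    // connect-src also governs WebSocket connections.
    "connect-src 'self'",
    "worker-src 'self'",
    "object-src 'none'",
  ].join("; ");
}

console.log(findUnexpectedScripts(SAMPLE_HTML, PAGE_URL, ALLOWED_SCRIPT_HOSTS));
console.log("Content-Security-Policy:", buildCsp(ALLOWED_SCRIPT_HOSTS));
```

Serve the returned string as the Content-Security-Policy response header. Browsers that enforce CSP for WebAssembly also refuse to compile it under this policy, because neither 'unsafe-eval' nor 'wasm-unsafe-eval' is present.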