How to Detect & Remove Cryptojacking Malware — CoinHive Bitcoin-Miner in WordPress

Cryptojacking malware such as the Coinhive Bitcoin miner is JavaScript-based and exploits the browser's system resources for bitcoin mining.

Cryptojacking Malware

Cryptojacking, the new fancy buzzword, means hijacking websites and users' browsers to mine cryptocurrency. There’s nothing wrong with mining cryptocurrencies (unless it’s illegal in your country). The problem is with hijacking the website and the user’s browser without their knowledge. In order to mine cryptocurrencies, the bad guys hijack a website or a user’s browser or machine to get the job done. But what is cryptocurrency mining anyway?

What is Cryptocurrency Mining?

Cryptocurrency mining is the process of earning money by discovering new coins (in the cryptocurrency). The way it works is that you have to solve a puzzle, and if you do, you get paid. That’s not an easy puzzle though. For example, to mine bitcoins today, you need to find data whose SHA-256 hash has eight leading zeroes. Game for it? Bitcoin’s algorithm is such that there can only ever be 21 million bitcoins. New bitcoins are created upon successful problem solving. However, due to the nature of the problem, this work requires a computer’s processing power, which requires electricity. So strictly speaking, bitcoins can’t just be printed like paper bills. This adds monetary value to each new bitcoin; after all, you’ve spent time and energy to discover the new coin.

China has bitcoin mining farms: farms of cheap, throwaway, refurbished CPUs that are used to mine bitcoins. However, as time passes, the difficulty in the algorithm keeps increasing and it gets more and more difficult to discover new coins. So after a certain limit these farms are sure to go out of business, since it’s not feasible to keep investing so much electricity and effort into the work.

What’s Cryptojacking?

So if cryptocurrency mining is not financially feasible, why not mine the currency on others’ computers for free? Would you want to let others use your processor, run it on full power and cause your machine to run hot and hang other apps? Not unless someone asks for your permission and you approve. That’s where the hijacking part comes in.

Isn’t it just better if a site could be hijacked to spread the malware to anyone visiting that site and use the users’ system to do the mining? This means hacking into the website to be able to insert malware.

Also, in the last 5 years or so the internet has seen a major wipe-out of online ads due to ad-blocking plugins and browsers. Cryptomining is one alternative that seems feasible, so some websites actually throw a popup in the user’s face asking to use the user’s system for cryptomining.

It’s not only websites; even some smartphone ads and apps have this cryptomining malware built in or downloaded onto the system / phone.


Also here’s a little bit of history on coinminer if you are interested.

While the original intent behind Coinhive was to use only a portion of a person’s computing power, the result was that cryptojackers turned the knob to 11, slowing down the computer to the point of unusability.

Cryptojacking, Bitcoin Miner Virus Removal

Malware is typically difficult to identify with the naked eye. Most malware is smart enough to tell whether it’s actually a human being visiting the site or a bot. The other problem with cryptojacking malware (as far as websites are concerned) is that this type of malware is purely JavaScript-based. So even a smart malware scanner may only be able to detect it from a fixed list of signatures of known cryptomining libraries.

WordPress has the majority share of the CMS used on websites and is the CMS most targeted by the bad guys. Use a highly reliable WordPress malware scanner to scan and identify whether your WordPress site is hacked. Ideally you should use a malware scanner only to scan and identify malware. Using scanners to automatically fix your site could result in a crippled / broken site prone to data leak, loss or total hijacking. In my personal experience, many a time using Wordfence’s “delete all infected files” has resulted in breaking the site. If you are not sure what to do, you can approach a professional WordPress malware removal service. A professional infection cleanup service will not only hunt down the malware but will also identify any security holes and find out how the malware got into the server in the first place. This part is critical to prevent further infection and server abuse.
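The two paragraphs above describe signature-based detection and advise using a scanner only to identify malware, not to auto-delete files. The following is an added example, not code from the original article or from any scanner it names: a read-only scan that reports the file and line of each match against a short list of publicly documented Coinhive loader strings. The signature names, the sample theme tree and SITE_KEY_PLACEHOLDER are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Publicly documented Coinhive loader strings. This is the "fixed list" the
# text describes; a production scanner ships a longer, regularly updated one.
SIGNATURES = {
    "coinhive-script": re.compile(r"coinhive(\.min)?\.js", re.I),
    "coinhive-api": re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\("),
    "coinhive-host": re.compile(r"\b(coinhive|authedmine)\.com\b", re.I),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}


def scan_tree(root):
    """Return (relative path, line number, signature) hits. Read-only."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in SIGNATURES.items():
                if rx.search(line):
                    rel = path.relative_to(root).as_posix()
                    hits.append((rel, lineno, name))
    return hits


def build_sample_site(root):
    """Constructed WordPress-like tree: a clean header and an injected footer."""
    theme = Path(root) / "wp-content" / "themes" / "example"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
        "<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>\n"
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, lineno, name in scan_tree(site):
            print(f"{rel}:{lineno}: {name}")
```

To use it on a real site, call scan_tree() on a copy or read-only mount of the WordPress root and review each reported line by hand before editing any file.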


Cryptojacking is on the rise: the attacks exploded by 8,500% in 2017, so imagine the scene in 2018 now. Don’t take website security for granted, especially when the bad guys are motivated by monetary greed.


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.