This article was published on May 8, 2018

Nearly 400 Drupal sites infected with malware that secretly mines cryptocurrency

Coinhive malware victimizes another 400 websites including US govt, Lenovo, and UCLA

Story by Neer Varshney, former TNW writer

It seems like there’s no stopping the crypto-jacking epidemic, as hackers continue to steal unsuspecting users’ computing power to mine cryptocurrency.

Security researcher Troy Mursch from Bad Packets Report has discovered that a number of websites using an outdated version of the Drupal Content Management System are being victimized by hackers for crypto-jacking.

While the primary targets of this attack — which hit some 400 sites — are US-based government entities and educational institutes, several tech firms’ sites have also had the mining script injected.

A list of affected websites compiled by Mursch includes those of the US National Labor Relations Board (NLRB), Chinese tech company Lenovo, Taiwanese network hardware maker D-Link, and the University of California, Los Angeles (UCLA).

Government-run websites in the US, Mexico, Turkey, Peru, South Africa, and Italy have also been affected.

Mursch discovered that the JavaScript injected into all of the infected sites pointed to the same domain name ( and used the same Coinhive site key, implying that a single individual or entity was behind all of these attacks.
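The clustering step described above, as an added example that is not code from the article or from Bad Packets Report: it scans page HTML for external script loaders and Coinhive site keys, then groups sites that embed the same key, which is the signal that one payee sits behind many infections. The sample pages, the loader domains and the keys are constructed for this example; the regex only catches the plain Coinhive API call and will miss obfuscated loaders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample pages, standing in for HTML fetched from several sites.
# The loader domains and site keys are made up for this example; they are not
# the indicators from the Bad Packets Report.
PAGES = {
    "agency-a.example": (
        '<script src="https://loader.invalid/lib/cn.min.js"></script>'
        '<script>var m=new CoinHive.Anonymous("Kconstructed0000000000000001");m.start();</script>'
    ),
    "university-b.example": (
        '<script src="https://loader.invalid/lib/cn.min.js"></script>'
        '<script>new CoinHive.Anonymous("Kconstructed0000000000000001",{throttle:0.5}).start()</script>'
    ),
    "vendor-c.example": (
        '<script src="https://other-loader.invalid/m.js"></script>'
        '<script>new CoinHive.Anonymous("Kconstructed0000000000000002").start()</script>'
    ),
    "clean-d.example": '<script src="/core/misc/drupal.js"></script><p>no miner here</p>',
}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
# Coinhive's browser API takes the site key as the first constructor argument.
# Obfuscated or packed loaders will not match; treat a miss as "not detected",
# never as "clean".
SITE_KEY = re.compile(r'CoinHive\.(?:Anonymous|User|Token)\(\s*["\']([A-Za-z0-9]{20,64})["\']')

def extract_indicators(html):
    """Return (set of external script hosts, set of Coinhive site keys) found in a page."""
    hosts = {h for h in (urlparse(s).hostname for s in SCRIPT_SRC.findall(html)) if h}
    keys = set(SITE_KEY.findall(html))
    return hosts, keys

def cluster_by_key(pages):
    """Group sites by the Coinhive site key they embed, recording loader hosts seen with it."""
    clusters = defaultdict(lambda: {"sites": set(), "hosts": set()})
    for site, html in pages.items():
        hosts, keys = extract_indicators(html)
        for key in keys:
            clusters[key]["sites"].add(site)
            clusters[key]["hosts"].update(hosts)
    return {k: {"sites": sorted(v["sites"]), "hosts": sorted(v["hosts"])} for k, v in clusters.items()}

def shared_campaigns(pages, min_sites=2):
    """Keys that appear on several unrelated sites: one payee behind many infections."""
    return {k: v for k, v in cluster_by_key(pages).items() if len(v["sites"]) >= min_sites}
```

Run against crawler output instead of the constructed pages to reproduce the grouping; a key shared across unrelated domains is the same "single actor" inference the researcher drew.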

Mursch’s previous research had found nearly 50,000 websites to be running crypto-jacking campaigns, many of them unwittingly.

An interesting fact about all of these attacks is the hackers’ mining service of choice — there’s a clear preference for Coinhive, which is responsible for more than 80 percent of all the infected websites.

Coinhive received some legitimacy after it rolled out a feature that required user consent before their computer could be used for mining. The Coinhive service along with this feature was even integrated by UNICEF to fund its charity for children in Bangladesh.

However, researchers have found that the ‘opt-in’ version is rarely used; site operators instead integrate Coinhive in a way that does not inform their users.

It is high time that Coinhive halts its services that allow for mining without the knowledge of the user, and keeps only the mandatory opt-in version moving forward.

There’s no way for a user to know if their computer is being used to mine cryptocurrency through Coinhive unless they notice the high CPU usage on their device, and investigate the cause.

Thankfully, there are ways to stop these cryptojacking scripts from exploiting your CPU’s computing power, and you can read all about them here.

Those interested in the detailed Bad Packets Report on this attack can read it here.
