‘Drive-by’ cryptomining code was discovered in YouTube ads this week


“Cryptojacking” is nothing new but it has begun to pick up more steam in recent months. For the unaware, cryptojacking typically involves unscrupulous website owners or advertisers using JavaScript code to take advantage of a website visitor’s CPU power to mine cryptocurrency in the background, without their knowledge or consent.

The Pirate Bay was one of the first websites of note to contain this sort of code but its use has only become more common over time. Indeed, the problem has become so pervasive in certain parts of the internet that web browsers such as Opera have received new features specifically designed to mitigate or eliminate these issues — usually in the form of ad blocking filters.

While simply avoiding sketchy sites to begin with might seem like the obvious solution, the issue becomes more complicated when this code starts to appear on bigger, more well-known sites like Showtime or even YouTube.

This past week, YouTube viewers’ antivirus programs began to alert them to the presence of cryptocurrency mining code throughout the website, specifically within YouTube’s advertising code. Naturally, this led to some users hopping on Twitter to voice their concerns.

Researchers from antivirus company Trend Micro said these ads resulted in “more than a three-fold spike” in web miner detection stats. The company also said the individuals behind the ads seemed to be targeting YouTube visitors in specific countries, such as France, Taiwan, Italy, Spain and Japan.

“YouTube was likely targeted because users are typically on the site for an extended period of time,” security researcher Troy Mursch said in a statement. “This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made.”

This may not seem like a significant issue but background miners can hog quite a bit of a given system’s computing power if left unchecked, as much as 80 percent according to Trend Micro.

Google issued the following statement on the matter:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

As Ars noted, evidence supplied by Trend Micro seems to contradict Google’s statement. The antivirus company has shown several examples of these ads being in place for the better part of a week, which is certainly longer than the two hours Google claims it took to shut the scheme down.

