YouTube is turning passive viewers into cryptocurrency miners, and Google isn’t happy.
The issue became apparent earlier in the week as complaints surfaced on social media claiming that YouTube ads were raising red flags in anti-virus software. A service called Coinhive was hijacking a viewer’s CPU and using its power to mine crypto.
A Friday blog post from Trend Micro, an international cybersecurity company, confirmed the sharp uptick in Coinhive use earlier in the week, pinning it to a “malvertising campaign” that subverted a Google ad service used on YouTube.
“Attackers abused Google’s DoubleClick, which develops and provides internet ad serving services, for traffic distribution,” the post notes. Trend Micro’s data pointed to Japan, France, Taiwan, Italy, and Spain as the countries affected by the campaign.
In a statement given to Ars Technica on Friday, Google confirmed the cryptojacking threat, noting that “[i]n this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Google’s “blocked in less than two hours” timeline doesn’t add up, however. Trend Micro’s data suggests that “an increase in traffic to five malicious domains” from DoubleClick advertisements started on or sometime before Jan. 18. By Jan. 24, the company had detected “an almost 285% increase in the number of Coinhive miners.”
Google didn’t respond to any follow-up questions regarding the timeline.
Coinhive wasn’t always used for nefarious purposes. The script was created originally to let website owners harness the processing power of a visitor’s computer to mine Monero. So long as the site owner let people know about Coinhive up front and didn’t let the script monopolize processing power, it was a relatively ethical way for website operators to turn traffic into income.
Then, in late December, users of a certain Chrome extension discovered that it was also secretly running CoinHive. This incident quickly turned into one of the higher profile examples of a relatively new phenomenon in the malware world: “cryptojacking,” the practice of hijacking a PC user’s CPU to mine cryptocurrency.
The spread of cryptojacking to YouTube is an alarming development. While it’s good that Google eventually shut the activity down, this is a new wrinkle in the cryptocurrency craze that internet gatekeepers will have to better protect against in the future.