Once upon a time, a small piece of JavaScript promised to revolutionize how websites made money — and instead became the poster child for a new kind of cybercrime. Coinhive, the in-browser Monero miner, gave publishers a tantalizing alternative to ads before it spiraled into one of the most notorious cryptojacking tools the internet has ever seen. Here is the full story of how a clever idea went very wrong.

What Was Coinhive, Really?

Coinhive launched in September 2017 as a service that let website owners mine Monero (XMR) directly through visitors' browsers. The pitch was disarmingly simple: instead of bombarding users with intrusive banner ads, why not use a small chunk of their CPU power to generate a few fractions of a cent? The company even branded itself as the "opt-in alternative to ad blocking."

The team behind it positioned Monero's privacy features as a selling point. Bitcoin mining had already been cornered by industrial ASIC farms, but XMR's algorithm was deliberately designed to be CPU-friendly — making it theoretically possible for any laptop user to contribute. Within months, the script was sitting on thousands of legitimate sites, from streaming portals to news outlets experimenting with new monetization models.

Of course, the internet had other plans. Almost as quickly as the service launched, attackers realized that "opt-in" was a polite suggestion, not a hard requirement.

How Browser Mining Actually Worked

At its core, Coinhive was a JavaScript library — a few lines of code a site owner could paste into their page. Once loaded, the script would run in the background, performing the computational work needed to validate Monero transactions, then sending the rewards back to the operator's wallet.

The technical flow looked roughly like this:

  • The website loads a JavaScript file from Coinhive's CDN.
  • The miner's WebAssembly module starts hashing using the visitor's CPU.
  • Each solved share is sent to a pool server, which credits the site owner's account.
  • The owner's accumulated XMR can be withdrawn once it crosses the payout threshold.

On paper, the system was elegant. In practice, it was almost too easy to weaponize. The same snippet that ran quietly on a hobby blog could be injected into a compromised WordPress site, a browser extension, or even a public Wi-Fi captive portal — all without users ever clicking "allow."

The Allure for Publishers

For legitimate operators, the math looked genuinely appealing at first. A visitor staying on a page for a few minutes could generate meaningful fractions of a Monero. For niche sites, gaming portals, and file-sharing platforms losing revenue to ad blockers, the promise of "money that does not get blocked" felt revolutionary. Some publishers openly praised the model as a way to fund content without selling user data.

The Cryptojacking Craze

By early 2018, the script had escaped its sandbox. Security researchers started reporting mass infections across the web — from government websites to major plugins. The technique got a new name: cryptojacking, the unauthorized use of someone's computer to mine cryptocurrency.

"Coinhive didn't invent malicious mining, but it democratized it. Anyone with a stolen admin password could become a miner operator overnight."

Several high-profile incidents made headlines during the peak of the epidemic:

  • Hidden miners embedded in compromised WordPress themes and plugins, silently draining visitor CPUs.
  • Browser extensions on official app stores that bundled the script and ran around the clock in the background.
  • YouTube advertisements that secretly activated the miner while videos played.
  • Public Wi-Fi networks in cafes and airports injecting the code into every page users visited.

The damage was not just stolen electricity — though that added up. Laptops ran hot, fans screamed, batteries drained, and entire corporate networks ground to a halt as IT teams scrambled to find the source. Coinhive's reputation collapsed almost in lockstep with its adoption rate.

The Shutdown and What It Left Behind

In March 2019, Coinhive announced it was shutting down. The official statement cited the collapse of the crypto market, a drop in Monero's hash rate, and — perhaps more tellingly — the fact that the platform had become synonymous with abuse. The team said it had spent the last year trying to fight bad actors, and the fight had become impossible.

The service officially went offline on March 8, 2020. For a brief moment, the internet breathed a sigh of relief. But the legacy was already baked in.

Lessons That Still Matter

Coinhive's rise and fall gave the security industry a clear playbook for dealing with in-browser resource abuse. Modern equivalents exist — from clipboard hijackers to stealthy mining pools — but the pattern is familiar: a clever primitive weaponized at scale.

For users, the era popularized tools and habits we still rely on today:

  • Browser extensions that block JavaScript miners and fingerprinting scripts.
  • Tab freezing and CPU-limiting features baked into major browsers.
  • Heightened awareness that "free" web services sometimes come with hidden compute costs.

Key Takeaways

Coinhive was a fascinating, short-lived experiment at the intersection of crypto, publishing, and malware. It proved that any sufficiently powerful monetization primitive will be turned into a weapon eventually — and that the line between "innovative" and "exploitative" is thinner than most founders want to admit.

If you remember nothing else, remember this: the script that promised to save the web from ads ended up teaching the web a hard lesson about consent, compute, and trust. Monero kept mining, cryptojacking evolved, and the ghost of Coinhive still haunts every "your CPU is helping us" banner you see today.