In late 2017, a tiny line of JavaScript promised to revolutionize how websites made money — and inadvertently gave birth to one of the web's most notorious security threats. Coinhive let site owners mine Monero straight through visitors' browsers, replacing ad-blocker-bait banners with a "pay-with-your-CPU" model. It sounded clever, felt futuristic, and within months became the blueprint for an entire wave of illicit cryptojacking attacks.
What Exactly Was Coinhive?
Coinhive was a browser-based cryptocurrency mining service launched in September 2017 by a small German startup. Its pitch was disarmingly simple: drop a few lines of JavaScript into your website, and whenever a visitor lands, their device would start solving the cryptographic puzzles required to mine Monero (XMR). The coins would then be split between the site owner and Coinhive itself, typically on a 70/30 basis.
The reason Monero, and not Bitcoin? Monero's mining algorithm (CryptoNight at the time) was deliberately designed to be friendly to everyday CPUs and GPUs. Bitcoin mining had long since been swallowed by industrial ASIC farms, but Monero could still be profitably produced from a regular laptop. That technical quirk made browser-based mining theoretically viable for the first time.
For a brief, shining moment, Coinhive looked like the future of web monetization — no intrusive pop-ups, no tracking cookies, no autoplay video ads. Just quiet, opt-in computation in exchange for content.
The Rise — and the Abuse
The first wave of Coinhive adoption was, by all accounts, legitimate. Independent publishers, indie game portals, and a handful of news sites experimented with it as an alternative revenue stream. Some asked users for permission before activating the miner; others simply replaced their "donate" buttons with a mining widget.
Then things got messy. Almost immediately, hackers realized that the same script could be injected — without consent — into compromised websites, malicious browser extensions, and even pirated software. This practice became known as cryptojacking, and Coinhive's code was its weapon of choice.
The Pirate Bay Incident
The watershed moment came in September 2017, when The Pirate Bay was caught running a hidden Coinhive miner on its site. Visitors' CPUs spun up to nearly 100% the moment they loaded a torrent page. The outcry was immediate, and The Pirate Bay quickly claimed it was only a "short test" — but the damage to Coinhive's reputation was already done.
Security researchers soon estimated that by early 2018, Coinhive's code was running on hundreds of thousands of websites — the vast majority without their owners' knowledge. Browser makers responded by adding miner-blocking features, antivirus vendors flagged the script as malware, and ad-blockers grew dedicated filter lists to kill it on sight.
The Slow Decline and the 2019 Shutdown
For Coinhive, the math eventually stopped working. When Monero's price crashed through 2018, the revenue per hash collapsed, and the rising global hash rate made solo mining through browsers even less profitable. At the same time, the legal and reputational heat around cryptojacking intensified.
In March 2019, Coinhive announced it would shut down. The team posted a candid message saying the project had "made a lot of people upset" and that the economics no longer supported continued operation. The mining pool went offline, the website went dark, and the era of mainstream browser mining effectively ended.
What Happened to the Founders?
Not long after the shutdown, German prosecutors searched the homes of Coinhive's operators as part of an investigation into whether the company had done enough to prevent its tool from being used for illicit purposes. While the broader legal fallout drew significant attention, the takeaway was clear: distributing a tool that powerful, at that scale, came with consequences.
The Legacy of Coinhive
Even though Coinhive itself is gone, its fingerprints are everywhere in the security and crypto industries.
- Cryptojacking became a household word. Before Coinhive, the average internet user had never heard of unauthorized in-browser mining. After Coinhive, it was a category every CISO, browser vendor, and antivirus lab had to address.
- Security tooling evolved. Modern endpoint protection now treats CPU-spiking background processes as a default red flag — a behavior pattern Coinhive essentially normalized.
- The "mine instead of ads" idea never died. Projects keep trying variants of opt-in monetization, from browser extensions to permissioned Web3 sessions, though none have matched Coinhive's scale.
- It raised real consent questions. If a website quietly uses your electricity to mint coins, is that advertising, malware, or something in between? Coinhive forced regulators and ethicists to ask the question out loud.
Key Takeaways
- Coinhive was a JavaScript-based Monero mining service launched in 2017 and shut down in 2019.
- It powered the first major wave of cryptojacking attacks across the web.
- Browser-based mining is technically still possible but is now blocked by default by most browsers and security tools.
- The Coinhive saga remains a textbook case of how a clever monetization idea can spiral when abuse outpaces consent.
Zyra