Back in 2017, a small startup had a radical idea: turn every website on the internet into a tiny crypto mine. That company was CoinHive, and for a brief, chaotic moment, it looked like the future of online monetization. Then it all came crashing down in a storm of hacked sites, antivirus warnings, and one of the wildest shutdowns in crypto history.

So what exactly was CoinHive, why did it matter, and why does its ghost still haunt cybersecurity talks today? Let's dig into the rise, the abuse, and the dramatic end of the world's first mainstream browser miner.

What Was CoinHive, Really?

CoinHive was a JavaScript-based Monero (XMR) mining service launched in 2017 by a German-Swedish team. Its pitch to website owners was disarmingly simple: instead of slapping another ad on your page, drop in a small script and let visitors' CPUs mine Monero in the background. The site owner got paid, the user got an ad-free (or ad-lighter) experience, and CoinHive took a cut.

The grand vision was even bolder. Co-founder Marvin Jägli pitched CoinHive as a way to fund the open web itself — replacing ads, fighting adblocker revenue losses, and giving small publishers an alternative income stream. On paper, it sounded like a revolution in monetization-as-a-service.

The real product, though, was something narrower: an API and a JavaScript snippet that any site could embed with a few lines of code. It was easy to integrate, hard to detect, and ran on just about any browser. That combination, as it turned out, would prove catastrophic.

How Browser-Based Mining Actually Worked

Under the hood, CoinHive ran the Cryptonight algorithm inside a JavaScript WebAssembly module. Once embedded, it would quietly tap into a visitor's CPU cycles to solve hashing puzzles, sending the results back to a CoinHive pool in exchange for a share of XMR rewards.

For legit publishers, integration was laughably simple:

  • Sign up at CoinHive.com and get a unique site key.
  • Drop the coinhive.min.js snippet into the page.
  • Optionally trigger mining only when the tab is visible, or throttle to a fixed hash rate.
  • Withdraw earnings to a Monero wallet, with CoinHive taking a 30% fee.

The clever twist was that users didn't need wallets, accounts, or even to know what mining was. The browser did it all, transparently, in exchange for content. For a few shiny months, it genuinely felt like a glimpse of a post-ad internet.

The Rise of Cryptojacking

Then came the abuse. Almost immediately, hackers began injecting the CoinHive script into compromised websites — WordPress blogs, Magento stores, even government portals. Visitors had no idea their laptops were running full-tilt for someone else's crypto wallet.

This new form of attack got a memorable name: cryptojacking. And CoinHive made it dirt-cheap to launch. You'd see reports of pirate streaming sites, cracked software forums, and shady extensions all silently mining via CoinHive, sometimes at 100% CPU.

Some of the worst offenders went further:

  • The Sephora browser miner script reportedly tried to mine in-store WiFi traffic using a rogue popup on Sephora's site.
  • A CoinHive variant spread through a flaw in a popular WordPress plugin and infected tens of thousands of pages.
  • Showtime ran an experimental version on its own site, claiming it was a “monetization test” — and quietly dropped it after backlash.

By late 2017, antivirus vendors had added CoinHive detection to nearly every major engine. The script became synonymous with malware, even when the publisher deploying it was completely innocent.

Why CoinHive Died in March 2019

On March 8, 2019, CoinHive abruptly shut down all services and posted a terse note on its site. The team cited the long, sustained crypto winter, the collapse of Monero's price, the rise of ASIC-resistant algorithm forks, and — perhaps most importantly — the decision by Monero to hard-fork away from Cryptonight in October 2018, which made browser mining far less profitable.

The numbers told the story. CoinHive had paid out millions of dollars to publishers, but the cost of running its backend, paying its team, and absorbing constant fraud had eaten the margin. The note hinted at a deeper reason too: the founders said they wanted to move on from a project that had been “associated with misuse and negative connotations.”

Within days of the shutdown, XMR wallets linked to CoinHive's mining pool stopped showing new activity. Browser mining, once touted as a future of the web, effectively died with it.

The Legacy: What CoinHive Left Behind

Even though it's gone, CoinHive reshaped several conversations that are still active today. Browser-based crypto mining research never fully stopped — projects like JSECoin, Webchain, and newer opt-in models from networks like Brave and certain Web3 browser extensions all owe a debt to that original script.

Cryptojacking, meanwhile, exploded into its own category of cybercrime. The 2017–2019 wave paved the way for modern threats like cloud instance mining hijacks, container-cluster cryptominers, and even AI-training GPU thefts — all using the same basic trick of stealing compute to make money.

Regulators and security researchers also took notes. CoinHive ended up referenced in advisories from the NIS, NCSC, and various CERTs, and it's still used as a textbook example of how a legitimate SDK can be weaponized at scale.

Key Takeaways

  • CoinHive was a legit tool turned infamous. It started as a publisher-friendly Monero mining script and ended as the symbol of the cryptojacking era.
  • Browser mining is technically possible but reputationally toxic. Almost any opt-out mining today gets treated like malware by default.
  • Monero's 2018 hard fork was the killing blow. Without a profitable in-browser algorithm, CoinHive had no business model.
  • The shutdown reminds us how fragile crypto services are. A great product can still collapse if token prices crash and abuse overwhelms the network.
  • The CoinHive story lives on in modern browser-mining experiments, crypto-fraud forensics, and every cybersecurity course that covers cryptojacking.