Over 3,500 websites across the internet have been hacked in a massive and quiet cyberattack. The goal of this attack was to secretly mine cryptocurrency using the computers of people who visited these websites. Most users had no idea this was happening in the background while they were browsing. The mining was done through cleverly hidden JavaScript scripts that triggered when someone opened the infected site.
The attack involved a JavaScript file called karma.js, which acted as a loader. This script was designed to be extremely hard to detect because it was obfuscated, meaning the code was scrambled and hidden on purpose. Once the loader script was active, it reached out to other attacker-controlled domains to download and run the actual mining software inside the user’s browser.
What made this attack so effective was that the script didn’t just start mining right away. It first checked the user’s device to see if it was powerful enough to handle mining. It looked at things like how many CPU cores the device had, whether the browser supported advanced features like WebAssembly, and if it could run heavy scripts without slowing down. Only if the system passed those checks would the mining begin.
When the mining started, it didn’t take over the whole system. Instead, it used a method called Web Workers, which lets JavaScript run multiple threads in the background. These Web Workers were programmed to use only a small portion of the system’s CPU, usually less than 20%, which made the activity very difficult to notice. The mining ran quietly while the user continued browsing, unaware that their resources were being used.
One of the most dangerous parts of this attack is that it was controlled remotely in real time. The JavaScript code connected to attacker-owned servers using encrypted WebSocket connections. These connections allowed the hackers to send commands and change the behavior of the mining activity while it was happening. They could increase or decrease the CPU usage, stop the mining if someone noticed, or update the scripts instantly.
Researchers also discovered that many of the domains and servers used in this mining attack had previously been linked to other cybercrimes. Specifically, the same infrastructure was once used in Magecart attacks, which are known for stealing credit card information from websites. This shows that the hackers behind this new cryptojacking wave are experienced and have reused tools from their past campaigns.
The mining scripts weren’t loaded directly. First, the loader script would connect to a domain like trustisimportant.fun, which would then pass the command to another server like yobox.store to pull the actual mining script. This multi-step process helped the attackers hide their tracks and made it harder for security tools to block everything at once.
Cryptojacking was a huge issue a few years ago when services like CoinHive were popular. But after CoinHive shut down in 2019, many thought browser-based mining was gone. This new attack proves that cryptojacking is not only back, it’s more advanced than ever. By using smart fingerprinting, real-time control, and stealthy code, the attackers have created a system that is hard to detect and can steal small amounts of power from millions of people.
If you’re a website owner, this is a wake-up call. Audit all your plugins and third-party scripts regularly. Watch for strange or encrypted WebSocket traffic from your site, and scan your codebase for anything suspicious, especially base64-encoded or minified JavaScript files. Removing these threats early is key to protecting your visitors and your website’s reputation.
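An added example (not code from the article or from any affected site) of the audit described above: it scans a page's HTML for script and WebSocket URLs that match the indicators named in this article or fall outside an allowlist, and flags long base64 runs. The function names, the allowlist and the sample page are assumptions constructed for illustration.

```javascript
// Indicators named in the article; extend from your own threat intel.
const IOC_HOSTS = ["trustisimportant.fun", "yobox.store"];
const IOC_FILES = ["karma.js"];

// True if host equals an entry in list or is a subdomain of one.
function hostIn(host, list) {
  return list.some((h) => host === h || host.endsWith("." + h));
}

// Audit one HTML document. pageUrl resolves relative paths; allowedHosts is
// the site's own approved script/WebSocket hosts (an assumption of this example).
function auditHtml(html, pageUrl, allowedHosts) {
  const findings = [];
  const check = (kind, raw) => {
    let url;
    try { url = new URL(raw, pageUrl); } catch { return; }
    const file = url.pathname.split("/").pop().toLowerCase();
    if (hostIn(url.hostname, IOC_HOSTS) || IOC_FILES.includes(file)) {
      findings.push({ severity: "high", kind: kind + "-ioc", value: url.href });
    } else if (!hostIn(url.hostname, allowedHosts)) {
      findings.push({ severity: "review", kind: kind + "-unlisted", value: url.href });
    }
  };
  // Regex extraction is approximate; a production audit should parse the DOM.
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) check("script", m[1]);
  for (const m of html.matchAll(/["'`](wss?:\/\/[^"'`\s]+)["'`]/gi)) check("websocket", m[1]);
  // Long unbroken base64 runs often hide an encoded payload.
  for (const m of html.matchAll(/[A-Za-z0-9+\/]{200,}={0,2}/g)) {
    findings.push({ severity: "review", kind: "base64-blob", value: m[0].length + " chars" });
  }
  return findings;
}

// Constructed sample page (not taken from an infected site).
const SAMPLE = `<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.min.js"></script>
<script src="https://static.example.net/assets/karma.js"></script>
<script>const s = new WebSocket("wss://ws.yobox.store/feed");
const p = "${"QUJD".repeat(60)}";</script>
</head></html>`;

const report = auditHtml(SAMPLE, "https://shop.example.com/", ["shop.example.com", "cdn.example.com"]);
console.log(report);
```

Run it over rendered pages as well as source files, since a loader injected at runtime may not appear in the repository.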
For regular users, it’s important to stay protected. Using browser extensions that block mining scripts, running an ad blocker, and keeping your browser up to date are small but effective steps. Cryptojacking doesn’t steal your data; it steals your system’s power and performance without you even noticing. This silent threat is happening right now, and awareness is the first step to fighting it.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news



