Cryptojacking malware was secretly mining Monero on many government and university websites

A new report published by security researched Troy Mursch details how the cryptocurrency mining code known as Coinhive is creeping onto unsuspecting sites around the web. Mursch recently detected the Coinhive code running on nearly 400 websites, including ones belonging to the San Diego Zoo, Lenovo and another for the National Labor Relations Board. The full list is available here.

Notably, the list names a number of official government and education websites, including the Office of the Inspector General Equal Employment Opportunity Commission (EEOC) and sites for the University of Aleppo and the UCLA Atmospheric and Oceanic Sciences program.

Most of the affected sites are hosted by Amazon and are located in the United States and Mursch believes that they were compromised through an outdated version of Drupal:

“Digging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method. The malicious code was contained in the “/misc/jquery.once.js?v=1.2” JavaScript library. Soon thereafter, I was notified of additional compromised sites using a different payload. However, all the infected sites pointed to the same domain using the same Coinhive site key.

Once the code was deobfuscated, the reference to “” was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.”

Coinhive, a JavaScript program, mines the cryptocurrency known as Monero in the background through a web browser. While Coinhive isn’t intrinsically malicious, it can be injected into unsuspecting code in a “cryptojacking” attack, forcing it to mine Monero without the victim’s knowledge.