
“An on-page advert was mining bitcoin in my browser” - davidgerard
https://twitter.com/adamjogrady/status/902351152460701697
======
turc1656
I met a guy once who made a browser add on that had legitimate functionality
that people wanted, but behind the scenes he secretly read all incoming html
and searched for Google Adsense links and replaced the number that identifies
the source site with the number for his own site that had Adsense on it. So,
whenever anyone with his add-on clicked any ad on any website with Adsense he
would get credit for it and earn the money from it. They were all legitimate
clicks so it was essentially impossible for Google to detect. He was getting
several thousand a month in income from this. Haven't spoken to him in a while
so I'm not sure if it still works or if people even still use his add-on. My
guess is that either his add-on became unpopular over time or some changes
Google made killed his nefarious plan.

I keep telling my other friend it would be really great if we could get a
botnet going to mine Ethereum via GPU since ASIC mining isn't a thing in
Ethereum because of its resistance to it. Although, if they ever roll out the
proof of stake concept then all mining seems to just evaporate then. Of course
I don't plan on risking felony charges to mine Ethereum, but it is fun to
think about.

~~~
ewanm89
If I was Google I would just remember I served ad for website for account x
but the number on the click was for account y. Real easy to detect.
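
The cross-check described in the comment above, as an added example (not part of the thread, and not Google's actual system): flag clicks credited to an account that does not own the page the ad was shown on. The account ids, domains and log layout are constructed, and it assumes the network records the page URL with each click.

```python
from urllib.parse import urlsplit

# Hypothetical registry: publisher account -> sites it registered with the network.
REGISTERED_SITES = {
    "pub-1111": {"news.example"},
    "pub-2222": {"recipes.example"},
    "pub-9999": {"addon-author.example"},
}

# Constructed click log: (credited account, URL of the page that showed the ad).
CLICKS = [
    ("pub-1111", "https://news.example/story/42"),
    ("pub-9999", "https://news.example/story/42"),
    ("pub-9999", "https://www.recipes.example/soup"),
    ("pub-2222", "https://www.recipes.example/soup"),
    ("pub-9999", "https://addon-author.example/"),
    ("pub-9999", "https://blog.other.example/post"),
]

def host_matches(host, site):
    """True if host is the registered site or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)

def owner_of(host):
    """Return the account a page host is registered to, or None if unknown."""
    for account, sites in REGISTERED_SITES.items():
        if any(host_matches(host, s) for s in sites):
            return account
    return None

def find_mismatches(clicks):
    """Return (credited, host, owner) for clicks whose credited account does not own the host."""
    flagged = []
    for credited, page_url in clicks:
        host = urlsplit(page_url).hostname or ""
        owner = owner_of(host)
        if owner != credited:
            flagged.append((credited, host, owner))
    return flagged

def suspicious_accounts(clicks, min_sites=2):
    """Accounts credited for clicks on at least min_sites hosts they do not own."""
    hosts = {}
    for credited, host, _ in find_mismatches(clicks):
        hosts.setdefault(credited, set()).add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_sites}
```

An account that collects credit across many unrelated sites it never registered stands out in the aggregate, even though each individual click is a real user click.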

~~~
turc1656
I don't know enough to say with certainty, but I don't think it's that simple.
The way I understand it, the script that loads Adsense does/did so at the end-
user level when their PC loads the HTML and executes the script in their
browser.

For what you are saying, I think it would be necessary for the original
request to come from the site owner to pass through to the end-user, which I
don't believe is the case. If that were the case, ad-blockers would have a
much harder time determining the source of the content.

------
the_stc
I highly doubt this. He cites 40MB of downloads plus high CPU usage. Mining
bitcoin won't need 40MB of download. Plus it has an ROI of 0. Even with free
adspace this would not be worthwhile. More likely is someone just fucked up
their ad.

~~~
wyldfire
The ROI is likely nonzero for some coins out there. Bitcoin's difficulty would
be too high to make much money even if the ad were served to a very large
number of computers. But other non-SHA coins (CryptoNight-based PoW, e.g.) or
low-difficulty coins might be worthwhile.

> Mining bitcoin won't need 40MB of download.

Are you sure? I would think something like cgminer compiled to wasm/asm.js
could be a 40MB payload.

For more context, OP states:

> "checked sources and discovered it was a Bitcoin add in iframe, looked at JS
> it used"

> "It was also an ad for a btc exchange/wallet thing, so maybe the mining was
> just to recoup some cost?"

The nebulous "sources" referred to _might_ be something credible. I imagine
bitcointalk.org may have a thread on malicious ads like this.

~~~
LyndsySimon
> The ROI is likely nonzero for some coins out there.

If it's more profitable to mine $ARBITRARY_ALT_COIN than Bitcoin, then people
would mine $ARBITRARY_ALT_COIN until the profitability equalized.

> Are you sure? I would think something like cgminer compiled to wasm/asm.js
> could be a 40MB payload.

There's no need for that:
[https://github.com/jwhitehorn/jsMiner](https://github.com/jwhitehorn/jsMiner)

~~~
ringaroundthetx
> If it's more profitable to mine $ARBITRARY_ALT_COIN than Bitcoin, then
> people would mine $ARBITRARY_ALT_COIN until the profitability equalized.

That's.... what people do.

Market inefficiencies come up predictably because coins have different block
reward and emission schedules. They have different algorithms which give
advantages to different processors. The market efficiency time sometimes
requires a completely new fabrication line created in China, this gives
significant times till mining arbitrage goes away.

Similarly, multipool miners have software which automatically switches to
different blockchain networks when the yield is favorable.

It is a mistake to think there is no opportunity just because someone told you
there are always smarter more observant people profiting off the opportunity.

~~~
LyndsySimon
> It is a mistake to think there is no opportunity just because someone told
> you there are always smarter more observant people profiting off the
> opportunity.

I agree - I'm not denying that there are _ever_ opportunities for arbitrage,
I'm merely asserting that there isn't going to be an alt out there that is
"significantly" more profitable to mine than Bitcoin itself.

~~~
ringaroundthetx
Okay

I would still disagree, my first thought was defining significantly. When 300%
more profitable are the typical differences in yield, how is that
insignificant? So then I decided the logical rebuttal would be "over time",
where the assertion would be that it isn't significantly more profitable over
time.

The rebuttal to that is that baskets of alt coins outperform bitcoin
significantly, again by at least 300% barring the worst luck.

And even in a bad year for alts, it is possible to find a difficulty algorithm
that you can game giving you an advantage that nobody else notices.

------
redm
There's not much to discuss here. It's an unsubstantiated claim that seemed to
be backed up by the claim of "I looked at the code." Forget these guys' claim
for a moment; the more interesting discussion is the concept of trading mining
resources for service. If it's an ad, it's malware, but if it was opted into
by the user, it could be a new type of payment model.

~~~
devmunchies
Trading compute resources for a service is a much better proposition than
trading my personal data or behavior for a service. This is interesting.

~~~
LyndsySimon
If average CPM is $3, that's $0.003 per individual impression. A quick back-
of-a-napkin calculation shows that at current Bitcoin price (~$4,600), you
would have to mine for about 100 hours at 1 GH/s to match that.

In reality, jsMiner is the only JavaScript Bitcoin mining utility of which I'm
aware, and it only uses CPU. A modern machine's CPU is only going to yield a
hashrate of 5 MH/s or so, which means you'd have to mine for them for 20,000
hours to equal the revenue generated by your eyes being exposed to a
traditional ad.

In short, your PC is too slow by several orders of magnitude to make this a
viable replacement for traditional ads.

------
eadmund
At some point people are going to have to admit that granting execute access
to remote agents in order to read content is insanely insecure.

~~~
delinka
Surely you mean "granting native execute access"? JavaScript executes in a
browser. Sure, it's sandboxed, but it's still executed.

~~~
sp332
Nope. I don't want some random code from the Internet tying up resources on my
computer. Even if it doesn't have access to much of my data. That's the whole
problem with the bitcoin mining - sure it's sandboxed but it's still bad.

------
dspillett
I'm surprised this sort of thing hasn't happened more commonly. I suggested
it, as I'm sure did others, some years ago.

While I doubt mining bitcoin is going to be worth the hassle currently, other
currencies might be, other tasks might be (generating rainbow tables for hash
attacks?), and if it is bitcoin maybe that algorithm was just picked as a test
for the delivery mechanism.

As JS JiT compilers get better and other tech that might help number-crunching
becomes commonly available (webassembly? does webGL allow useful access to GPU
processing power?) this sort of thing might become common too.

For people doubting the idea for ROI reasons: if the time to code the
mechanism isn't time you would have otherwise paid for, and the delivery
network isn't one you run but one you've managed to secret your code into by
surreptitious means, then the investment is practically zero and _any_ return
is a profit. Heck, for some the intellectual challenge and/or willy-waving
potential might be profit enough!

Of course, without seeing the code in question I would say it is far more
likely that this is just a _really_ badly coded animated advert or advert
cycling code, chewing CPU with unneeded DOM changes & redraws and eating 40Mb
of bandwidth constantly reloading content for animation frames that could be
cached in a better design. The link to crypto-currencies just because the user
had a bitcoin related advert on-screen at the time is, while possible, quite a
distant conclusion to jump to IMO.

~~~
ringaroundthetx
It does happen commonly.

There was an entire mining botnet operating for weeks using the same CIA
exploit that the Wannacry attackers used. It made a lot more than Wannacry
did.

Wannacry's amateurish and public ways led to patches that both exposed the
existence of and killed the botnet.

------
yellowapple
This actually might be a brilliant (and by "brilliant" I mean "absolutely
abominable") way to monetize a website without "ads" per se. Just use
visitors' browsers to mine some altcoin while they're reading your article or
what have you. The more visitors you get, the more money you get.

------
davidgerard
I suspect "Bitcoin" here is a synecdoche for "cryptocurrency" in general. (in
the manner of intrusion detection software flagging a Monero miner as a
"Bitcoin miner".) Plenty you can still mine on a CPU/GPU ... particularly if
it's not your electricity.

~~~
ringaroundthetx
> I suspect "Bitcoin" here is a synecdoche for "cryptocurrency" in general.

An advantage for all of us that actually get this market. Perpetuated market
inefficiencies due to ignorance

------
davidgerard
"An experiment with in-browser distributed bitcoin mining"

[https://github.com/howardchung/jsminer/blob/master/README.md](https://github.com/howardchung/jsminer/blob/master/README.md)

------
drivingmenuts
And yet, we don't get upset when burns our CPU cycles with JS just to compose
that gotta-have one-page-app on our devices.

The major difference is that the bitcoin ad _might_ actually be profitable at
some point.

------
holmberd
only the code tells the truth.

------
mmaunder
No source posted so until that happens, this didn't happen.

