Ask HN: Why did Coinhive, the in-browser crypto miner, fail?
38 points by jungle_bells 15 days ago | 48 comments
It's really hard for me to understand why it failed as they seemed to be the PERFECT alternative to running ads. The official statement doesn't really cut it for me, what are your thoughts on this?

I'm not sure how it's a perfect alternative. It seems worse on almost every dimension.

You're stuck between running this miner covertly (scummy) or asking for permission (who is going to click yes?).

How much of Coinhive's income comes from users who are unknowingly running the code? It seems like a move towards more user-hostility, not less.

The one time I saw an actual fit for the end user was an online game that would let you turn on the miner to win in-game coins. Who else can pull off an opt-in?

The 0x00sec.org security forum has/had this effort to mine coins to keep the site ad-free. From the comments[1] users seem to have been happy to help.


I routinely disable my adblock for certain news websites because they tell me to, otherwise I can't see their content. Websites asking for 'opt-in' does work. It works on me all the time.

Sure, and you are unique in this regard. Just look at the developments of counter-antiadblocker rules making it on to Easylist. People don't even see those pleas.

Of course, the other issue is that this was only feasible under very specific and temporary circumstances, so it cannot be the answer to ads. Coinhive is done. The experiment failed.

The performance disparity between browser-based JavaScript and specialized mining hardware is so large that you will be hard-pressed to generate enough revenue to support a website.

I remember reading a research paper estimating that coinhive made over $250,000 every month. What do you think about this?

Coinhive was making that much in aggregate, but the websites running their client were not. It couldn't replace ad revenues, especially after the prices crashed, and thus people ceased using it.

Hope this helps illustrate the point:

That $250,000 every month amount was made at the cost of way more than $250,000 worth of electricity.

But it wasn't coinhive or coinhive's users who were paying for it. Website visitors carried the cost...

And website visitors may have gotten website content that wouldn't have existed otherwise.

We wouldn't have as much web content as we do today if it weren't for web advertising. (Just another form of payment).

We were all paying for it...

But the cost to remove ads here is very worth spending that electricity over my attention.

What about the environmental and other external costs?

I run an ad blocker most of the time because crappy ads and ad-tech use a lot of bandwidth and battery. Crypto-mining is even worse for power consumption.

CoinHive. Not CoinHive's customers.

Well, for one, AV software started to classify any website with its code as 'infected' with malware. Then adblockers blocked their script, and even today their website doesn't load properly with uBlock activated.

These are definitely important issues but they don't sound like show-stoppers. Many people use anti virus software and adblockers but then again many don't!

Additionally they (or some alternative) may have been able to improve the software and create a simple consent process to avoid being blacklisted.

I tried it on a couple of sites I have with ~1k users using pretty heavily. I made $1.50 USD over a couple of months, and most complained that it was being blocked/giving security warnings when visiting the site.

Not that I am making much from ads either, but it just really wasn't worth it. Affiliate revenue, while small on a grand scheme, was much more effective.

Even at the start their rates were fairly bad, price crashes + being blocked must have made it a lot worse. And few legit sites are going to use something that gets them branded as hosting malware, even if only some of their users use software detecting it.

Spamming the adblockers to whitelist them (and their authedmine alternative) definitely didn't help https://github.com/easylist/easylist/issues/712

While I agree that they didn't handle it well, I'm mixed on this. While I think putting a miner on a site covertly is unethical, I also think blocking something that's not an ad in an ad-blocker is equally unethical.

I think a miner like this could provide an interesting way for people to monetize their content, as long as it's opt-in, but blocking a non-ad like this just totally deflates the argument that ad-blockers are about privacy or intrusiveness, and they're really about people having their cake and eating it too.

I don't think any of the mainstream blocking plug-ins claim to just be ad blockers. E.g. The first line on the uBlock origin Readme:

> uBlock Origin is NOT an "ad blocker": it is a wide-spectrum blocker -- which happens to be able to function as a mere "ad blocker". The default behavior of uBlock Origin when newly installed is to block ads, trackers and malware sites

Any third party scripts tend to fall under "trackers" (stuff like typekit, disqus often gets blocked by default as well), something that just burns your CPU in the background without approval could be classified as malware.

The real reason they failed (mining efficiency aside) is because the technology was co-opted by criminals that embedded the miner into hacked sites and display advertisements without permission. This caused them to land on every single anti-virus and domain blacklist out there.

I was still working in the security field (MSSP SOC) when Coinhive came out. It quickly became one of the prominent "threats" we had to deal with. All of our clients wanted any site that had Coinhive on it, whether or not the site owners added it or criminals did, blocked. It was viewed by nearly everyone in cyber security, including AV companies, as malware. It got a bad reputation because many sites didn't allow you to opt-in, and many didn't even tell you they were running it.

The idea was absurd from the outset. A few minutes of mobile CPU mining in a browser is a nearly worthless pittance.

Yes, and probably a much smaller pittance than that earned through ad revenue from the average brief visit, which means that this idea cannot succeed if it’s framed as an alternative to ads, unless a massive number of people are willing to pay for content with spare CPU cycles rather than with ad impressions. That seems highly unlikely for a number of reasons, chiefly that the demographic that would even understand the pitch is likely contained almost entirely within the demographic that uses adblockers.

A better strategy, then, would be to completely dissociate the idea from ads, and simply make it easy for content creators to ask users if they’d like to support their content via in-browser mining. Make it unobtrusive for viewers and both frictionless and highly configurable for creators. The goal should not be to maximize the number of viewers who consent, but to keep the potential loss in viewership and/or good will very close to zero. Let content creators decide how aggressively they want to pitch the idea to their viewers, with the default being about as aggressive as a small link off to the side soliciting donations.

The result would likely be an extremely high ratio of new widget installations to marginal unit of revenue, but it also wouldn’t totally crash and burn.

If you're a pirate video streaming website and basically banned from every ad network, it could be worth the bandwidth.

This is a particularly bad experience for mobile users with battery and CPU cooling limitations to computing.

While the growth of mobile probably wasn't a primary reason, I suspect the founders may have seen that the future didn't look great, even if they could solve the monetization of exploits and collapse of crypto prices overall headwinds. With crypto pricing falling to near the power input costs when mined on ASICs and GPUs, CPU mining from Javascript was going to be a case where users paid $1 for ~$0.10 of crypto, of which only a tiny sliver of the original input ($1) went to the content creator.

A million CPUs would not be as efficient mining Bitcoin as a single ASIC. There are no coins where CPU mining is as good as GPU. JavaScript is also inefficient compared to native programs.

Overall, it probably didn't generate very much money. Mining is a commodity. An ad click is worth orders of magnitude more.

I believe Coinhive was actually webassembly, with a fallback to JavaScript.

They were mining Monero, not Bitcoin.

CPU mining XMR is similarly not efficient compared to GPU

As Monero currently has ASICs running on the network, no, they're not.

But without them, yes, they are profitable, especially if you're not paying for electricity as in this case.

I thought Monero was designed to be resistant to ASICs? Please correct me if I'm wrong, I don't have that much knowledge about crypto.

There is no such thing as ASIC-proof. You can make an ASIC for any deterministic algorithm.

"ASIC-resistance", in this context, only means that ASICs can be held to a low multiple of CPU/GPU efficiency. So ASICs can be 10x as efficient as a CPU/GPU, but not 10k-1m times as efficient like they can on something like SHA.

Unfortunately, profit trends towards zero (towards cost of production) until prices change, so having a 10x advantage is still actually quite big. That means you're making at least a small profit when everyone else is forced to turn off their rigs.

In practice this means that ASIC-resistance, as a method of decentralizing control of the network, doesn't work. Big farms pay cheaper rates for electricity (in China, sometimes zero, by stealing it or bribing local officials), and have insider access to much more efficient ASIC hardware than the general public does. So when profit declines to zero, they inherit the network by virtue of being the only miners who remain profitable.

> There is no such thing as ASIC-proof. You can make an ASIC for any deterministic algorithm.

True. Although you could probably design an algorithm which requires so many of the capabilities of a CPU, like a fast 64-bit FPU and a lot of cache, that the transistor count of an ASIC would approach that of a general-purpose CPU produced in much greater volume. This would make special-purpose hardware not cost effective.

That's basically the idea of ProgPOW, which is a proposed algorithm that Ethereum may switch to in an attempt to kick ASICs off the network.


The problem is that you still are only taking an infinitely small chunk of the space of all possible Turing algorithms. For example we are not considering any program that lasts longer than say 12 cache hits and 20 math operations (proposed numbers). That means you don't need as much hardware to implement an ASIC as you would a general-purpose processor.

Such algorithms can never possibly contemplate the full space of Turing programs unless you solve the halting problem (because we can't trust participants to give us a fairly chosen algorithm, and presumably we don't want to select a hashing stage that never terminates). This approach will always consider a tiny, fixed area of the problem space and will thus always be amenable to acceleration from specialized hardware.

Remember that old chestnut, "anybody can come up with a crypto algorithm that they themselves cannot break"? You can add a corollary to that: "anyone can come up with a hashing algorithm that they themselves cannot design an ASIC for".

We've been through this over and over again. I remember when Ethereum was supposed to be impossible to accelerate with ASICs. I remember when Monero and ZCash were supposed to be impossible to accelerate. But when you put hundreds of millions of dollars of free money on the line, very smart people get creative.

The idea of ASIC resistance can be summarized as making specialized hardware no more efficient than general hardware. And that's simply an impossible task. Specialized hardware will always be at least somewhat more efficient than general hardware. Maybe not hugely, but it doesn't need to be hugely more efficient, 5-10x more efficient is more than enough to shift control over to ASIC insiders.

On top of that, ASICs pose massive advantages for deployment even apart from efficiency advantages. One box that you plug a power cable and ethernet cable into replaces two mining rigs with finicky, delicate riser cables and a dozen GPUs precariously strung from wire shelves. ASICs don't crash anywhere near as much either. Literally just having the same efficiency but being 10x as easy to deploy is still a massive win.

You can still rotate algorithms every 6 months, but the clock starts ticking when you propose an algorithm. It took four months from the last switchover before Monero had ASICs on the network again. Presumably they were designing as soon as the algorithm was proposed, and taping out as soon as the switchover was announced.

ASICs are inevitable, and it may be better to simply accept democratic control of ASICs rather than insiders with control of them. If you switch every couple months you disincentivize ASIC holders from releasing them to the public (and revealing their existence), instead they will hold them private so they don't trigger an algorithm change. Which is exactly the centralization that you're supposedly trying to avoid.

That's one of the goals yes.

However efficient ASICs were able to be constructed for the current (and previous) algorithms.

Monero will make a hardfork, right now actually, to brick the existing ASICs. The new algorithm isn't sufficiently different to prevent them however and we will probably see efficient ASICs in under 6 months.

The long term hope instead lies on a new algorithm[0] which tries to change the POW algorithm all the time. Will it hold up or will someone manage to create efficient ASICs? Your guess is as good as mine.

[0]: https://github.com/tevador/RandomX

The issue is that anything that changes the POW has to be deterministic, so we'll just see programmable ASICs make a return... so invest in Cisco?

Back in the days when GPU mining was a thing, CPU mining was reasonably efficient. This was actually a design goal, it was seen as promoting decentralization.

Now, obviously a rig full of Vega cards put out a lot higher hash rate than an 8C CPU, but the CPU was actually reasonably efficient in terms of wattage. At the time, building quad-CPU rigs on older architectures was actually a reasonably efficient build.

At least in times past (2015-2017) there wasn't a huge discrepancy. My i5 3750k at default low clocks would do 40 H/s per core while my AMD 7950 did about 400 H/s going all out. Trying to do it in javascript in a browser is a real performance killer though.

So why didn't they use GPU? Could you build something like that for WebGL?

No compute shader support in WebGL. Have to wait for WebGPU for that.

Speculating here, but a browser JS engine is not the ideal mining vehicle, particularly on mobile. I think you would have to have enormous volume to actually make any money. A significant amount of that would then go to the site owner (why else would they use it?), leaving very little profit for CoinHive itself.

This is a big question for me too! Especially since they didn't seem to have any major reason to burn a lot of cash or to run out of money! Was it maybe a lawsuit, fraud or regulatory issue? I would LOVE to know.

Their own statement: The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the “crash” of the crypto currency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive.

https://coinhive.com/blog/en/discontinuation-of-coinhive (you probably need to whitelist that in your adblocker to read it)

Sounds like "lots of work to do soon and not making all that much money, not worth it". (surely being known as "malware" didn't help either...)

I think this is the best kind of site to use archive.is on: http://archive.is/6gbeU

I think in most cases “failed” just means the founders think there are other (clearer) opportunities to pursue. Doesn’t necessarily mean what they were working on didn’t make sense.

IMHO there still is quite an opportunity to find substitutes for ads that provide revenue for websites and aren’t as annoying as ads whether it is mining or something like SETI or something like re-captcha.

Would love to see more in this direction.

Just adding a datapoint. I run a SaaS where people can run their own (Javascript) code. The first thing I did was block any Coinhive script as those were the first obvious abusers of the service.

Coinhive is now, for me at least, always associated with scammers.
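
The kind of blocking several commenters describe (the SOC clients and the SaaS operator above), sketched as an added example that is not part of the original thread or any commenter's code. It flags `<script>` tags loaded from Coinhive-related hosts; the `authedmine.com` entry, the blocklist contents and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed blocklist for this example: the domain named in the thread plus the
# domain of its opt-in "authedmine" variant. Extend from your own feeds.
BLOCKED_DOMAINS = {"coinhive.com", "authedmine.com"}

# Constructed sample page (not real traffic).
SAMPLE_HTML = """
<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//cdn.authedmine.com/lib/authedmine.min.js"></script>
<script src="https://notcoinhive.com/app.js"></script>
<script src="/static/site.js"></script>
<script src="https://example.org/lib.js?ref=coinhive.com"></script>
</head><body>hello</body></html>
"""

def host_is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    # Compare on label boundaries so "notcoinhive.com" does not match.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def find_miner_scripts(html):
    """Return script URLs whose host is on the blocklist."""
    collector = ScriptCollector()
    collector.feed(html)
    # urlsplit parses the host out of absolute and protocol-relative URLs;
    # relative paths have no host and are skipped.
    return [s for s in collector.sources if host_is_blocked(urlsplit(s).hostname)]

if __name__ == "__main__":
    for url in find_miner_scripts(SAMPLE_HTML):
        print("blocked:", url)
```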
