# Threat Brief: Drive-by Mining - Adapting an Old Attack to Mine Cryptocurrencies

By [Christopher Budd](https://www.paloaltonetworks.com/blog/author/christopher-budd/?ts=markdown "Posts by Christopher Budd"), Oct 17, 2017

On January 2, 2017, one [Bitcoin](https://en.wikipedia.org/wiki/Bitcoin) was worth US $985.56.
By October 16, 2017, that same Bitcoin was worth US $5,707.40: a 579% increase in value in ten and a half months. By comparison, [Ethereum](https://en.wikipedia.org/wiki/Ethereum) has gone from US $8.15 per ether on January 2, 2017 to US $342.83 per ether on October 16, 2017: a jump of 4,206%.

[Cryptocurrencies](https://en.wikipedia.org/wiki/Cryptocurrency) are big money these days and seemingly getting bigger by the day. And if we've learned one thing about cybercriminals, it's that they follow the money. So, it's not surprising to see that cybercrime is turning its attention to cryptocurrencies.

In our latest research, "[Unauthorized Coin Mining in the Browser](https://www.paloaltonetworks.com/blog/2017/10/unit42-unauthorized-coin-mining-browser/)", Unit 42 researchers show how cybercriminals have taken an old tactic, hijacking web browsers without the users' consent or knowledge (commonly called a "drive-by attack"), and adapted it to make money in the increasingly lucrative cryptocurrency markets.

Before, drive-by attacks focused on abusing a browser's legitimate download capabilities [to download malware](https://en.wikipedia.org/wiki/Drive-by_download) onto the victim's system without their consent or knowledge. These new drive-by attacks focus on hijacking the computational resources of the victim's computer to "[mine](https://en.wikipedia.org/wiki/Bitcoin#Mining)" cryptocurrency on behalf of the attackers.

The focus of these attacks is to use the victim's web browser to access the computational resources of their system. The attackers accomplish this by abusing a legitimate tool: they place it on malicious or compromised websites, and it runs in the victim's browser, without his or her consent or knowledge, when they visit the site. The tool is designed to "mine" cryptocurrencies; that is, it earns credit in the cryptocurrency in exchange for computing power that is used to power the cryptocurrency's digital infrastructure.
This tool has a legitimate use: sites can and do notify users that they're using the site visitors' resources in this way to support the site, typically as a substitute for ads on the site. But in this case, the attacker gets the credit that the victim's computational resources earn, without the visitor's consent or knowledge, making it a malicious attack.

Put simply, the net result is that the victim's computer slows down (sometimes significantly) while on the malicious or compromised website. And while the computer is impacted like this, the attacker is earning money. The attacker steals the victim's computing resources and translates them into a cryptocurrency like Bitcoin.

This new kind of attack tells us that at least some cybercriminals are starting to view stealing victims' computing power and translating it into cryptocurrencies as a better business proposition than the traditional practice of loading malware on the victim's system through drive-by downloads.

And our research shows that this isn't an isolated event. Our researchers analyzed over 1,000 sites and what they found was very telling.

1. According to Alexa, 5 of these sites ranked in the top 2K of sites, 29 sites in the top 10K and 155 sites in the top 1 million.
2. While many of these sites can be dated back to 2013, we saw a steady level in the number of sites until October 2017: then we saw 502 (63%) of these domains spring up suddenly.
3. We found these malicious and compromised sites resolved to 47 different countries, with the majority being in the United States.
4. The greatest number of victims we could identify come from the Eastern United States, with the Western United States in second. Europe and Asia Pacific came in third and fourth respectively.
5. In terms of the domains where we found these malicious and compromised sites, .download and .bid domains accounted for the majority, comprising more than 35% of these sites. .com and .review tied for 3rd with 13% of the sites each.


The good news is that these attacks are more like denial-of-service attacks: they don't do lasting harm to your system and they end when you leave the site. The bad news is that these are harder to defend against than typical drive-by download attacks. Where drive-by download attacks usually exploit unpatched vulnerabilities, the root of these attacks is that they abuse otherwise legitimate functionality: you can't prevent them by being fully patched.

Security products that take a comprehensive, layered approach can help prevent these attacks. And if you think your system is being affected by one of these attacks, you can, in most cases, end the attack by either leaving the site or closing the browser.

Most of all, this latest development shows how a changing economic landscape in turn changes the cybercrime landscape. Loading malware through drive-by downloads is so 2012: in 2017 it's about drive-by mining attacks to earn cryptocurrencies.
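
Because these attacks rely on a script being placed on a malicious or compromised website, a site operator can check for one by inventorying the scripts each page loads. The following is an added example, not code from the original post or from Unit 42; the allowlist, hostnames and sample HTML are constructed for illustration, and the integrity check goes slightly beyond what the post discusses.

```javascript
// Added example (not from the original post): inventory the external scripts
// a page loads and flag hosts the site owner has not approved.
// Allowlist, hostnames and HTML are constructed for illustration.
const APPROVED_SCRIPT_HOSTS = new Set(['www.example.com', 'cdn.example.com']);

// Collect the attributes of every <script> opening tag. A regex scan is a
// simplification; it assumes attribute values contain no '>' character.
function listScripts(html) {
  const scripts = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    scripts.push(attrs);
  }
  return scripts;
}

// Return one finding per script that needs a human look.
function auditPage(pageUrl, html, approvedHosts = APPROVED_SCRIPT_HOSTS) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const attrs of listScripts(html)) {
    if (!('src' in attrs)) continue; // inline scripts need a separate review
    let host;
    try {
      host = new URL(attrs.src, pageUrl).hostname; // handles relative and //host forms
    } catch {
      findings.push({ src: attrs.src, host: null, reason: 'unparseable src' });
      continue;
    }
    if (!approvedHosts.has(host)) {
      findings.push({ src: attrs.src, host, reason: 'host not on allowlist' });
    } else if (host !== pageHost && !attrs.integrity) {
      // Approved third party, but nothing pins the file's content.
      findings.push({ src: attrs.src, host, reason: 'no integrity attribute' });
    }
  }
  return findings;
}

const SAMPLE_URL = 'https://www.example.com/news/';
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.min.js"></script>
<script src="https://cdn.example.com/ui.js" integrity="sha384-PLACEHOLDER"></script>
<script async src='//static.unapproved.example/m.js'></script>
<script>console.log('inline');</script>`;

const sampleFindings = auditPage(SAMPLE_URL, SAMPLE_HTML);
for (const f of sampleFindings) console.log(`${f.reason}: ${f.src}`);
```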