Hackers secretly mined Monero on 1,000s of websites

Monero cryptocurrency. Photo: founder.ua

Cybersecurity researchers have uncovered a massive campaign that has affected thousands of websites around the world. More than 3,500 sites, including popular WordPress platforms and online stores, have been targeted by a hidden Monero cryptocurrency mining operation. Attackers are using these sites to secretly mine cryptocurrency, siphoning off computing resources from visitors and server owners.

Researchers from c/side have uncovered one of the largest cyberattacks on web infrastructure in recent years, according to ForkLog.

Attackers took advantage of existing access to sites that were previously used for phishing and stealing payment details. This time, they simply added another script to the existing code.

"Implanting the miner was a trivial task. They added a script that loads another one, already compiled in WebAssembly," c/side explained.

How hidden Monero mining works on infected sites

At first glance, everything looks completely safe — the user enters the site and does not even suspect that his computer has already started mining Monero. This type of attack is called cryptojacking — the use of computing resources without the user's consent.

The script runs in the background in the browser and uses WebAssembly. WebAssembly delivers performance close to native code, so mining is effective even without a noticeable load on the system. Data is exchanged over WebSocket, which lets the activity blend into ordinary browser traffic.

"Scripts are adapted to avoid CPU spikes. Even antiviruses often don't detect them," c/side added.

What are the dangers of hidden mining for website owners?

Although crypto-scripts do not steal data directly, website owners are at risk. First, they risk losing the trust of visitors if they notice suspicious activity or excessive load on their device.

Second, an infected site can be blacklisted by search engines, which will lead to a decrease in traffic and revenue.

Another serious threat is the possibility of such sites being used as a conduit for further attacks, such as the distribution of malware or phishing pages.

Why exactly is Monero used by hackers?

Monero (XMR) is one of the most anonymous cryptocurrencies in the world. Its main feature is the complete opacity of transactions. Unlike Bitcoin, where the movement of coins between addresses can be traced, Monero hides both the sender and recipient addresses, as well as the amount of the transfer.

This makes it attractive to attackers, as it is impossible to track where the mined funds go. That is why it is often chosen for cryptojacking, darknet operations, and evasion of monitoring.

Why did the website infection go unnoticed?

One of the most dangerous aspects of this campaign is its near-complete invisibility. The attackers used a moderate CPU load and left no trace in the system logs.

The professionally disguised code looked like part of a regular JS framework, and it was loaded from a domain that was already regarded as legitimate.

"The scripts were adapted to operate with minimal power. This allowed them to remain in the shadows even for months," c/side noted.

In many cases, site owners were not even aware of the infection until c/side analysts conducted an in-depth analysis and discovered common script signatures across thousands of domains.

How to protect yourself from hidden mining on websites

The main advice for users is to use browsers with script blocking and install extensions like NoCoin or uBlock Origin. It is also worth updating security systems and antiviruses, which are already starting to include protection against WebAssembly miners.

Website owners are advised to:

  • Regularly check the integrity of the page code;
  • Use scanners for third-party scripts;
  • Update CMS and plugins;
  • Restrict access to administrative panels;
  • Enable Content Security Policy (CSP) to restrict the loading of third-party scripts.
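
The integrity check, third-party script scan and CSP from the list above can be combined in one small audit. The Node.js sketch below is an added example, not code from c/side or from the campaign: the function names, the hosts (shop.example, cdn.example.com, static.example.net) and the sample HTML are all constructed for illustration, and a production scanner should use a real HTML parser instead of regular expressions.

```javascript
// Added illustration: all names, hosts and markup below are constructed.
const SUSPICIOUS = [
  [/WebAssembly\.(instantiate|compile)/, 'compiles WebAssembly'],
  [/new\s+WebSocket\s*\(/, 'opens a WebSocket'],
  [/createElement\(\s*['"]script['"]\s*\)/, 'injects another script at runtime'],
];
// Flag scripts from unlisted hosts, allowed third-party scripts without an
// SRI hash, and inline code that behaves like a loader or miner bootstrap.
function auditScripts(html, pageUrl, allowedHosts) {
  const findings = [];
  const pageHost = new URL(pageUrl).host;
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      const host = new URL(src, pageUrl).host; // resolves relative URLs too
      if (host === pageHost) continue;
      if (!allowedHosts.includes(host)) {
        findings.push({ src, issue: 'host not on allowlist' });
      } else if (!/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ src, issue: 'third-party script without SRI hash' });
      }
    } else {
      for (const [re, what] of SUSPICIOUS) {
        if (re.test(body)) findings.push({ src: '(inline)', issue: what });
      }
    }
  }
  return findings;
}
// Build a CSP header value that only permits the same allowlist.
function buildCsp(allowedHosts) {
  const scripts = ["'self'", ...allowedHosts.map((h) => `https://${h}`)].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scripts}`, // no 'unsafe-inline' and no 'wasm-unsafe-eval'
    "connect-src 'self'",    // WebSocket, fetch and XHR only back to the site
    "worker-src 'self'",
    "object-src 'none'",
  ].join('; ');
}
// Constructed sample page for https://shop.example/
const SAMPLE_HTML = `<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example.com/widget.js"></script>
<script src="https://static.example.net/fw.min.js"></script>
<script>var s=document.createElement('script');s.src='https://static.example.net/k.js';document.head.appendChild(s);</script>`;
console.log(auditScripts(SAMPLE_HTML, 'https://shop.example/', ['cdn.example.com']));
console.log(buildCsp(['cdn.example.com']));
```

Leaving `'wasm-unsafe-eval'` and `'unsafe-eval'` out of `script-src` makes browsers that enforce CSP Level 3 refuse to compile WebAssembly, and `connect-src 'self'` stops page scripts from opening WebSocket connections to other hosts.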

What does this campaign mean for cybersecurity in the future?

Now it is clear that attackers are moving to less visible, but larger-scale ways of earning money. And if yesterday the target was banking data, today it is users' computing resources. It is a new stage, where profit is obtained not through theft, but through long-term parasitism on other people's systems.

"This campaign has shown that hackers are becoming more cautious and smarter. We need another layer of protection, with a focus not only on intrusion, but also on hidden activity," the c/side analysts believe.
