Threat actors are making millions by stealing your CPU cycles for crypto mining when you visit an infected or malicious website. In fact, the trend is growing, and users may not even be aware that their resources are being leveraged against them for someone else’s financial gain. So why not make this practice legal and have legitimate browser extensions or software perform this work instead of the methods websites use to make money today: banners, ads, and subscriptions? This might be the next big thing for content-rich sites that use your computer to make money rather than selling ad space and paying search engines. Think it is crazy? Read on.
How Content on the Internet Works
Think of your favorite websites – anything from social media apps to news sites. Now, think of your streaming and sports websites. The former are laced with sponsors, ads, and promotions that are paid for by businesses and individuals to support the development and security of the platform and ultimately the business itself. As a user, these sites are typically free, but in order to make money they have to sell real estate on the page in order to function. Streaming content providers (including entertainment and sports), however, make their money from subscriptions. This is generally an annual or monthly rate to subsidize the royalties they pay for content or the production of their own material. This is how content on the Internet works: we pay to view the material, or someone else pays to advertise alongside it. I think there is room for another option.
Crypto Mining Defined
First, let us define crypto mining. Crypto mining is the process of solving complex mathematical problems to verify digital transactions using computer hardware and dedicated computational software. Miners can either create a cryptocurrency or get paid for their processing power in a cryptocurrency once the mathematical problems have been solved and verified using associated technology such as blockchains. In order to be successful, processing power (CPU, or preferably GPU) is needed, and the average computer, phone, and streaming device sits idle throughout the day or is not fully utilized while services are rendered. This leaves room for spare CPU cycles to be put to work on this type of project.
The Value of CPU Cycles
Now, let us continue with the value of CPU cycles. A single CPU cycle represents a financial loss or gain based on the work processed. If you consider the cost of the initial system, amortized depreciation, maintenance costs, and monthly electric and cooling costs, each CPU cycle can literally be translated into some dollar value. While this would be infinitesimally small given modern CPU clock speeds, the cost realized per hour, day, or month is something we reconcile every day, especially when licensing CPU power from shared and cloud resources. Therefore, CPU time has a value, and the goal of legal crypto mining is to offset the purchase and operational cost of the CPU by performing the work in the background of legitimate services.
The result for the consumer is a free or discounted subscription fee, or it removes the provider's need to market and sell advertisements. If the initial costs are not borne by a mining farm, but rather by someone else’s environment, the profit ratio can easily be biased towards the mining and content operator.
Why Illegal Crypto Mining is Popular
This is why illegal crypto mining is becoming so popular – because threat actors are making money using someone else’s investment. The real objective is to turn this around and allow real services to perform the same work while consumers use their resources: large-scale crypto mining for the provider and no subscription fees or advertisements (commercials) for the consumer. A win-win situation for both, and crypto mining might just be the first step for other businesses to leverage spare CPU cycles from idle devices. In addition, the more time you spend using the service (like binge-watching a TV show), the more CPU time the provider gets in the background to support the model.
All it would take is enabling an application to use background CPU for a purpose, and having the consumer accept an end user license agreement (EULA) that grants the content provider the right to use a fraction of their resources for an additional purpose.
A Real Example of How This Could Work
If you think this entire scenario is far-fetched, the technology already exists to make this work. The University of California, Berkeley, has open source software for volunteer computing called BOINC. The technology uses the idle time (or spare time) on your computer to help cure diseases, study global warming, discover pulsars, look for alien radio signals, and perform many other types of mathematically intensive scientific research. There is no reason the same approach cannot be used for crypto mining, or adopted by content providers to use spare resources alongside their services to solve many of the humanitarian problems the world faces today. Imagine streaming a movie while spare CPU cycles are looking for a cure to a genetic disease or predicting the weather. Sitting on the couch could actually be proven to be productive.
Whether this concept actually becomes reality remains to be seen. It might be another form of digital transformation, or maybe it is just a glimpse into the future. In either case, organizations will still need to determine whether CPU cycles are being used for legitimate business purposes, for someone else’s financial gain, or for potentially malicious activity. A vulnerability assessment is a good way to determine whether your assets are at risk of malicious activity and whether your browsers could be hijacked today for illegal crypto mining. For more information on how Retina CS could help perform these assessments, contact us. Otherwise, stay tuned. The services you utilize today might end up solving some of the world’s most mathematically challenging problems while you sit on the couch.
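The assessment question raised above, whether a page your browsers visit is quietly running a miner without consent, can be approached with a simple static check of the page's scripts. The following is an added example, not code from the original post or from BeyondTrust or Retina CS. It parses an HTML document, flags external scripts loaded from a blocklisted host, and flags inline scripts that combine several indicators typical of browser miners (a WebAssembly compute kernel, background Worker threads, and a mining-pool protocol string). The hostnames in `MINER_HOSTS` and the `SAMPLE_HTML` document are constructed placeholders; a real deployment would use a maintained blocklist and pair this static check with CPU-usage telemetry, since obfuscated loaders defeat pattern matching.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist standing in for a maintained miner-script feed.
# These hostnames are placeholders, not real miner domains.
MINER_HOSTS = {"miner.example.invalid", "coinpool.example.invalid"}

# Heuristic indicators in inline script text. Any one of them is common in
# legitimate code, so a finding requires at least two to fire together.
INLINE_INDICATORS = {
    "wasm": re.compile(r"WebAssembly\.(instantiate|compile)"),
    "worker": re.compile(r"new\s+Worker\s*\("),
    "pool": re.compile(r"stratum\+tcp://|\bpool\b.*\bwallet\b", re.IGNORECASE),
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html):
    """Return a list of findings (dicts) describing miner indicators in one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS:
            findings.append({"kind": "external", "src": src, "reason": "blocklisted host"})
    for index, body in enumerate(parser.inline):
        hits = sorted(name for name, rx in INLINE_INDICATORS.items() if rx.search(body))
        if len(hits) >= 2:
            findings.append({"kind": "inline", "index": index, "reason": "+".join(hits)})
    return findings


# Constructed sample page: one benign script, one blocklisted script, and one
# inline loader shaped like a browser miner (placeholder hosts throughout).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.invalid/analytics.js"></script>
<script src="https://miner.example.invalid/lib.js"></script>
</head><body>
<script>
  // constructed inline snippet that combines three miner indicators
  var w = new Worker("worker.js");
  WebAssembly.instantiate(buf).then(function (m) {
    w.postMessage("stratum+tcp://pool.example.invalid:3333");
  });
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding)
```

Running the block prints two findings for the constructed page: the blocklisted external script and the inline loader. A page with a single benign script, or an inline script that only spawns a Worker, produces no findings, which is the intended trade-off between coverage and false positives for a first-pass assessment.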
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.