Hackers have infected more than 3,500 websites with a hidden crypto-miner that runs directly in the visitor’s browser, mining Monero (XMR) without the user’s knowledge. According to analysts, the malicious script does not steal data or block access to the device - it simply siphons off part of the CPU’s processing power for the benefit of the attackers.
Less Noise, More Time
Researchers from the company c/side have uncovered an active cryptojacking campaign in which attackers have taken extreme measures to mask the script’s activity. Instead of causing noticeable CPU spikes as in earlier attacks, the malware now operates with limited CPU usage, leveraging WebAssembly and WebSocket technologies. This makes the activity nearly invisible to users and antivirus software.
According to c/side’s report, the code masks its network traffic, and a persistent connection with the server enables uninterrupted mining of XMR, a privacy coin. This method allows the attackers to remain undetected for weeks or even months.
Reusing Old Infrastructure
A cybersecurity researcher familiar with the campaign reports that the attackers are using previously compromised WordPress sites and old infrastructure from earlier Magecart campaigns. In those attacks, hackers inserted malicious code into checkout pages to steal payment data. Now, they are simply adding another JavaScript file using the same access.
“Deploying the script took minimal effort - they just linked an extra piece of code to already compromised sites,” the researcher explained.
According to him, what sets this wave of cryptojacking apart is its stealth: there are no sudden spikes in performance that would typically expose malware.
Although the current script does not interact with users’ crypto wallets or steal funds, researchers warn that in theory, the code could be expanded with malicious payloads such as wallet drainers. For now, the primary targets of the attack are website and web app owners who might not detect the issue for months.
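For site owners, one way to check exposure to the pieces described above (an extra JavaScript file, WebAssembly, a persistent WebSocket connection) is to audit the site's Content-Security-Policy header. The following is an added example, not code from c/side's report; the function names and sample policies are constructed for illustration, and a `*` source is treated conservatively as unrestricted.

```javascript
// Added example: audit a Content-Security-Policy value against what the
// hidden miner needs: an extra script file, WebAssembly, and a WebSocket.

// Parse "name src1 src2; name2 src3" into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (tokens.length && !directives.has(tokens[0])) {
      directives.set(tokens[0], tokens.slice(1));
    }
  }
  return directives;
}

// Sources that put no real limit on the host (treating "*" conservatively).
const OPEN_SCRIPT = ['*', 'http:', 'https:'];
const OPEN_SOCKET = ['*', 'ws:', 'wss:'];

function auditCsp(header) {
  const d = parseCsp(header || '');
  const fallback = d.get('default-src');
  const script = d.get('script-src') ?? fallback;       // governs WebAssembly
  const loader = d.get('script-src-elem') ?? script;    // governs <script src>
  const connect = d.get('connect-src') ?? fallback;     // governs WebSocket
  const findings = [];
  // With 'strict-dynamic', host and scheme sources are ignored by the browser.
  if (!loader || (!loader.includes("'strict-dynamic'") &&
                  loader.some(s => OPEN_SCRIPT.includes(s)))) {
    findings.push('script: a script file from any host can load');
  }
  if (!script || script.includes("'unsafe-eval'") ||
      script.includes("'wasm-unsafe-eval'")) {
    findings.push('wasm: WebAssembly compilation is permitted');
  }
  if (!connect || connect.some(s => OPEN_SOCKET.includes(s))) {
    findings.push('websocket: connections to any host are permitted');
  }
  return findings;
}

// Constructed sample policies, not taken from any real site.
const WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-eval'; connect-src *";
const STRICT = "default-src 'self'; script-src 'self'; connect-src 'self'";
console.log(auditCsp(WEAK));
console.log(auditCsp(STRICT));
```

A page served with no policy at all returns all three findings, which is the state in which an added script, its WebAssembly module and its WebSocket connection all run unhindered.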
$330 Million Stolen in BTC and Converted to Monero
In April, blockchain analyst ZachXBT revealed a possible link between a sudden 40% surge in XMR and the theft of $330 million in BTC. According to him, there was a notable uptick in trader activity that coincided with the theft. As a result of the attack, one user lost approximately 3.520 BTC.
“Immediately after the transfer, the funds were broken into smaller portions and routed through more than six exchanges. They were then converted into XMR, likely to obfuscate the transaction trail,” he said.