3,500 Websites Compromised to Covertly Mine Cryptocurrency with Stealthy JavaScript and WebSocket Techniques


Jul 21, 2025 | Ravie Lakshmanan | Web Security / Cryptocurrency

More than 3,500 websites have been compromised in a new campaign that plants JavaScript cryptocurrency miners in their pages, a revival of the browser cryptojacking that services like CoinHive made notorious. The difference this time is how much effort goes into staying unnoticed.

The miner is delivered as obfuscated JavaScript that first measures how much processing power the visitor's device has, then spawns background Web Workers to run mining jobs in parallel. The work is throttled so the page stays responsive and the visitor sees nothing unusual, which sets it apart from earlier cryptojacking scripts that pegged the CPU and were easy to spot.

According to researchers at c/side, the script opens a WebSocket to an external server to receive mining tasks. That channel lets the operator adjust mining intensity in real time to the capabilities of each compromised device and keep resource consumption low enough to avoid attention.
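A static check for the behaviour described in the two paragraphs above, added here as an example and not part of the article or of c/side's research: it scores a script on the combination of signals a stealth miner needs (a hardware-concurrency probe, Worker spawning, a WebSocket task channel, a throttle loop, WebAssembly) after undoing the cheap string obfuscation such scripts typically use. The indicator weights, the threshold and the two sample scripts are assumptions constructed for the example; neither sample is a real miner.

```javascript
// Heuristic scanner for in-browser mining behaviour in page JavaScript.
// Added example for this article; not c/side's tooling and not code from the
// campaign. MINER_LIKE and BENIGN_WIDGET below are constructed samples.

const INDICATORS = [
  { name: 'hardware probe',     re: /\bhardwareConcurrency\b/,                              weight: 2 },
  { name: 'worker spawn',       re: /\bWorker\b/,                                           weight: 2 },
  { name: 'blob-backed worker', re: /\bcreateObjectURL\s*\(/,                               weight: 1 },
  { name: 'websocket api',      re: /\bWebSocket\b/,                                        weight: 2 },
  { name: 'websocket url',      re: /\bwss?:\/\//,                                          weight: 1 },
  { name: 'throttle loop',      re: /\b(setTimeout|setInterval|requestIdleCallback)\s*\(/, weight: 1 },
  { name: 'wasm module',        re: /\bWebAssembly\.(instantiate|compile)/,                 weight: 2 },
];
// Raw-source signal: hex/unicode escapes or atob() literals hiding identifiers.
const OBFUSCATION = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|\batob\s*\(/;
const SUSPICIOUS_SCORE = 6; // assumed threshold; tune against your own script corpus

// Undo cheap obfuscation: decode \xNN and \uNNNN escapes, and decode base64
// literals passed to atob(). Decoded text is appended so identifiers hidden
// that way still match the indicators above.
function normalize(src) {
  const unescaped = src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  const decoded = [];
  for (const m of unescaped.matchAll(/\batob\s*\(\s*['"`]([A-Za-z0-9+/=]+)['"`]\s*\)/g)) {
    decoded.push(Buffer.from(m[1], 'base64').toString('utf8'));
  }
  return decoded.length ? `${unescaped}\n/* decoded */ ${decoded.join(' ')}` : unescaped;
}

// Score one script body; returns the matched indicator names and a verdict.
function scanScript(src) {
  const text = normalize(src);
  const matched = INDICATORS.filter((i) => i.re.test(text));
  const hits = matched.map((i) => i.name);
  let score = matched.reduce((s, i) => s + i.weight, 0);
  if (OBFUSCATION.test(src)) { hits.push('string obfuscation'); score += 1; }
  return { score, hits, suspicious: score >= SUSPICIOUS_SCORE };
}

// Scan every inline <script> in a saved page. External scripts would be
// fetched and passed to scanScript() the same way.
function scanHtml(html) {
  const results = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (m[1].trim()) results.push(scanScript(m[1]));
  }
  return results;
}

// Constructed sample: probes CPU count through a hex-escaped property name,
// reaches WebSocket through a base64 literal, spawns one Worker per spare
// core from a Blob, and paces itself with a timer. Not a working miner.
const MINER_LIKE = String.raw`
var n=navigator['\x68\x61\x72\x64\x77\x61\x72\x65\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x63\x79']||2;
var s=new window[atob('V2ViU29ja2V0')]('wss://pool.example.invalid/ws');
var b=new Blob(['self.onmessage=function(e){postMessage(e.data)}']);
for(var i=0;i<n-1;i++){new Worker(URL.createObjectURL(b));}
s.onmessage=function(e){setTimeout(function(){},50)};
`;
// Constructed sample: an ordinary live-chat widget that also uses a WebSocket
// and a timer, to show that those two signals alone do not trip the verdict.
const BENIGN_WIDGET = `
const ws = new WebSocket('wss://chat.example.invalid/live');
ws.onmessage = (e) => setTimeout(() => render(JSON.parse(e.data)), 0);
`;
const PAGE = `<html><body><script>${MINER_LIKE}</script><script>${BENIGN_WIDGET}</script></body></html>`;

console.log(scanScript(MINER_LIKE));    // score 10, suspicious: true
console.log(scanScript(BENIGN_WIDGET)); // score 4, suspicious: false
console.log(scanHtml(PAGE).map((r) => r.suspicious)); // [ true, false ]
```

No single indicator means much on its own, since chat widgets and analytics also use WebSockets and timers; it is the combination that matters. In practice, run this over every script captured from a page load, external ones included, and pair it with runtime telemetry such as sustained Worker CPU time, which a static scan cannot see.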

As security researcher Himanshu Anand put it, “This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools.” The practical effect is that a visitor's browser mines cryptocurrency for the attackers for as long as the compromised page stays open, with no visible sign that anything is wrong.

The campaign also overlaps with **Magecart**, the long-running family of card-skimming attacks: a growing number of the compromised sites have been linked to skimming as well as to cryptojacking. Running both payloads lets the attackers extract more than one revenue stream from the same visitors.

The links between domains that serve both the miner and card skimmers point to the same trend. Rather than relying on one monetization scheme, the operators use injected JavaScript to run whichever attack the visitor and the site make possible, blurring the line between resource theft and data theft.

Client-side attacks keep taking new forms. Other recent findings include malicious JavaScript embeds that abuse Google OAuth endpoints, and malicious code injected directly into a WordPress site's database and loaded through Google Tag Manager.

Another tactic modifies core WordPress files such as **wp-settings.php** so that the site loads a script that contacts a command-and-control server. Once in control, the attackers use the site's existing search engine ranking to inject spam content and manipulate search results in their favour.

Attackers have also used fake WordPress plugins built to evade detection, timing their activation to coincide with search engine crawlers so that the injected content is served to crawlers but never to regular visitors or to an administrator checking the site in a browser.
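A check for the crawler-only injection described in the two paragraphs above (search-ranking spam and plugins that activate for crawlers), added here as an example and not taken from the article: request the same page as a normal browser and as Googlebot, then diff the outbound link hosts and vocabulary each response contains. The user-agent strings, the assumed origin used to resolve relative links, and the two HTML responses are constructed for the example; checkUrl needs Node 18+ for global fetch.

```javascript
// User-agent cloaking check. Added example, not tooling from the article or
// from c/side. BROWSER_VIEW and GOOGLEBOT_VIEW are constructed to stand in for
// the two responses a cloaked site would return.

const BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36';
const GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
const BASE = 'https://site.example/'; // assumed origin for resolving relative hrefs

// Hosts linked from the page; relative links resolve to BASE, and schemes
// without a host (mailto:, javascript:) are ignored.
function linkHosts(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"'#]+)["']/gi)) {
    try {
      const u = new URL(m[1], BASE);
      if (u.host) hosts.add(u.host);
    } catch { /* unparseable href, skip */ }
  }
  return hosts;
}

// Visible-text vocabulary with scripts and tags removed.
function words(html) {
  const text = html.replace(/<script\b[\s\S]*?<\/script>/gi, ' ').replace(/<[^>]+>/g, ' ');
  return new Set(text.toLowerCase().match(/[a-z]{3,}/g) || []);
}

// Any outbound host shown only to the crawler is a strong cloaking signal; a
// large crawler-only vocabulary is a weaker one, since dynamic pages add noise.
function compareViews(browserHtml, botHtml) {
  const bh = linkHosts(browserHtml), gh = linkHosts(botHtml);
  const bw = words(browserHtml), gw = words(botHtml);
  const botOnlyHosts = [...gh].filter((h) => !bh.has(h));
  const botOnlyWords = [...gw].filter((w) => !bw.has(w));
  return { botOnlyHosts, botOnlyWords, cloaked: botOnlyHosts.length > 0 || botOnlyWords.length > 50 };
}

// Live check: fetch the URL with both user agents and compare (Node 18+ fetch).
async function checkUrl(url) {
  const get = (ua) => fetch(url, { headers: { 'User-Agent': ua } }).then((r) => r.text());
  const [browserHtml, botHtml] = await Promise.all([get(BROWSER_UA), get(GOOGLEBOT_UA)]);
  return compareViews(browserHtml, botHtml);
}

// Constructed responses: the crawler view carries an off-screen block of spam
// links that the browser view does not.
const SPAM = '<div style="position:absolute;left:-9999px"><a href="https://cheap-pills.example/buy">buy cheap pills</a> <a href="https://casino-spam.example/">online casino</a></div>';
const BROWSER_VIEW = '<html><body><h1>Acme Bakery</h1><a href="/menu">Menu</a><a href="https://maps.example/acme">Directions</a></body></html>';
const GOOGLEBOT_VIEW = BROWSER_VIEW.replace('</body>', SPAM + '</body>');

console.log(compareViews(BROWSER_VIEW, GOOGLEBOT_VIEW));
// cloaked: true, botOnlyHosts: [ 'cheap-pills.example', 'casino-spam.example' ]
```

Run checkUrl against a handful of pages on a site you administer, including ones that rank well. A plugin can also key its behaviour on crawler IP ranges rather than the User-Agent header, so a clean result from a UA swap alone does not prove the site is clean; comparing against a copy fetched through Google Search Console's URL inspection tool closes that gap.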

Plugin supply chains are a target too. The team behind the popular Gravity Forms plugin recently disclosed that backdoored versions of it had been distributed through legitimate channels. The backdoor could download additional payloads, create unauthorized user accounts, and hand attackers full control of the affected sites, so verifying plugin packages against the vendor's published hashes and watching for unexpected admin accounts matters as much as keeping plugins updated.

Taken together, these cases show that modern client-side compromise ranges from resource theft to data exfiltration while looking like ordinary web activity, and that it is found by watching what a page's JavaScript actually does rather than what it is supposed to do. Practical controls include a Content Security Policy that restricts connect-src and worker-src to known origins, file-integrity monitoring of WordPress core files and plugins, and periodic checks of what a site serves to crawlers versus visitors.
