YouTube Ads Infected by Cryptocurrency Malware

The problem of cryptocurrency-mining malware embedded in online ads reared its ugly head in a big way last week, as several malicious ads popped up on YouTube. This happened due to a rogue actor injecting corrupted content into Google's own DoubleClick ad network.

Image credit: pathdoc/Shutterstock

(Image credit: Image credit: pathdoc/Shutterstock)

The ads were geared to consume 80 percent of the victim's CPU time to "mine" the Monero cryptocurrency, but didn't otherwise harm computers or steal data.

"Hey @avast_antivirus seems that you are blocking crypto miners (#coinhive) in @YouTube #ads Thank you :)" tweeted Italian web designer Diego Betto last Thursday (Jan. 25).

Google has nipped the problem in the bud for now, but this won't be the last time that something similar happens to YouTube or other prominent websites.

What You Should Do

To make sure you're protected against "malvertising," make sure you're running third-party antivirus software that inspects the web pages you load. You could also consider running a script blocker or an ad blocker on some or all of your web browsers. However, ad blockers publishers (including this one) from being able to generate revenue.

Most good antivirus software will screen the URLs your web browsers connect to. Microsoft's built-in Windows Defender does this as well, but only for Internet Explorer and Edge. To get similar protection for Google Chrome, Mozilla Firefox or Apple Safari, you'll need to use a third-party product. Alternatively, you could switch to Opera, a free browser that has an ad blocker built in.

How Did This Happen?

Antivirus maker Trend Micro's researchers were among the first to spot the problem. In a company blog posting Friday (Jan. 26), they said that they "detected an almost 285 percent increase in the number of Coinhive miners on January 24," but had "started seeing an increase in traffic to five malicious domains on January 18." Most of the cryptocurrency-mining activity was seen in France, Italy, Japan, Spain and Taiwan.

Coinhive is a legitimate browser-based cryptocurrency-mining operation that some website operators deploy to augment income, although they're supposed to notify visitors that their CPUs are being temporarily harnessed to earn money for the site. It mines Monero, a cryptocurrency that is easier to mine than Bitcoin.

Unfortunately, the Coinhive script is easy to inject into a site's code. For the past few months, criminals have been infecting websites without the site administrators' consent, then directing the generated money to their own cryptocurrency wallets.

Putting Coinhive code into online ads was the inevitable next step. The chaotic, decentralized nature of the online ad market lets bad actors drop in malicious ads far upstream from the websites that end up displaying them, and those sites often never find out where the bad ads came from.

Trend Micro's researchers found that the malvertising code deployed the standard Coinhive script in 90 percent of instances, but used an off-brand script the other 10 percent of the time, perhaps to dodge Coinhive's 30-percent commission fee.

Under the Radar

Regular ads display during this entire process, Trend Micro said, so that the end user is none the wiser unless he or she checks his CPU usage. However, Ars Technica reported that some of the malicious scripts generated ads for fake antivirus software, which DoubleClick wouldn't normally allow.

Google told Ars Technica and The Register that "[i]n this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms." That doesn't quite jibe with Trend Micro's observation that the malvertising activity lasted six days, from Jan. 18 to Jan. 24, but in any case, the ads are gone for now.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.