Published in News

400 Drupal sites are serving up crypto-jacking software

by on09 May 2018

Admins could not be bothered to update

There are more than 400 sites using the open source Drupal CMS serving up  crypto-jacking software, according to a new security report.

Bad Packets Security researcher Troy Mursch has discovered that a number of websites using an outdated version of the Drupal Content Management System are being victimised by hackers for crypto-jacking.

The sites include US-based government entities and educational institutes, and multiple tech firms, whose visitors will suddenly find their computers running slow as they number crunch for the hackers Coinhive collection.

A list of affected websites compiled by Mursch include those of the US National Labor Relations Board (NLRB) , Lenovo, Taiwanese network hardware maker D-Link, and the University of California, Los Angeles (UCLA). Government-run websites in the US, Mexico, Turkey, Peru, South Africa, and Italy have also been affected.

Mursch discovered that all of the infected JavaScript codes were pointing to the same domain name ( and same Coinhive key, implying that it was a single individual or entity behind all of these attacks.

"Historical DNS data from SecurityTrails was especially interesting. We can clearly see the domain name was used previously in Monero (XMR) mining operations via While it’s somewhat unusual they’d switch from a mining pool with a one percent fee to Coinhive, which takes a 30 percent cut of all mining proceeds, it was the choice they made, he wrote.

Coinhive received some legitimacy after it rolled out a feature that required user consent before a computer could be used for mining. The Coinhive service along with this feature was even integrated by UNICEF to fund its charity for children in Bangladesh.


Last modified on 09 May 2018
Rate this item
(0 votes)

Read more about: