Last week there was an article pointing out that hundreds of websites have been hacked to add bitcoin cryptocurrency mining scripts into them. This of course is interesting to the media because it uses the words ‘hacked’ and ‘bitcoin’ cryptocurrency in the same sentence. Tools like AT&T’s Video Optimizer will find these connections in a mobile application or website, and webpagetest.org would also work for mobile or desktop websites.
Now, when I hear things like “hundreds of sites” and infected… I immediately start thinking - “I wonder how many sites are mining bitcoin?” This (of course) leads to “How badly does bitcoin cryptocurrency mining affect the performance of the site?”
I know these are normal things to ask oneself. Right?
How Does One Mine bitcoin Cryptocurrency on a Website?
Essentially what happens is that a Javascript library is added to the page, and as long as the page is open, the Javascript (through the browser) will use the local CPU to perform bitcoin cryptocurrency calculations, and the person holding the bitcoin key can make money for any hashes that are uncovered. The consumer may not know that their device is crunching some pretty heavy numbers, but may notice faster battery drain, or perhaps the device getting warm to the touch.
The most popular JavaScript library for this is CoinHive. You add a script dependency:
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
and a few lines of code - and you are on your way to wealth and riches. The documentation talks about how “you should not do this without telling your customers that you are doing it, because that is not ethical…” Clearly, this disclaimer is not working. 
So, How Many Sites ARE Mining Bitcoin Cryptocurrency?
A quick search in the 10-15-2017 mobile HTTPArchive shows 1,040 sites that are using some form or other of “coinhive.min.js” There are a few duplicates - it appears some sites are running 2 separate instances (one hosted at coin-hive.com and the other at coinhive.com.) Since mining bitcoin cryptocurrency is a CPU intensive thing - I would imagine that 2 instances would be competing for resources, and might not be the most efficient way to mine bitcoin.
SELECT
pages.rank rank,
pages.url url,FROM
httparchive.runs.latest_pages_mobile pages join(
SELECT
url,
pageid,
FROM
httparchive.runs.latest_requests_mobile
WHERE
url CONTAINS “coinhive.min.js”) requests
ON
requests.pageid = pages.pageid
ORDER BY
pages.rank ASC
We can modify this query to get SpeedIndex and VisuallyComplete from “latest_pages_mobile.”
Can We Get CPU Usage?
My assumption is that bitcoin cryptocurrency mining is going to really impact CPU usage - and we can get CPU usage from the HAR data in HTTPArchive. While I am at it, I’ll grab the Time to Interactive too:
CREATE TEMPORARY FUNCTION
getHarEntry(payload STRING,
field STRING)
RETURNS INT64
LANGUAGE js AS “”"
try {
var $ = JSON.parse(payload);
return $[field];
} catch (e) {
return ‘’;
}
“”“;
SELECT
url as url,
getHarEntry(payload,”_TTIMeasurementEnd") AS tti,
getHarEntry(payload,“_fullyLoadedCPUpct”) AS cpu
FROM
httparchive.har.2017_10_15_android_pages
I saved this result in a table, and then can join it with the first query to learn the TTI and CPU % for each site that mines bitcoin cryptocurrency.
Timing Metrics
Let’s take a look at the load performance metrics. I have timing stats for all of the sites than mine bitcoin. I calculated quartiles(metric, 11) to get the percentiles at 10% intervals for all of the speed metrics. The data is similar at every decile, so for simplicity, I will only report the median values here.
In this chart, I am comparing the median site that mines bitcoin to the median value for all mobile sites in the HTTPArchive:
Sites with bitcoin cryptocurrency mining have a small 6% impact to SpeedIndex, but VisuallyComplete and TimeToInteractive are 18.5% and 21% slower. This is not terribly surprising, right? The site is throwing another process on the CPU that we know is going to use as much CPU as possible - and that will impact the page loading (especially on a mobile device)
So, how much more CPU is used when JavaScript bitcoin cryptocurrency mining is going on?
The Median site with bitcoin mining uses 14% more CPU than the median site in the HTTPArchive (45%-32%).
Coinhive API Parameters
What else can we learn about bitcoin cryptocurrency mining in the Browser? The Coinhive API lists a bunch of different parameters that can be configured in your mining operation. To see these, we need to get the bodies where the Coinhive JavaScript is called:
select
page, url, body
from httparchive.har.2017_10_15_android_requests_bodies
where body CONTAINS “coinhive.min.js”
This is a ~500GB query, so I made sure to save the results in a table to simplify future calculations.
There are only 645 results (from the 1040 pages found).
The first parameter to look for is the “isMobile()” which allows the bitcoin cryptocurrency miner to turn off mining when the customer is on a mobile device. There are only 16 matches (of 645) and a manual check shows that none are being used in reference to the CoinHive scripting. So basically - if a site has bitcoin mining running - it will mine on your phone as well.
We now know that every site that mines bitcoin will do it on your phone… So how hot is your phone going to get? The mining API has parameters to adjust how many threads to use for mining (the default is navigator.hardwareConcurrency - the number of CPUs available). The API also allows you to throttle the usage of the CPUs; the default throttle is 0 - meaning 100% of the CPU will be used to mine bitcoin.
Here is the query I used to measure the percentiles of thread count: https://bigquery.cloud.google.com/savedquery/554669893916:ff156ca38c414d8a9b69bd7d03d865a0
Let’s see what we can learn. There are only 157 sites that return a value for “thread” based on my Regex. This means that 500 (77%) will be using all of the available CPUs. The remaining sites have 61 with Javascript parameters, but 96 have a simple value. Of those 96, the median # of threads specified is 2, but the 60% percentile onward specify 4-8 threads:
How much CPU will these threads use? In the Coinhive API, you can configure the throttle on your mining operation. A throttling value closer to 0 means “mine fast and cook the phone” and a number close to 1 means “mine slowly, so no one will notice.” The default value is 0. In my query for throttling parameters, I find 292 sites that set this parameter. Of course, this implies that 353 (or 55%) of these sites have throttle set to 0.
Of the sites that set a parameter for throttling, there are 221 entries that specify a value for the throttle, and we find that the median site runs at 50% throttle.
Conclusion
There are a small number of websites (1040 on mobile, 1165 on desktop) that mine bitcoin cryptocurrency using the CoinHive JavaScript library on their home page. Of 645 that I was able to examine the Javascript code on, over 50% use the default settings of mining on “all available CPUs” with 0 throttling.
The median site using the CoinHive bitcoin mining library uses 14% more CPU compared to the HTTPArchive dataset, and has a Time to Interactive that is 21% slower.
It may be the case that adding bitcoin cryptocurrency mining to your site allows to to earn money without using ads. However, the data presented here shows that there is a performance impact to the addition of these mining libraries to your site.
NOTE: CoinHive mines Monero, not Bitcoin, and I used these as synonyms. I changed all instances to “cryptocurrency.”
