Coinhive is a cryptocurrency miner that can be downloaded without the user’s knowledge and steal computing resources to generate revenue in the form of cryptocurrency. It’s often used for crypto-jacking.
What is Coinhive?
Coinhive is a JavaScript library that can be used by website owners to mine for cryptocurrency and generate revenue. However, it has also been embedded into browser extensions and bundled with other software downloads to crypto jack unsuspecting computer users.
Cryprojacking is a form of theft where malware downloaded without the user’s knowledge steals resources like CPU cycles, memory, and network bandwidth to solve cryptographic puzzles and mine for cryptocurrency for the benefit of the malware distributor.
It has been reported to consume more than 90% of CPU and GPU cycles, meaning any computer installed is likely to slow down or freeze.
How do I know if I have been infected by the Coinhive miner?
Here are a few of the symptoms.
- Your web browser uses an unusually high percentage of CPU cycles (you can check this by launching Activity Monitor from Applications > Utilities and clicking on the CPU column header)
- You notice your Mac connecting to
coinhive.com/lib/coinhive.min.js
- Applications take longer than usual to launch
- Your Mac runs much more slowly
How did it get on my computer?
There are two main methods of distribution: browser extensions and bundling code with other applications. Installing a malicious browser extension can hijack your browser and change settings and install the code necessary for crypto-jacking.
Bundling is a standard method used to distribute malware. It can happen when applications that were once popular but are no longer updated are cracked by hackers who then inject code so that they become trojans for their malware. Bundling also occurs when download managers use software download sites for packaging additional programs with the one you intended to download, so you install them without realizing it.
How can I avoid Coinhive?
To avoid downloading it, you should be vigilant about which browser extensions you install – check carefully before you agree to download and install them. You should also take care when downloading programs from free download sites. Don’t use proprietary download managers, which always bundle extra programs with the app you download. And don’t ignore the message from GateKeeper when it tells you that you are about to install an application downloaded from the internet. Read it carefully and make sure the app you are installing is the one you intend to install.
You should also install anti-malware software that scans your Mac in the background and alerts you if it spots anything dangerous. I use CleanMyMac’s real-time monitoring. Once switched on, it protects your Mac by monitoring what you do and comparing anything you download with its database of known malware.
How to remove Coinhive from your Mac
You can use two methods to remove Coinhive: the easy, automatic method and the longer manual route. The automatic way means using an anti-malware tool to scan your Mac and remove any malware it finds. I recommend CleanMyMac X. In addition to the real-time monitoring described above, you can use it to check your Mac for malware at any time using its malware removal utility. It also has tools to quickly remove browser extensions and files that a crypto jacker may have stored on your Mac. Here’s how to use it.
- Download CleanMyMac and then follow the instructions to install it.
- Launch the app and choose the Malware Removal module in the sidebar.
- Press Scan.
- If it has found anything CleanMyMac X will let you remove it.
Here’s the how to remove Coinhive malware manually
- If you think you acquired Coinhive by downloading software, go to your Applications folder and locate the application you downloaded just before you noticed problems with your Mac.
- Drag it to the Trash and empty it.
- Go to the Finder, choose the Go menu and select Go to Folder. Paste each of the following locations into the box, one at a time, and look for any files in the folders that have the name ‘coinhive’ in them.
~/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Application Support
~/Library/Application Support
That will remove any trace of the app from your Mac. However, if Coinhive has installed a browser extension, you will need to remove that too. Here’s how.
Remove malicious browser extensions
Safari
- Click on the Safari menu and choose Preferences, then Extensions.
- Locate any suspicious extensions, select them and choose Uninstall
Chrome
- Paste the following URL into the address bar:
chrome://extensions
- Look for any extensions that seem suspicious or you didn’t install.
- Press Remove next to any extension you want to get rid of.
Firefox
- Navigate to the extensions settings by pasting this into the address bar:
about:addons
- Choose Extensions and locate the one you want to get rid of.
- Click on the three vertical dots to the reight of the extension and choose Remove.
Coinhive is a crypto miner, often used to hijack resources to generate revenue for hackers. It will slow your Mac down and make it behave erratically. You can avoid downloading by taking the precautions described above. But if you do download it, the easiest way to get rid of it is to use CleanMyMac’s Malware Removal module.