The cryptocurrency mining malware epidemic is getting out of hand: nearly 50,000 sites have been surreptitiously infected with crypto-jacking scripts, according to security researcher Troy Mursch from Bad Packets Report.

Relying on source-code search engine PublicWWW to scan the web for pages running crypto-jacking malware, Mursch was able to identify at least 48,953 affected websites. He adds that at least 7,368 of the compromised sites are powered by WordPress. 

The researcher notes that Coinhive continues to be the most widespread crypto-jacking script out there, accounting for close to 40,000 infected websites – a stunning 81 percent of all recorded cases.

It is worth pointing out that Mursch was able to find at least 30,000 websites running Coinhive back in November last year.


Bad Packets Report indicates that the remaining 19 percent is spread among various Coinhive alternatives, such as Crypto-Loot, CoinImp, Minr and deepMiner.

His research suggests there are 2,057 sites infected by Crypto-Loot, 4,119 by CoinImp, 692 sites by Minr, and 2,160 by deepMiner.



Back in February, security researchers discovered that a slew of legitimate websites – including government and public service agency portals – were quietly running crypto-jacking scripts.

The researcher has also published a PasteBin document detailing the 7,000 affected sites found since January 20 this year. “Some of these sites have already removed the crypto-jacking malware,” the PasteBin page reads. “However, many remain compromised. Browse at your own risk.”


In the meantime, those seeking to protect themselves against such attacks ought to read this piece explaining how to stop hackers from secretly borrowing your CPU power to mine crypto.

Those interested in the full Bad Packets Report post can read it at “How to find cryptojacking malware”.