Library Improvements and Best Practices

We have implemented some improvements for our JavaScript API and the Simple UI to help you deliver a better experience for your users.

The JavaScript API has gained two new methods: miner.isMobile() to check if the user is on a phone or tablet and miner.didOptOut() to check if the user canceled the opt-in screen in the last few hours.

Mining on mobile devices is quite slow and it also drains the battery quickly. So to be more user friendly, consider disabling mining on mobile devices completely. Also, if the user cancels the opt-in, you probably don't need to show it again on each new page load. You can achieve both now with a simple if:

// Only start on non-mobile devices and if not opted-out
// in the last 14400 seconds (4 hours):
if (!miner.isMobile() && !miner.didOptOut(14400)) {
	miner.start();
}

For the Simple UI you can now listen on all miner events, just like for the JavaScript API. See the documentation for the details.

posted on Nov 01, 2017, the Coinhive Team

Security Incident - DNS Breach

Tonight, Oct. 23rd at around 22:00 GMT, our account for our DNS provider (Cloudflare) was accessed by an attacker. The DNS records for coinhive.com were manipulated to redirect requests for the coinhive.min.js to a third-party server. This third-party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker "steal" hashes from our users.

No account information was leaked. Our web and database servers have not been accessed.

The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014. We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years-old Cloudflare account.

We're deeply sorry about this severe oversight.

We're looking for ways to reimburse our users for the lost revenue tonight. Our current plan is to credit all sites with an additional 12 hours of their daily average hashrate. Please give us a few hours to roll this out.

posted on Oct 24, 2017, the Coinhive Team
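
Added example, not part of the original post and not Coinhive's code: a site that embeds a third-party script can detect the kind of substitution described in this incident by pinning the file with Subresource Integrity. The Node.js sketch below computes a pin, checks served bytes against it, and lists external script tags that carry no pin; the script bodies, URLs and function names are constructed for illustration.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Build the value of an SRI `integrity` attribute for the given script bytes.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// True only if the served bytes match the pinned integrity value.
function matchesPin(body, pinned) {
  const alg = pinned.slice(0, pinned.indexOf('-'));
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  const got = Buffer.from(sriHash(body, alg));
  const want = Buffer.from(pinned);
  return got.length === want.length && timingSafeEqual(got, want);
}

// List external <script src> URLs in a page that carry no integrity attribute.
// Regex matching is enough to audit your own templates; it is not an HTML parser.
function unpinnedScripts(html) {
  const out = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const tag = m[0];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (src && /^(https?:)?\/\//i.test(src[1]) && !/\bintegrity\s*=/i.test(tag)) {
      out.push(src[1]);
    }
  }
  return out;
}

// Constructed sample data (not real library contents).
const reviewed = 'var miner = new Miner(SITE_KEY_FROM_PAGE);';
const served = 'var miner = new Miner("HARDCODED-OTHER-KEY");';
const pin = sriHash(reviewed);
const page = [
  '<script src="https://vendor.example/lib/a.min.js"></script>',
  `<script src="https://vendor.example/lib/b.min.js" integrity="${pin}" crossorigin="anonymous"></script>`,
  '<script src="/local.js"></script>',
].join('\n');

console.log(pin);
console.log(matchesPin(reviewed, pin), matchesPin(served, pin));
console.log(unpinnedScripts(page));
```

A pin only holds for a file whose bytes do not change, so a vendor URL that is updated in place will fail the check on every legitimate release. For cross-origin scripts the browser enforces the pin only when the tag also carries a crossorigin attribute and the server sends CORS headers.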

Lower Minimum Payouts

We have received a lot of criticism for our minimum payout threshold. Many of our users deemed it far too high. If you had a small website without much traffic, your money would be essentially locked up on our servers for a long time.

We don't want to hold your money hostage - the truth is simply that the transaction fees in the Monero network are quite high. So far, we have paid all these transaction fees out of our own pockets.

Today we're offering a compromise: we're giving you the option to configure a lower minimum payout (down to 0.05 XMR) and in turn charge 0.01 XMR for each transaction below 0.5 XMR. Head to your payment settings if you want to set a lower minimum payout for your account.

All payouts at or above 0.5 XMR will of course continue to be free.

posted on Oct 20, 2017, the Coinhive Team

AuthedMine Localization

That was fast. Yesterday we asked our users to translate the AuthedMine opt-in screen into other languages. Today, after 354 edits from 303 users, we can proudly add support for 54(!) languages. We are very grateful to have such an amazing community.

You don't have to do anything to use the localized version of the opt-in screen. Our system will automatically select the right language based on the user's accept-language setting.

If you want to force a specific language, you can use the language property with the ISO 639-1 code. We also added an optional "dark" theme for the opt-in screen. See the Constructor Options documentation for the details.

Here's the full list of languages: Abkhaz, Afrikaans, Albanian, Arabic, Basque, Belarusian, Bosnian, Brazilian Portuguese, Bulgarian, Catalan, Chinese, Croatian, Czech, Danish, Dutch, English, Esperanto, Estonian, Finnish, French, Georgian, German, Greek, Hebrew, Hindi, Hungarian, Indonesian, Italian, Japanese, Korean, Latvian, Lithuanian, Malay, Marathi, Norwegian, Norwegian Bokmål, Norwegian Nynorsk, Ossetian, Persian, Polish, Portuguese, Romanian, Russian, Serbian, Sinhala, Slovene, Spanish, Swedish, Tamil, Thai, Turkish, Ukrainian, Vietnamese, Yoruba.

If your language is missing or you see an error with one of the translations, please suggest an edit. If you edit an existing translation, please state in the comments what exactly you changed and why.

Thank you for your contributions!

posted on Oct 19, 2017, the Coinhive Team

AuthedMine – Non-Adblocked

Shortly after we launched, some adblockers and even antiviruses began blocking Coinhive. We have outlined our ideas about this issue in our previous blog post and we're happy to report that we have a solution: AuthedMine.

AuthedMine enforces an explicit opt-in from the end user to run the miner. We have gone to great lengths to ensure that our implementation of the opt-in cannot be circumvented and we pledge that it will stay this way. The AuthedMine miner will never start without the user's consent.

In turn, we hope that Adblockers and Antiviruses acknowledge the legitimate use and value of Cryptominers when the user gives an explicit opt-in. There is no need for them to block the AuthedMine implementation.

Example of the opt-in screen for the JavaScript API

Transitioning to AuthedMine

If you already implemented Coinhive on your website, you don't have to do anything. Our previous solutions will continue to work exactly as they did. However, we want to encourage you to use our new opt-in solution if you can.

If you want to switch, for the Simple UI and the Captcha all you have to do is to load the new JavaScript files from authedmine.com instead of the ones hosted on coinhive.com. You only lose the autostart ability, but will benefit from not being adblocked.

I.e. for the new AuthedMine Captcha:

<script src="https://authedmine.com/lib/captcha.min.js" async></script>

And the Simple Miner UI:

<script src="https://authedmine.com/lib/simple-ui.min.js" async></script>

The switch to our new JavaScript API is equally simple. You just have to load the authedmine.min.js instead of the coinhive.min.js. The API works exactly as before, but the miner.start() call will now present an opt-in screen to the user.

<script src="https://authedmine.com/lib/authedmine.min.js"></script>

Please refer to our AuthedMine documentation for all the details.

A Note to Adblock and Antivirus Vendors

We urge you to please read this blog post and our AuthedMine documentation carefully. You will find that there's no need to block authedmine.com or any files on this domain and we promise it will stay this way.

If you have any questions, please get in touch. We strongly believe in the future of this project. We want to do this right and we hope you will support us.

posted on Oct 16, 2017, the Coinhive Team

First Week Status Report

We launched our JavaScript Crypto Miner a little over a week ago. The last 8 days have been a mixture of pure excitement and sheer terror. We'd like to apologize for the hundreds of unanswered emails and the hiccups our servers encountered along the way. It's fair to say we weren't properly prepared for what was about to come.

[Figure: Coinhive hashrate in hashes/s, last 8 days]

See that little hill on Sep. 14? We had an Oh shit! moment right there. A few sites were actually using our service and collectively mined at 100K hashes/s. We have since peaked at 13.5M hashes/s – a quite respectable 5% of the global hash rate of the Monero blockchain.

In just one week we scaled from one lonely server to 28 WebSocket proxies, 6 web servers, two database servers and two VPS doing maintenance work. We had countless performance issues to fix and a few sleepless nights, but we are now handling 2.2 million concurrent WebSocket connections quite comfortably.

We still have a lot of hard work ahead of us if the pace keeps up like this.

An Alternative to Ads, blocked by AdBlock

Our goal was to offer a viable alternative to intrusive and annoying ads that litter so many websites today. These ads are not only a distraction to end users, but also provide notoriously unpredictable and non-transparent revenue numbers. We set out to change that.

The revenue you receive from Coinhive is easily predictable and our payouts are now fully automated and initiated 12 times a day. We don't hold your money hostage for months on end like so many ad networks do. So we delivered on that part already.

Providing a real alternative to ads and users who block them turned out to be a much harder problem. Coinhive, too, is now blocked by many ad-block browser extensions, which - we have to admit - is reasonable at this point.

The Way Forward

We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission. We believe there's so much more potential for our solution, but we have to be respectful to our end users.

We hope we can convince website owners to integrate the miner in a way that is more meaningful and honest to their users. With our API you can already keep track of hashes each user on your site has submitted and provide incentives for running the miner. We will expand our API to enable even more use cases, including user toplists and more detailed statistics.

It's probably too late to do anything about the adblockers that already prevent our current JavaScript from loading. Instead, we will focus on a new implementation that requires an explicit opt-in from the end user to run. We will verify this opt-in on our servers and will implement it in a way that it cannot be circumvented. We will pledge to keep the opt-in intact at all times, without exceptions.

This way we hope to convince ad-block extensions to not block this new implementation, but instead, see it as just another JavaScript library that you can integrate on your site.

It's been a wild ride so far. It sparked our own excitement for the future of the web again.

posted on Sep 22, 2017, the Coinhive Team

© 2017 coinhive