A Case Study: How One Big Player Could Impact the Cohive Business in China

"Who is Stealing My Power" is a series of articles on the topic of web mining that we observed from our DNSMon system.

As we mentioned in this series of one, two, and three , the players in the market can be mainly divided into mining sites and content/traffic sites. The former provides mining capabilities and the latter provides traffic.

For the mining sites, the coinhive family is currently the largest, accounts for roughly 58% of the market share.

A lot of interesting things can be observed by tracking DNS traffic for the coinhive family domain name through DNSMon. For example, the following figure shows the volume distribution of domain name requests that are closely related to coinhive.com. (Time: 2018-01-31 to 2018-02-15)

The domain names in the figure all have close relationship with coinhive.com , and you can see their dns request volumes vary. Now let’s take a close look at two of them kw.cndqsjlg.com and v.bjztkeji.com. From February 3 to February 8. The volume rapidly increased but quickly disappeared after February 9. Unlike other stable domain names, the appearance of these two domain names is very abrupt.

The request volumes of these two domain names shoot up at the beginning and then quickly disappeared. This abnormal behavior caught our attention. So here is our analysis.

The Fluctuations of Coinhive.com Request Traffic

As seen in the above chart, the dns traffic of coinhive.com has some major fluctuations between Feb 1st and 10th. It can be broken into four sections:

  • The first spike, Feb 5th
  • The first crash, Feb 6th
  • The second spike, Feb 7th
  • The second crash, Feb 8th

Now let’s exam the causes of these anomalies.

The First Spike of Coinhive Traffic

You can easily spot the big spike of coinhive dns traffic in stage 1, what caused this?

Note the green line, domain kw.cndqsjlg.com:

  • It is a brand-new domain, registered on Feb 2nd, only 48 hours before the peak
  • The web page of this domain has coinhive mining script. The corresponding site_key is 76kBm8jdLIfdkW6rWAbAs58122fovBys
  • The traffic pattern of this domain matched nicely with coinhive.
  • We estimate this domain name contributes ~18% of coinhive source traffic in mainland China

The First Coinhive Traffic Crash

During the period stage 2, from Feb 6 to Feb 7, you can see coinhive traffic had a significant dip, the reason?

  • kw.cndqsjlg.com stopped using coinhive.
  • Instead, it used its own deepminer for mining to avoid 30% Fair Payouts from coinhive

After the 7th, the domain name was no longer active.

The Second Spike of Coinhive Traffic

Now let’s take a look at stage 3, we can see there is another traffic spike for coinhive, the reason?

Similar to above, there is another new domain v.bjztkeji.com (blue line) started to show up:

  • This new domain has the coinhive script running on its website, confirmed by analyzing the web page content
  • The corresponding site_key is 76kBm8jdLIfdkW6rWAbAs58122fovBys, same with the old kw.cndqsjlg.com
  • The traffic pattern of this domain name again matched nicely with the spike traffic of coinhive
  • Further analyze shows the traffic is taken from the old kw.cndqsjlg.com
  • We estimated that this domain name contributed ~15% of coinhive traffic in mainland China

The Second Coinhive Traffic Crash VS 360 Disclosure

On Feb 8, 360 security published an article disclosed this security case, pointed out the company behind was a domestic adnetwork and blocked the above behavior in our browser products. Correspondingly:

  • Traffic of kw.cndqsjlg.com: gradually fell to the floor
  • Traffic of v.bjztkeji.com: dropped to the floor after the 9th
  • Traffic of coinhive.com : substantially lower after 9th and keeps that way till this day. Traffic volume in last week is about 45% ~ 65% of the peak, in mainland China

The corresponding traffic figure:

Not the end

Ad network involved cryptojacking is something really worth noting. In our previous article, we published a similar case regarding to an US company, we will not be surprised there are other players in the market that are doing similar thing.

We will continue to monitor the web mining market. If readers have new discoveries, feel free to contact us on twitter.