How To Find & Remove Coinhive Crypto Mining Malware?

Updated on

CoinHive Crypto Mining Malware

How to remove coinhive crypto mining malware from website

Cryptocurrency miners use CoinHive crypto-jacking malware that can be downloaded on the consumer website by taking in use JavaScript. When consumers go through the website, JavaScript miners will start on the browser. This is the perfect option used as an advertisement on the website. One problem is that the attackers use it as malware to attack the consumer’s website and infect it meticulously.

You will require a JavaScript snippet to start with the Monero cryptocurrency mining and Coinhive is also used with it. Insert the snippet and it will display on the header or footer. When any prospect will visit the website, automatically Coinhive cryptocurrency mining malware will trigger and get the power of the CPU. If you can attract around 20 miners then handsome revenue can be generated out of it every month.

Although it is not the malevolent service, still lots of advantage is taken by the attackers to generate revenue out of it. Due to this reason, the site is blacklisted in Google. Malicious activities like redirecting visitors from your site to malware website, WordPress phishing hack, injecting php backdoors, SEO spam etc can be executed on your website by hackers and it may have long term devastating impact on your WordPress security & SEO rankings.

What to do if your wordpress site is infected with CoinHive malware?

In this article you will learn about what is cryptocurrency mining (Coinhive) malware, How Crypto currency Miners Exploit WordPress Sites & Ways to detect and remove Crypto Mining Coinhive Malware.

What is CoinHive Malware?

It is the service through which the business owner can earn the revenue by mining the CoinHive miner on the consumer site.

This code is formulated to have access over the computer and earns revenue. People are installing the ad blockers so website owner finds Coinhive a better alternative to generate revenue. The only disadvantage is that hackers found its easy way to hack the consumer website and earn money. Every Coinhive miner has to download the codes on the hack websites.

If Coinhive is downloaded and inserted in the header or footer of the site, then your visitor is earning revenue out of it.

The best part is that there is an escape from by removing the CoinHive malware and then comfortably working on your healthy website. This will eliminate the burden of the visitor as well as the whole mining procedure has a direct impact on the visitor’s CPU.

Further, let’s check out some of the steps to follow that will remove the Coinhive malware from your WordPress website.

Also Read – How To remove Favicon.ico virus from WordPress site.

scan wordpress to find and remove coinhive hack

List Of Crypto Mining Code Hosts

We have amalgamated the list of 3rd party domains who are the host. Furthermore, the name of JavaScript is given in accordance with the name of core files so that the webmaster doesn’t have any doubt and it looks legitimate.

  • ads.locationforexpert[.]com
  • camillesanz[.]com/lib/status.js
  • security.fblaster[.]com
  • fricangrey[.]top/redirect_base/redirect.js
  • alemoney[.]xyz/js/stat.js
  • africangirl[.]top/redirect_base/redirect.js
  • ribinski[.]us/redirect_base/redirect.js
  • aleinvest[.]xyz/js/theme.js
  • babybabybabyoooh[.]net/beta.js
  • www.threadpaints[.]com/js/status.js
  • oneyoungcome[.]com/jqueryui.js
  • wp-cloud[.]ru
  • doubleclick1[.]xyz
  • doubleclick2[.]xyz
  • doubleclick3[.]xyz
  • doubleclick4[.]xyz
  • doubleclick5[.]xyz
  • doubleclick6[.]xyz
  • api[.]l33tsite[.]info
  • ws[.]l33tsite[.]info


CoinHive is the most installed malware in the world. Similar to that Cryptographic malware can hijack up to 65% of computers’ processing power.

Cybercriminals target cryptographic malware attacks primarily at businesses. A company specialized in offering security solutions for information technologies, estimates that 55% of the computers of companies around the world are infected with cryptographic malware, a type of malicious software known as crypto-miner.

The top 10 of the most wanted malware in the world are following:

  • CoinHive: Crypto-Miner designed to perform online mining of Monero cryptocurrency without user approval. The implemented JavaScript uses large computational resources on end-user machines to extract parts, which affects system performance.
  • Rig ek: Exploitation kit that uses Flash, Java, Silverlight and Internet Explorer. The chain of infection begins with a redirect to a landing page containing JavaScript that searches for vulnerable plugins and delivers the exploit.
  • Cryptoloot: Crypto-Miner competitor to CoinHive, trying to outperform it by requesting lower revenue percentages from websites.
  • Roughted: Malvertising or “malicious advertising.” It can be used to attack any type of platform and operating system, and uses adblocking and fingerprinting to ensure it delivers the most relevant attack.
  • Fireball – A browser hijacker that can turn into a fully functioning malware downloader.
  • Globeimposter: Ransomware that is distributed through spam campaigns, malvertising, and exploits kits. After encryption, the ransomware adds the extension .crypt to each encrypted file.
  • Ramnit: Banking Trojan that steals bank credentials, FTP passwords, session cookies, and personal data.
  • Virut – Botnet known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-as-you-go activities.
  • Conficker: Worm that allows remote operations and downloads of malware. The infected machine is controlled by a botnet, which contacts a server for instructions.
  • Rocks: Web-based Crypto-Miner, hijacking the victim’s CPU and existing resources for cryptography.

Finding Crypto Mining Malware (CoinHive)

If you notice that without any notification the CoinHive process has been started then it clearly shows that the visitor site is injected with the purpose of hacking their website.

Let’s check out who can check whether the website is injected with malicious code or not.

  • Go to the homepage and then choose “View Source”.
  • Now, check out files that look suspicious.
  • Along with it, look out in core files to find the malicious code. If you want us to handle that for you, contact us here else, continue and perform the following steps:

Identify modified files

you can perform the following steps:

  •  use the following SSH command to Search for common malware strings
    find /var/www -name "*.php" -exec grep -l "eval(" {} \;
    Replace the string in bold with the ones listed below and run the command again:

    • echo(gzinflate(base64_decode
    • coinhive (Crypto-Jacking Code Malware)
    • locationforexpert
    • base64_decode
    • gzinflate(base64_decode
    • eval(base64_decode
  • Open the files that are flagged by these searches
  • Examine recently modified files on the server using the following SSH command
find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

The first thing to do is to identify which files have been changed. You can do this in several ways:

  • Connect to the server (if it is possible). Use command “$ find ./ -type f -mtime -10”, where -10 means day interval.
  • Use the FileZilla program. First, choose Server -> Search remote files… In the window that opens, select search conditions -> date, after, and enter the date, e.g. 10 days earlier than today.
  • Look up for “CoinHive” keyword in your database table. If you have access to phpMyAdmin, use the Search tool or try to search using SQL LIKE request for connecting to the server.
  • Download functions.php ( wp-content/themes/{look in each theme folder}) > (CTRL + F) to find coinhive any script associated with coinhive & delete.
  • Look for a file named jquory.js (wp-content/themes/…/assets/js/jquory.js)


If you are using nulled themes you need to be careful as these are injected with mining malwares. We recommend you to scan nulled wordpress themes & plugins for malicious code.

Coinhive miner code example:

coinhive miner code example

Remember that this part of the CoinHive JavaScript miner code TnKJQivLdI92CHM5VDumyS is used to identify the user of the script and may vary. You can also take a look at our WordPress malware removal guide.

  • Download a copy of your site to a local PC and use a text file search tool (like wingrep) to search for ‘coinhive’.
  • Or get shell access and do a grep -r ‘coinhive’ *

This will list all the files containing the word coinhive.

NOTE: At times the actual HTML output like that <script src= part is obfuscated so in your source code there might be eval() or base64() lines of code without the coinhive text. Try our security scanner or service to detect the actual infection and vulnerability checklist.

Run a WordPress malware scan for your site to detect the malware and clean it instantly. Let us remove cryptocurrency malware in no time!

Coinhive Malware Removal

To eliminate the malware, you have to in-depth clean your website and fill all the gaps that caused the hijack it.

Fix Crypto Mining Coinhive Malware WordPress Hack

When the attackers infuse the malevolent code then go through the folders, or documents as they definitely have hidden the malevolent code inside the files. Along with it, you should go through the website theme as it might be attacked and hackers have infused malevolent code. If the prospect doesn’t have the search engine bot, then the hackers will infuse the malevolent JavaScript code.

coinhive virus wordpress

So, meticulously inspect and find whether your files or folders are infected or not. Also, keep an eye on the documents that are not systematically put together.

Check and compare these files for modifications:

  • index.php
  • wp-admin/admin-header.php
  • wp-content/uploads
  • wp-includes/general-template.php
  • wp-includes/default-filters.php
  • wp-includes/manifest.php.
  • Look for unrecognized code in header.php in your theme folder
  • functions.php

Remove Crypto Mining Coinhive Malware in Magento

If using the Magneto, search for the CoinHive code in your database. Check out the “core_config_data table”, you can use a proper tool like phpMyAdmin and check out the value of head/includes/design. Scan the files and eliminate the one having JavaScript using <Script> tag.

Furthermore, you should also look at copyright text to inspect whether there is any other malicious code or not. After eliminating all the malicious files clear Magneto.

Remove Crypto Malware(Coinhive) Hack from OpenCart

You might find some infected files or folders in OpenCart. The way you can clean the files is the same as discussed earlier. After cleaning it, you can assure originality by comparing it with the actual files and folders.

  1. If you are accessing the Drupal website then you need to check the .js files. Though the Google analytics module, you can find the code of crypto mining:


You might have noticed that ConHive code is mentioned after Google analytics. In this way, the Coinhive code will be activated, to begin with the process.

Removing CoinHive Malware From WordPress Site

You have to find the malicious code before cleaning it. You can search for the malware through any plug-in or manually.

If you go for the manual option, then it will be a bit intimidating. A few years back when there was no complex structure of these files at that time attackers only had someplace to hide the malicious code and you can easily look out for these malicious files manually. But not anymore!!

Websites are formed with tons of files and software. Now, the malicious code can be hidden anywhere. If you search for it manually then it will be time-consuming and it is not sure whether you will find the malicious files or not.

So, it is advisable to use the plug-in to find the malicious code as it will consume less time and will also find the infected files. The difficult part is selecting the right plug-in as there are some of the plug-ins that are not much effective.

Cryptomining Malware CoinHive in Database

The attackers infuse the malware code to the website database. Here is the screenshot of the malicious code.


Prevent CoinHive Malware Hack

Firstly, run the scanner through the files and folders. Get the tools so that your work will be a bit easy as the tool will monitor the files and scan out what the changes are taking place. The hackers modify the files while infecting them with the code.

  • Security Policy

Only purchases the credible source to get the JavaScript files and be very vigilant while including Java files to the website. JavaScript includes some security standards that will safeguard the site and web pages from injecting any malicious code.

  • Importance of CMS Upgradation

Every time the CMS version arrives, there is always an upgrade in the security updates. To safeguard your website updates all the security updates available. You can also join the group from where you can get regular updates about updates available in the market.

  • Install ALL vendor-released security patches

Each CMS releases security patches as critical issues are reported. Subscribe to their security mailing lists / RSS feeds and keep your software up to date.

  • Create a content security policy (CSP)

This is an IT security standard intended to prevent code injection attacks such as cross-site scripting (XSS), clickjacking, etc. CSP allows malicious content to be executed in the web page of trust on client browsers.

  • Only include JavaScript files from trusted sources and CDNs

Be careful before including JS files in your website. JavaScript is a very powerful tool and you must use it with the help of an expert.

  • Regularly monitor file integrity

Use the WP Hacked Help scanner to regularly monitor and scan files on the server, then continue to check if they have changed. Hackers tend to modify files on the server and add malware to the core files of your website.


Coinhive is just a service; it is not any malware but attackers exploit it excessively to infect the consumer site. To eliminate the use of CoinHive illegally, a new version has been released named “AuthedMine”. This is for the JavaScript library and business owners have to get the consent of the consumers before providing the CoinHive service. But as a matter of fact, this version is still prevailing in the marketplace and hackers are taking full advantage of it as they are inserting the malevolent code to the consumer website and infecting it. This is done with the purpose of generating income.

If you are having business over the online platform, then your website is like the face of your brand. So, make sure that it is secured properly from all the malevolent code so that it can continue smooth functioning.