You have six tabs open. Your laptop fan spins up. The keyboard feels warm. Your battery drains in two hours instead of six.
You check Task Manager. Something is using 80% of your CPU. But you are just reading articles. You did not download anything. You did not install anything.
You close the browser. The CPU drops. Problem solved. A glitch, maybe.
Not a glitch. You were mining cryptocurrency for a stranger.
The silent cryptominer is back. But it is not hiding in downloads anymore. It is hiding in WebAssembly. Running right inside your browser tab.
No installation.
No antivirus alert.
No warning.
Let me show you how it works and how to protect yourself.
What Is WebAssembly? (The Short Version)
WebAssembly (WASM) is a technology that lets websites run high-performance code in your browser. Think of it as a bridge between compiled languages (C, C++, Rust) and the web.
What WebAssembly was designed for:
1. Video editing in the browser
2. 3D games without plugins
3. CAD tools on web pages
4. Real-time data visualization
What WebAssembly is not: It is not JavaScript. It is faster. It is lower-level. And it has access to your CPU in ways JavaScript does not.
This speed and power make WebAssembly attractive to legitimate developers. It also makes it attractive to attackers.
The Return of Browser Cryptojacking
You may remember Coinhive. In 2017 and 2018, websites embedded JavaScript miners that used your CPU to mine Monero cryptocurrency. The idea was simple: website owners could earn revenue instead of showing ads.
Coinhive shut down in 2019. Browser mining seemed to die with it.
But attackers learned a lesson: JavaScript mining was too slow and too detectable. WebAssembly is faster. Harder to detect. And runs on every modern browser.
The new generation of cryptominers:
| Feature | JavaScript Miner (2018) | WebAssembly Miner (Now) |
| --- | --- | --- |
| Speed | Slow | Near-native |
| Detection | Easy (network calls visible) | Harder (compiled binary) |
| CPU usage | Noticeable | Extreme (85-100%) |
| Persistence | Tab open only | Service Worker can survive tab close |
| Obfuscation | Limited | Full binary obfuscation |
Attackers have rebuilt cryptominers from scratch using WebAssembly. They are faster. They are stealthier. And they are spreading.
How a WebAssembly Cryptominer Works
At its core, the attack breaks down into a few simple steps.
Step 1: Access a hacked web page.
There are four common ways you could have arrived at an infected web page:
1. Accessing a legitimate website (hint: it could have been hacked)
2. Accessing a malicious website that pretends to be a free application or movie streaming service (these sites will usually have shady ads)
3. Accessing a third-party ad network that is serving malicious code from a compromised site
4. Accessing a compromised WordPress plug-in
In each case, you didn't do anything wrong. Simply clicking on the link you wanted was enough to get infected!
Step 2: The server delivers the WebAssembly code via a JavaScript file.
The page may look perfectly normal, but when the browser loads it, a small JavaScript file is loaded first. That JavaScript file then loads the required .wasm binary file (the file that contains the compiled cryptominer).
These files are small, often 50 KB or less, which is why you won't notice them being downloaded!
Step 3: CPU Activation of the Miner
At this point, the WebAssembly code starts to run and performs calculations using the algorithm that Monero uses to generate hashes. It keeps iterating for as long as your browser allows it, which means a large increase in CPU usage.
The miner runs inside a Web Worker, which means it runs in the background and does its work without any visible change in your browser. All you will notice is that your computer is getting warmer.
Step 4: The Completion of a Hash and Reporting to the Attacker
Every time the miner completes a hashing calculation, it makes a small network request to report the result to the mining pool. The attacker receives credit for the work completed on their behalf, and you are left with a slow laptop because the miner keeps using your CPU.
Step 5: The miner persists (advanced variant)
Some attackers register a Service Worker. This background script can restart the miner even after you close the original tab. It runs in the background. You close your browser. The miner keeps running.
Real-World WebAssembly Cryptominers in the Wild
These are not theoretical attacks. They are happening now.
Case 1: The Pirated Streaming Sites
Researchers found WebAssembly miners on multiple free movie streaming sites. When a user clicked "Play," the site loaded a WASM miner disguised as a video codec. The miner ran while the video played. Users assumed the CPU spike was video decoding. It was not.
Case 2: Fake Browser Update
One of the more common ways that people get infected with malware is via malvertising (malicious advertising). A malvertising campaign showed a message saying "your browser is out of date". Clicking the update button did not download anything at all. Instead, it loaded a miner that ran in the background while the page displayed a fake download progress bar. The user was left waiting for an update that would never come, while the miner was in fact running the whole time.
Case 3: WordPress Compromise
Countless websites using WordPress are compromised because the owners don't keep the plugins updated. In this case, the attackers were easily able to inject a small piece of JavaScript code that caused the mining script to run on every page of the site. The site owners had no idea anything was happening, but their website visitors were complaining about how slow the site was. It took weeks for anyone to notice what was going on.
How to Detect a WebAssembly Cryptominer
Unlike traditional malware, WebAssembly miners leave few traces. But there are indicators.
Browser-Level Indicators
1. High CPU usage on simple pages
You are reading a text article. Your CPU is at 50% or higher. Something is wrong.
2. Fan noise and battery drain
Your laptop fan spins up. Your battery drains faster than usual. On pages that should be lightweight.
3. Task Manager inspection
In Chrome: Press Shift+Esc to open Chrome's Task Manager. Look for tabs using high CPU. A legitimate website will not continuously use 100% CPU.
4. Inspecting your browser's network tab
Open Developer Tools (F12) and look through the Network tab for recurring requests to suspicious domains whose names include keywords such as mine, pool, coin, or hash, or to numeric IP addresses.
5. Inspecting your browser's performance tab
Record a performance profile in Developer Tools and analyze it for repeated WebAssembly function execution. Legitimate use of WASM will usually show up as a short burst of activity, while a mining program will execute continuously in loops.
System-Level Indicators
1. Persistent CPU after closing the browser
If your CPU usage is still high after closing all open browser tabs, check whether there are any hidden browser processes or service workers still running.
2. Unexpected outbound connections
Use a network monitoring application such as Wireshark or GlassWire to see whether your browser is connecting to mining pool domains or IPs on ports 8080, 8443, or 3333.
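The network indicators above (keywords in host names, numeric IP addresses, ports 8080, 8443 and 3333, and recurring requests) can be checked against a HAR file exported from the Developer Tools Network tab. This is an added example, not code from the original article; the function names, the three-request threshold and the sample entries are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

KEYWORDS = ("mine", "pool", "coin", "hash")   # keywords named in the text
POOL_PORTS = {8080, 8443, 3333}               # ports named in the text


def host_reasons(url):
    """Return (host, indicators from the text that this request URL matches)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = [f"keyword:{k}" for k in KEYWORDS if k in host]
    try:
        ipaddress.ip_address(host)
        reasons.append("numeric-ip")
    except ValueError:
        pass                                  # an ordinary DNS name
    if parts.port in POOL_PORTS:
        reasons.append(f"port:{parts.port}")
    return host, reasons


def flag_recurring(har, min_requests=3):
    """Map host -> reasons for hosts that match an indicator AND are contacted repeatedly.

    Substring matches are a triage signal, not a verdict; requiring repetition
    (an assumed threshold) filters out one-off hits on harmless names.
    """
    counts, reasons = Counter(), {}
    for entry in har["log"]["entries"]:
        host, why = host_reasons(entry["request"]["url"])
        counts[host] += 1
        reasons.setdefault(host, set()).update(why)
    return {h: sorted(r) for h, r in reasons.items() if r and counts[h] >= min_requests}


def _har(urls):
    return {"log": {"entries": [{"request": {"url": u}} for u in urls]}}


# Constructed sample in the shape of a HAR export (only the fields used here).
SAMPLE_HAR = _har(
    ["https://news.example.com/article.html", "https://cointicker.example.net/price"]
    + ["https://pool.example.invalid:3333/submit"] * 4
    + ["http://203.0.113.7:8080/result"] * 3
)

if __name__ == "__main__":
    print(flag_recurring(SAMPLE_HAR))
```

The single request to the constructed cointicker host matches a keyword but is not flagged, because it does not recur.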
How to Stop WebAssembly Miners (Protection Guide)
You do not need special software. Your browser already has the tools.
Immediate Actions (Right Now)
1. Close suspicious tabs immediately
If a tab is using excessive CPU, close it. Do not just navigate away. Kill the tab.
2. Remove All Service Workers
Service Workers can keep a miner alive indefinitely after you've closed the tab.
To manage your Service Workers in Chrome: Navigate to chrome://serviceworker-internals/ and then click "Unregister" for all of the Service Workers already registered.
To do the same in Firefox: Go to Settings, then Privacy and Security, select the Cookies and Site Data section and click the Clear Data button.
3. Completely Restart Your Browser
Simply closing your tabs will not work; you need to exit the browser and end any of its remaining background processes as well.
4. Check your extensions
Some malicious browser extensions contain WebAssembly miners. Remove unfamiliar extensions.
Ways to Protect Your Web Browser
1. Disable WebAssembly (Advanced users).
You can do this in Chrome by launching it from the command line with the V8 flag chrome --js-flags="--noexpose_wasm", or you can use an extension called No WASM to control WebAssembly on untrusted sites.
2. Use an extension that blocks cryptomining.
There are several options available:
1. NoCoin - A free extension that blocks access to cryptomining domains.
2. uBlock Origin - Contains blocklists that block access to known mining sites (just enable the "EasyList" and "Resource Abuse" options).
3. MinerBlock - Specifically targeted at blocking access to known mining domains.
3. Enable Enhanced Tracking Protection in Firefox (this blocks known mining domains).
When set to "Strict", Firefox's Enhanced Tracking Protection blocks known cryptominers that are loaded as third-party content.
4. Use a content filtering DNS service.
There are many Content Filtering DNS Services available that can prevent your PC from connecting to known miner domains. The three most popular are Control D, NextDNS and AdGuard DNS.
5. Keep your browser updated
Browser vendors add miner-blocking heuristics over time. Updates matter.
The In-Depth Look: Evaluation of a WebAssembly Miner
For security professionals and experienced users, here is how to evaluate a suspicious WASM file during an incident:
Step 1: Find the .wasm file.
Open Developer Tools → Network, refresh the web page, and find any files with the .wasm file extension. These are the WebAssembly binaries.
Step 2: Save the binary.
Right-click the .wasm file and save a local copy to your hard drive. Do NOT execute anything. Save only!
Step 3: Convert WASM to text.
Use wasm2wat (the WebAssembly text converter) from the WebAssembly Binary Toolkit:
wasm2wat suspicious.wasm -o suspicious.wat
The resulting .wat file is a (mostly) human-readable text version of the binary.
Step 4: Search for indicators of mining.
Look for the following in the .wat file:
1. Cryptographic functions: keccak, sha3, cryptonight, RandomX
2. Memory manipulation patterns: continuous loops, large memory sizes
3. Exported functions: mine, hash, solve
Step 5: Extract potential network locations.
Use the "strings" command on the .wasm file to find potential network endpoints embedded in the binary:
strings suspicious.wasm | grep -E '(https?|wss?)://|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
Step 6: Compare against threat intelligence.
Submit the hash of the .wasm file to VirusTotal. Many WebAssembly miners are now detected. Look for "Cryptominer" or "CoinMiner" in detection names.
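Steps 4 to 6 can be partly automated without running the binary. The following added example (not part of the original article; the function names and the constructed sample bytes are assumptions) reads the export section straight from the .wasm file, searches the raw bytes for the indicator names listed in Step 4, extracts URL and IP strings as in Step 5, and computes the SHA-256 to look up in Step 6.

```python
import hashlib
import re

# Indicator names from Step 4; matching is a case-insensitive substring test.
INDICATORS = ("keccak", "sha3", "cryptonight", "randomx", "mine", "hash", "solve")
ENDPOINT_RE = re.compile(rb"(?:https?|wss?)://[\w.\-:/]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def read_leb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def export_names(wasm):
    """Return the names listed in the export section (section id 7)."""
    if wasm[:4] != b"\0asm":
        raise ValueError("not a WebAssembly binary")
    pos, names = 8, []                      # skip magic and version
    while pos < len(wasm):
        section_id = wasm[pos]
        size, pos = read_leb128(wasm, pos + 1)
        if section_id == 7:
            count, p = read_leb128(wasm, pos)
            for _ in range(count):
                n, p = read_leb128(wasm, p)
                names.append(wasm[p:p + n].decode("utf-8", "replace"))
                _, p = read_leb128(wasm, p + n + 1)  # skip kind byte, then index
        pos += size
    return names

def triage(wasm):
    """Static triage of raw bytes; nothing in the binary is executed."""
    lowered = wasm.lower()
    return {
        "sha256": hashlib.sha256(wasm).hexdigest(),  # value to look up in Step 6
        "exports": export_names(wasm),
        "indicator_hits": sorted(k for k in INDICATORS if k.encode() in lowered),
        "endpoints": sorted({m.decode() for m in ENDPOINT_RE.findall(wasm)}),
    }

# Constructed sample (not a real miner): header, export section, custom section.
_EXPORTS = bytes([1, 16]) + b"cryptonight_hash" + b"\0\0"
_NOTE = b"\x04note" + b"wss://pool.example.invalid:3333"
SAMPLE = b"\0asm\x01\0\0\0" + bytes([7, len(_EXPORTS)]) + _EXPORTS + bytes([0, len(_NOTE)]) + _NOTE
if __name__ == "__main__": print(triage(SAMPLE))
```

For a saved file, pass its bytes: triage(open("suspicious.wasm", "rb").read()). Short indicator names such as "hash" or "mine" also appear in harmless modules, so treat hits as leads to confirm in the .wat output.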
Why Traditional Security Misses WebAssembly Miners
Your antivirus does not alert you. Your firewall does not block it. Here is why.
1. No file download: The miner never touches your hard drive. It loads directly into browser memory.
2. Signed by legitimate browsers: The code runs inside Chrome, Firefox, Edge. These are trusted applications. Security software trusts browser processes.
3. Polymorphic Obfuscation: The attackers recompile the miner with new names and structures every few hours, so signature-based detection cannot recognize it.
4. Legitimate Domain: The miners are frequently loaded from real but compromised domains, so blocking the domain would also block the legitimate functionality of the website.
5. Small Network Footprint: The traffic from the miners going to the mining pool is similar to standard HTTPS traffic. Ports 443 and 8080 look like regular web traffic on a normal internet connection.
The Future: WebAssembly Malware Beyond Miners
Cryptominers are just the beginning. Attackers are exploring more dangerous WebAssembly capabilities.
Emerging WebAssembly attack vectors:
1. Credential thieves: WebAssembly (WASM) programs that access forms without being detected by JavaScript
2. Browser attacks: Memory-corruption vulnerabilities in WebAssembly environments
3. Network scanners: WebAssembly (WASM) code that scans the local area network (LAN) from the browser (reaching outside the box it is supposed to stay in)
4. Ransomware within the browser: Encrypting IndexedDB databases and local storage
5. Phishing evasion: Login forms implemented entirely in WASM, bypassing password manager detection
Researchers have already demonstrated proof-of-concept WebAssembly keyloggers and network scanners. It is only a matter of time before these appear in the wild.
Your Browser Is the New Malware Delivery Platform
Ten years ago, malware came as email attachments. Five years ago, it came as drive-by downloads. Today, it loads in your browser tab. No downloads. No installations. No alerts.
The WebAssembly cryptominer is the canary in the coal mine. It is annoying but not destructive. The next WebAssembly malware will not just use your CPU. It will steal your passwords. Encrypt your local storage. Scan your internal network.
What you should do today:
1. Install a miner-blocking extension (uBlock Origin with miner lists enabled)
2. Learn to check your browser's Task Manager
3. Close tabs that spike your CPU for no reason
4. Keep your browser updated
5. Consider disabling WebAssembly on sensitive or untrusted sites
The browser was never designed to run compiled binaries. But now it does. And attackers have noticed.
Your laptop fan is spinning. Is that YouTube? Or are you mining cryptocurrency for someone in a different country?
Check your tabs. Check your CPU. And close anything that feels wrong.
FAQ Section
1. Is there a way for a website to secretly use my device to mine cryptocurrency without my knowledge?
Yes! When you view a web page, the browser can run JavaScript and WebAssembly code on your machine, and that code can use your CPU to mine cryptocurrency. As long as the tab is open, the miner will be active. Some more sophisticated miners use Service Workers to keep operating after you've closed the tab.
2. What are ways I can tell if a website is mining cryptocurrency in my browser?
One indicator that your device may be mining is higher than expected CPU usage on a page that should not consume that much CPU. Use your browser's task manager (Shift + Esc in Chrome) to look for tabs consuming over 50% of your CPU for a long period of time, and watch how quickly your battery drains and whether the fan is unusually loud while those tabs are open.
3. Are the dangers of malware based on WebAssembly simply annoyance, or could they potentially pose significant threats?
At present, the primary issue with WebAssembly mining is nuisance: it degrades performance, drains battery power, and so on. However, researchers have also demonstrated other forms of malware using WebAssembly, including keyloggers, network scanners, and multiple types of memory corruption exploits. The potential for significantly more harmful WebAssembly-based malware therefore exists.
4. Is there an anti-virus solution that can find WebAssembly-based mining programs?
Typically, when you download an executable file and run it on your local system, an anti-virus solution will see it. With WebAssembly-based mining software there is no downloaded executable file, because it operates solely within the memory space allocated to your web browser. However, some EDR solutions and some web filtering solutions can now detect mining-related activity or block known mining domains.
5. What is the best method to block all WebAssembly-based mining programs permanently?
To effectively block WebAssembly-based miners, install uBlock Origin (with the "Resource Abuse" list active) and then use a content-filtering DNS service such as NextDNS, Control D or AdGuard DNS to block all known mining domains. Advanced users may also wish to consider disabling WebAssembly altogether through browser policy settings or by using a browser extension (such as "No WASM").