42 comments

[ 2.9 ms ] story [ 94.9 ms ] thread
I highly doubt this. He cites 40MB of downloads plus high CPU usage. Mining bitcoin won't need 40MB of download. Plus it has an ROI of 0. Even with free adspace this would not be worthwhile. More likely is someone just fucked up their ad.
The ROI is likely nonzero for some coins out there. Bitcoin's difficulty would be too high to make much money even if the ad were served to a very large number of computers. But other non-SHA coins (CryptoNight-based PoW, e.g.) or low-difficulty coins might be worthwhile.

> Mining bitcoin won't need 40MB of download.

Are you sure? I would think something like cgminer compiled to wasm/asm.js could be a 40MB payload.

For more context, OP states:

> "checked sources and discovered it was a Bitcoin add in iframe, looked at JS it used"

> "It was also an ad for a btc exchange/wallet thing, so maybe the mining was just to recoup some cost?"

The nebulous "sources" referred to might be something credible. I imagine bitcointalk.org may have a thread on malicious ads like this.

> The ROI is likely nonzero for some coins out there.

If it's more profitable to mine $ARBITRARY_ALT_COIN than Bitcoin, then people would mine $ARBITRARY_ALT_COIN until the profitability equalized.

> Are you sure? I would think something like cgminer compiled to wasm/asm.js could be a 40MB payload.

There's no need for that: https://github.com/jwhitehorn/jsMiner

> If it's more profitable to mine $ARBITRARY_ALT_COIN than Bitcoin, then people would mine $ARBITRARY_ALT_COIN until the profitability equalized.

That's a reasonable theory but I don't think it holds. Given that (1) $ARBITRARY_ALT_COIN aren't typically well-known, (2) setting up mining may require different hardware/software to enable computing this PoW, that pool, etc, (3) coins and pools have interesting reward & difficulty adjustment algorithms, some better designed to deter coin-hopping. On some coarse-enough scale the general claim of equalization is reasonable -- the differences will be minimized over time. But I have seen times when you could make 5-10% more by mining $ARBITRARY_ALT_COIN (and perhaps taking the altcoin to exchange for bitcoin).

> There's no need for that: https://github.com/jwhitehorn/jsMiner

shrug, seems like we're on a tangent. This thread was speculating about whether the claim of an ad-served-miner exists. The fact that a small JS miner exists for one PoW doesn't seem to rule out the original claim, nor does it rule out the possibility that a wasm/asm.js cgminer might exist.

> But I have seen times when you could make 5-10% more by mining $ARBITRARY_ALT_COIN (and perhaps taking the altcoin to exchange for bitcoin).

Right - maybe you could even make 100% more with an alt, for a limited period. My point is that you'd need to be able to make 20000x as much as you could make with Bitcoin before you reach parity with using traditional ads.

> shrug, seems like we're on a tangent. This thread was speculating about whether the claim of an ad-served-miner exists. The fact that a small JS miner exists for one PoW doesn't seem to rule out the original claim, nor does it rule out the possibility that a wasm/asm.js cgminer might exist.

Gotchya. I was just trying to show that giving access to computing resources instead of viewing ads is not currently anywhere close viable.

> If it's more profitable to mine $ARBITRARY_ALT_COIN than Bitcoin, then people would mine $ARBITRARY_ALT_COIN until the profitability equalized.

Thats.... what people do.

Market inefficiencies come up predictably because coins have different block reward and emission schedules. They have different algorithms which give advantages to different processors. The market efficiency time sometimes requires a completely new fabrication line created in china, this gives significant times till mining arbitrage goes away.

Similarly, multipool miners have software which automatically switches to different blockchain networks when the yield is favorable.

It is a mistake to think there is no opportunity just because someone told you there are always smarter more observant people profiting off the opportunity.

> It is a mistake to think there is no opportunity just because someone told you there are always smarter more observant people profiting off the opportunity.

I agree - I'm not denying that there are ever opportunities for arbitrage, I'm merely asserting that there isn't going to be an alt out that there is "significantly" more profitable to mine than Bitcoin itself.

Okay

I would still disagree, my first thought was defining significantly. When 300% more profitable are the typical differences in yield, how is that insignificant? So then I decided the logical rebuttal would be "over time", where the assertion would be that it isn't significantly more profitable over time.

The rebuttal to that is that baskets of alt coins outperform bitcoin significantly, again by at least 300% barring the worst luck.

And even in a bad year for alts, it is possible to find a difficulty algorithm that you can game giving you an advantage that nobody else notices.

Well given that mining bitcoin in a browser isn't even remotely profitable, someone crazy enough to do it anyway would also be crazy enough to not give a fuck about their code's efficiency and download 40MB's worth of data.
Mining on GPU's is generally not profitable, but if you don't pay for the GPU or electricity then numbers look different. Especially if you get some people that keep active tabs open for days.

Really the ROI is vs a 40MB download and a few days of R&D.

Depends on how much each ad cost them. The main reason that ASICs are the only profitable way to mine is because of electricity costs and by running this ad they're shunting that cost onto the user of the site. In place of that is the cost to serve an ad which can be really cheap. I could see the math working out buying a lot of really long tail terms super cheap.
CPU mining is not profitable even for free. Assume they get 5 minutes of computation per ad at 100H/s. They need billions of ads a day just to get 1GH/s, which is around 48 cents a year.
I only somewhat doubt this. Someone was thinking "1e-8 bitcoins per pageload, times 100000 people per day, ...". If they sort out how to leverage the GPU via javascript then they might make a little profit.
I don't think it's even that high. It looks like most GPUs are well under 1GH/s. If we assume 1GH/s, then at the current difficulty and exchange rate, if a page load gives you one minute of computation on average (wild guess, but seems reasonable), you're looking at about $5e-7 dollars per pageload. That's 5 cents/day if you get 100,000 people per day.

But this isn't exactly an argument that it can't be happening. They might have failed to understand just how futile it would be.

They don't need any ROI from the mining though, they're paying for the ads to their exchange. They only need the ROI on the visitors to their website.

The mining is just an added bonus.

It has an infinite ROI if you are using other people's processing and electricity.
if the code hurts performance to such a degree that it is uncovered and uninstalled, then no
To say and defend that you would have to either not know how ROI works, or how mining pools work, or both....

I guess I'll help:

The costs in this case would be the time and cost of programming and bundling the ad, as well as the ad spend of getting the ad shown. The earnings would be in cryptocurrency. Any non-zero amount of cryptocurrency earned would mean you have a return .... on investment, and any cryptocurrency amount now or in the future that is valued at more than your costs means you have an ROI greater than zero.

Mining pools count shares of work toward the pool itself finding a block, based on processing power contributed to a pool. So it doesn't matter if users uncovered and uninstalled your mining-ware after 5 minutes in the most technical savvy outlier case, the shares of their processing power was already submitted to the pool and that account got paid.

So wouldn't it be hard or almost impossible to say they have an ROI of zero? They are probably making a good amount of money.

At some point people are going to have to admit that granting execute access to remote agents in order to read content is insanely insecure.
Surely you mean "granting native execute access"? JavaScript executes in a browser. Sure, it's sandboxed, but it's still executed.
I think that's kind of the whole problem GP is alluding to
Nope. I don't want some random code from the Internet tying up resources on my computer. Even if it doesn't have access to much of my data. That's the whole problem with the bitcoin mining - sure it's sandboxed but it's still bad.
only the code tells the truth.
And yet, we don't get upset when burns our CPU cycles with JS just to compose that gotta-have one-page-app on our devices.

The major difference is that the bitcoin ad might actually be profitable at some point.

There's not much to discuss here. It's an unsubstantiated claim that seemed to be backed up by the claim of "I looked at the code." Forget these guys claim for a moment; the more interesting discussion is the concept of trading mining resources for service. If it's an ad, it's malware, but if it was opted into by the user, it could be a new type of payment model.
Trading compute resources for a service is a much better proposition than trading my personal data or behavior for a service. This is interesting.
If average CPM is $3, that's $0.003 per individual impression. A quick back-of-a-napkin calculation shows that at current Bitcoin price (~$4,600), you would have to mine for about 100 hours at 1 GH/s to match that.

In reality, jsMiner is the only JavaScript Bitcoin mining utility of which I'm aware, and it only uses CPU. A modern machine's CPU is only going to yield a hashrate of 5 MH/s or so, which means you'd have to mine for them for 20,000 hours to equal the revenue generated by your eyes being exposed to a traditional ad.

In short, your PC is too slow by several orders of magnitude to make this a viable replacement for traditional ads.

> but if it was opted into by the user, it could be a new type of payment model

Something like https://www.nicehash.com/ but delivered in a manner that they layman can agree to by just clicking "go ahead"?

Or, as is far more likely because people tend to do first and ask later, in small print at the bottom of the page "by opening this page you agree to let us use your CPU and GPU resources for what-ever we want, if you want us to stop using your CPU and GPU resources you can opt out by closing this tab/window"...

I met a guy once who made a browser add on that had legitimate functionality that people wanted, but behind the scenes he secretly read all incoming html and searched for Google Adsense links and replaced the number that identifies the source site with the number for his own site that had Adsense on it. So, whenever anyone with his add-on clicked any ad on any website with Adsense he would get credit for it and earn the money from it. They were all legitimate clicks so it was essentially impossible for Google to detect. He was getting several thousand a month in income from this. Haven't spoken to him in a while so I'm not sure if it still works of if people even still use his add-on. My guess is that either his add-on became unpopular over time or some changes Google made killed his nefarious plan.

I keep telling my other friend it would be really great if we could get a botnet going to mine Ethereum via GPU since ASIC mining isn't a thing in Ethereum because of it's resistance to it. Although, if they ever roll out the proof of stake concept then all mining seems to just evaporate then. Of course I don't plan on risking felony charges to mine Ethereum, but it is fun to think about.

If I was Google I would just remember I served add for website for account x but the number on the click was for account y. Real easy to detect.
I don't know enough to say with certainty, but I don't think it's that simple. The way I understand it, the script that loads Adsense does/did so at the end-user level when their PC loads the HTML and executes the script in their browser.

For what you are saying, I think it would be necessary for the original request to come from the site owner to pass through to the end-user, which I don't believe is the case. If that were the case, ad-blockers would have a much harder time determining the source of the content.

I'm surprised this sort of thing hasn't happened more commonly. I suggested it, as I'm sure did others, some year ago.

While I doubt mining bitcoin is going to be worth the hassle currently, other currencies might be, other tasks might be (generating rainbow tables for hash attacks?), and if it is bitcoin maybe that algorithm was just picked as a test for the delivery mechanism.

As JS JiT compilers get better and other tech that might help number-crunching becomes commonly available (webassembly? does webGL allow useful access to GPU processing power?) this sort of thing might become common too.

For people doubting the idea for ROI reasons: if the time to code the mechanism isn't time you would have otherwise paid for, and the delivery network isn't one you run but one you've managed to secret your code into by surreptitious means, then the investment is practically zero and any return is a profit. Heck, for some he intellectual challenge and/or willy-waving potential might be profit enough!

Of course, without seeing the code in question I would say it is far more likely that this is just a really badly coded animated advert or advert cycling code, chewing CPU with unneeded DOM changes & redraws and eating 40Mb of bandwidth constantly reloading content for animation frames that could be cached in a better design. The link to crypto-currencies just because the user had a bitcoin related advert on-screen at the time is, while possible, quite a distant conclusion to jump to IMO.

It does happen commonly.

There was an entire mining botnet operating for weeks using the same CIA exploit that the Wannacry attackers used. It made a lot more than Wannacry did.

Wannacry's ameteurish and public ways led to patches that both exposed the existence of and killed the botnet.

No source posted so until that happens, this didn't happen.
I suspect "Bitcoin" here is a synecdoche for "cryptocurrency" in general. (in the manner of intrusion detection software flagging a Monero miner as a "Bitcoin miner".) Plenty you can still mine on a CPU/GPU ... particularly if it's not your electricity.
> I suspect "Bitcoin" here is a synecdoche for "cryptocurrency" in general.

An advantage for all of us that actually get this market. Perpetuated market inefficiencies due to ignorance

This actually might be a brilliant (and by "brilliant" I mean "absolutely abominable") way to monetize a website without "ads" per se. Just use visitors' broswers to mine some altcoin while they're reading your article or what have you. The more visitors you get, the more money you get.