Cryptojacking and the Computer Fraud and Abuse Act

Posted By: Peter Brown

bitcoin2In recent weeks, tech news has been awash in stories about malignant code, usually found in online ads, called cryptojacking. The word describes script that hijacks the user’s CPU and uses it to mine for cryptocurrency. Victims find CPU load shooting up to almost 100% when visiting sites serving ads with cryptojacking code. Even worse, cryptojackers run even when the user never interacts with the ad—you can be a cryptojacking victim simply by visiting a website.

Cryptojacking perpetrators tend to target websites where users will linger for a long time because the user’s CPU time is the cryptojacker’s (crypto)money. Keep an eye on your CPU next time you visit a site like YouTube, connect to Starbucks’ wifi, or download an app for your phone. While the intrusive and unwelcome nature of cryptojacking is evident, the legal consequences are less clear. With the potential overheat machines, impair access to information, and cause economic harm to businesses, cryptojacking has emerged as yet another threatening form of malicious advertising that is difficult to combat through the legal system.

While individual users are frustrated to discover another unwelcome intrusion into their digital lives, businesses are concerned with the severe system-wide slowing cryptojacking could inflict, especially in industries where milliseconds count. Another issue is the electricity cost – one data protection firm estimated the cost of a single computer running a typical cryptojacker to be about $5 more per month (in the contiguous United States) compared to baseline use. Five dollars is unremarkable alone but becomes significant when multiplied across a large company. Considering most corporate computers are left running overnight and the increasing number of detected attempts, cryptojacking begins taking the shape of a legitimate threat.

With the novelty of both cryptocurrency and cryptojackers, exploiters and exploited confront somewhat unfamiliar legal territory. First, the lawyers have to figure out who to sue. The architecture underlying internet advertising is complex, fast-paced, and involves potentially hundreds of parties. Yet, at the front of the cryptojacking wave has been a single entity known as CoinHive: a service responsible for providing the Javascript responsible for many cryptojacking attacks. Anyone can take the code CoinHive provides, embed it in a website, and wait for the currency to roll in. CoinHive, for its part, takes 30% of the currency while the miner keeps the remaining 70%.

So what legal options do cryptojacking victims have?

One of the more promising avenues is the Computer Fraud and Abuse Act (CFAA). The CFAA protects both government and private computers from unauthorized access. The CFAA creates various causes of action depending upon the nature of the unauthorized access. Sections 1030(a)(2)(C) and 1030(g) would be the most likely provisions to levy against a cryptojacker. Those sections provide that “persons ‘who suffer[ ] damage or loss’ have a cause of action against a third party who ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.’” Essentially, victims bringing claims under these sections of the CFAA must prove that: (1) they suffered damage or loss and (2) that the damage or loss was due to a third party that obtained information from a computer without authorization..

Who to Bring CFAA Claims Against

Likely targets include: (1) the website serving ads containing cryptojacking (usually CoinHive’s) code, (2) the entity responsible for the advertisement containing the code (i.e. DoubleClick—which has been exploited to serve malware in the past), (3) CoinHive, and (4) the cryptojackers themselves. Let’s consider the possibilities one at a time.

If websites serving occasionally malicious ads could be found liable for those ads, the potential scope of liability would be huge. On the other hand, the potential for liability might encourage websites to select the advertisements they serve more carefully. However, given the level of automation website advertising involves, successful CFAA suits targeting websites serving malicious ads seems unlikely.

A company like DoubleClick may evade liability for the same policy-based reasons as the website serving the ads. One of the CFAA’s requirements is that the person obtaining unauthorized access do so intentionally. Both the website and the entity behind the advertisement have a good argument that if there was any unauthorized access, it was unintentional because the behind-the-scenes processing auctioning your browsing data to bidders is automatic.

This leaves CoinHive and the cryptojackers. There is a rather weak argument to be made that CoinHive has intentionally obtained unauthorized access to computers with their currency mining code because their website’s basic directions simply instructed miners to embed the code and start mining. Furthermore, the default settings were configured to enable full-power mining: the code uses all available computing power and spends no time idling. Given that CoinHive received 30% of the currency mined using its code, it’s not surprising they want to exploit as much computing power as possible. Whether this would qualify legally as intentional unauthorized access to a specific computer is less certain.

Last are the cryptojackers. These are the people who inserted code into ads knowing that the code would hijack a user’s CPU to mine cryptocurrency that gets sent to a specific cryptocurrency wallet. If anyone should be liable for unauthorized access of a computer, it should be the cryptojackers. Unfortunately for the victims, the nature of mining, blockchain, and cryptocurrencies make transactions difficult to trace. Even if cryptojackers are the most obvious targets for a CFAA suit, discovering their identities would be a challenge. As a result, more easily identifiable entities (such as the websites serving the ads) are reasonable targets because they simply found and less likely to judgement-proof due to lack of funds.

Having considered a few possible targets for CFAA claims, let’s turn to how the victim would prove their CFAA claims, namely that (1) they suffered damage or loss and (2) that the damage or loss was due to a third party with unauthorized access to and collection of information.

Damage or Loss

Section 1030(e)(11) defines loss fairly broadly: loss means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Damage, defined in § 1030(e)(8), means “any impairment to the integrity or availability of data, a program, a system, or information.”

Proving damage or loss in the case of cryptojacking would likely be easier than in other CFAA cases because cryptojacking can cause both physical and digital harm. First, poorly written cryptojacking code can overheat a user’s device, impair the availability of data, and require replacement of physical parts. Cryptojackers wouldn’t be the first to cause physical harm with code. Second, CPU power is a source of revenue. In the case of an individual victim, the cryptojacker has harmed the victim’s ability to use fully the hijacked computer, whether for business, cryptocurrency mining, or personal use. To corporations, CPU power is likely critical for operating much of their business – such as for performing calculations, accessing data, and coordinating work. At the very least, because cryptojackers often use all available CPU power, cryptojacking would inflict damage and loss by impairing the availability of a system. Finally, as noted above, a large-scale, long-term cryptojacking would measurably increase electricity (and cooling) costs.

Intentional Unauthorized Access

In the case of cryptojacking, the website, the entity responsible for the ads served, and the source of the cryptojacking code all likely exceeded authorized access to the victim’s computer. The website displaying the ad exceeded authorized access by displaying ads with malicious code. The entity responsible for the ads selected ads with malicious code for display on the website. However, the most logical claim would be against the source of the code. Code designed to convert a user’s CPU power into cryptocurrency sent to a third party likely exceeds authorization. Unfortunately for the exploited users, much of cryptocurrency’s purpose is to facilitate difficult-to-track transactions. Thus, tracking down the most logical target and the source of the malicious code may also be the most difficult option. As a result, CPAA suits may be focused on other more easily traceable targets, such as websites displaying ads containing cryptojackers.

Ultimately, cybersecurity firms disagree on whether cryptojacking is here to stay or is merely a fad riding the wave of cryptocurrency hype. Those predicting the long-term staying power of cryptojacking cite the growing number and value of various cryptocurrencies as well as the possibility of an alternative to advertising. Alternatively, others dismiss cryptojacking concerns because of the ease with which they can be blocked and the relatively small number of cryptojacking attacks compared to other malicious internet activity.

One positive facet of cryptojacking is the potential it has to alter or replace the increasingly intrusive advertising paradigm that plagues the internet. Instead hosting obnoxious auto-playing videos, websites could ask users to opt into (or out of) cryptocurrency mining operations. Opt-in systems would avoid the shock of unwelcome intrusion and help protect benevolent currency miners from CFAA claims—there is at least one courteous miner who asked users to opt into his mining operation. An added benefit of an opt-in system is that it lessens risk under the CFAA for legitimate mining operations. The CFAA requires access to be unauthorized—user-granted access to run mining code should qualify as authorization.

Ultimately, well-executed cryptojacking intrusions will either go unnoticed or, if noticed, unprosecuted due to the inherently difficult-to-trace nature of cryptocurrency. Of those attempts that are noticed, most will not run the target machine at full capacity for long enough to cause physical damage. This would make only large-scale, long-running cryptojackers worth bringing into court. Whatever the long-term prospects for cryptojacking as an unscrupulous mining method are, the exploding popularity of initial coin offerings and currency mining operations indicate that cryptocurrency and the accompanying legal issues are here to stay.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s