CoinHive Miner Continues Operating Even After Browser Is Closed

Cryptocurrency hunters have found a way to make their JavaScript miners keep running even after users leave the web page that contains them. According to Malwarebytes security researcher Jerome Segura, some crafty individuals have written special code that allows the Monero cryptocurrency miner (the already notorious CoinHive) to keep working even after the browser tab is closed or the user navigates to another site. Essentially, scammers have used an old, simple trick from advertisers’ playbooks—a hidden pop-up window.

Segura explains that when a user visits a site, a small, barely noticeable window opens and hides behind the Windows taskbar or system clock. The miner is launched not by the main web page, but by this background window. As a result, site owners (or hackers who have compromised the site) continue to use the victim’s computer resources even after they leave the site or close the browser entirely. “The trick is that the hidden window remains open even after the main browser window is closed,” the researcher noted.

The location of the window can vary depending on screen resolution, but it always hides behind other elements. The miner also tries to conceal its presence by limiting CPU usage, so the victim doesn’t notice a significant slowdown that might raise suspicion. Sites that include miners in embedded ad banners can skillfully bypass ad blockers.

How to Detect and Stop a Background Miner

It is still possible to detect a background miner. According to Segura, the process will appear in the Windows Task Manager as a browser process and can be easily terminated. Additionally, if the miner is still running after the browser window is closed, its icon will remain active on the taskbar.