How ISPs Hijack Video Sites to Run Hidden Crypto‑Mining Scripts
Recent reports show that some Chinese ISPs inject obfuscated cryptocurrency-mining JavaScript into popular video-streaming pages, using network hijacking to exploit browsers' CPU cycles without noticeable slowdown. Security tools such as 360 Security Guard now offer anti-mining protection.
Background
Users in several Chinese provinces reported that visiting major video platforms (Youku, iQiyi, Sohu Video, Tencent Video) sometimes triggered alerts from 360 Security Guard. The alerts were caused by malicious cryptocurrency‑mining code injected into the pages.
Cause
Investigation confirmed the mining code was not part of the video sites. It was inserted by a few network operators via ISP‑level traffic hijacking, modifying the JavaScript delivered to browsers and embedding a mining script that runs in the background.
Geographic Scope
The hijacking is concentrated in Liaoning province, with smaller occurrences elsewhere.
Technical Analysis
A case study of Youku shows that the original video-playback script, ykDanmuLoad.js, is replaced with a malicious main.js that loads the CoinHive mining library. The replacement adds a line that loads main.js after decoding.
De‑obfuscated main.js reveals key parameters:
sitekey: identifier for the mining account, different keys for Windows, Android, iPhone.
throttle: CPU usage limit (30%) to keep mining hidden.
autothreads: flag controlling automatic thread adjustment.
Two additional scripts, main1.js and main2.js, are encrypted copies of the official CoinHive library (coinhive.min.js).
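For triage of a script body captured from an affected page, the parameters listed above can be pulled out automatically. The following is an added example, not code from the article or from the injected scripts: the sample input and its site keys are constructed, and it assumes the script is already de-obfuscated except for \x and \u string escapes. CoinHive.Anonymous and CoinHive.User are the constructor names from CoinHive's public JavaScript API.

```javascript
// Added example: static triage of a delivered script for CoinHive miner setup.
// SAMPLE is constructed for illustration; it is not the main.js from the report.
const SAMPLE = String.raw`
var ua = navigator.userAgent;
var lib = "\x63\x6f\x69\x6e\x68\x69\x76\x65.min.js"; // escaped library name
var miner;
if (/Android/.test(ua)) {
  miner = new CoinHive.Anonymous("CONSTRUCTED_KEY_ANDROID", {throttle: 0.3, autoThreads: true});
} else {
  miner = new CoinHive.Anonymous('CONSTRUCTED_KEY_WINDOWS', {throttle: 0.3, autoThreads: true});
}
miner.start();
`;

// Undo \xHH and \uHHHH escapes so hidden strings become searchable.
function unescapeJs(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)));
}

// Return the miner configuration found in a script body, if any.
function scanScript(src) {
  const text = unescapeJs(src);
  // Matches new CoinHive.Anonymous("key", {...}) and CoinHive.User("key", "user", {...}).
  const ctor = /CoinHive\.(Anonymous|User)\s*\(\s*(['"])([^'"]+)\2([^)]*)\)/g;
  const miners = [];
  for (const m of text.matchAll(ctor)) {
    const throttle = /throttle\s*:\s*([0-9.]+)/i.exec(m[4]);
    const auto = /autoThreads\s*:\s*(true|false)/i.exec(m[4]);
    miners.push({
      kind: m[1],
      siteKey: m[3],
      throttle: throttle ? parseFloat(throttle[1]) : null,
      autoThreads: auto ? auto[1].toLowerCase() === 'true' : null,
    });
  }
  const library = /coinhive(\.min)?\.js/i.test(text);
  return { library, miners, suspicious: library || miners.length > 0 };
}

const report = scanScript(SAMPLE);
console.log(JSON.stringify(report, null, 2));
```

A script that has been encrypted as a whole, as main1.js and main2.js are described, has to be decoded before a text scan like this will see anything.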
Impact
The script consumes up to 30% of CPU cycles, which is generally unnoticed by users. Monitoring data shows a steady increase in hijacked pages, indicating expanding scope.
Mitigation
End users should use security software with real‑time anti‑mining protection (e.g., 360 Security Guard). Service providers should avoid inserting profit‑driven code and adopt HTTPS to prevent traffic manipulation.
Source: Cloud Tencent (Yun Toutiao)
ITPUB
