UFC Website Found Secretly Using Visitors’ CPUs to Mine Monero

Earlier this year, popular torrent index website The Pirate Bay ran a one-day Monero mining script trial to see if it would be a viable alternative to running ads. The script, provided by Coinhive, takes advantage of users’ CPUs to mine the cryptocurrency, and was seemingly so effective that The Pirate Bay ran it again later on.

The website’s move led to a Monero mining craze, with mining code even being placed in Google Chrome extensions in an attempt to make as much as possible. Even CBS-owned Showtime websites – Showtime.com and Showtimeanytime.com – ran Coinhive’s JavaScript at one point before quickly removing it.

The latest website found to have been running the Monero-mining code was that of a subscription streaming service, Fight Pass, belonging to mixed martial-arts powerhouse Ultimate Fighting Championship (UFC). The code was found by various users, who quickly took to social media to report their findings.

Users quickly started contacting the company to show they didn’t agree with the move, both because they weren’t asked for consent and because they already pay to access the streaming service’s content. After discovering the mining code with the help of their antivirus, redditor gambledub stated:

“It’s not harmful AFAIK, but doing this on a service we’re paying for is fucked up IMO. I researched Coin Hive, mentioned by my antivirus, and found the JavaScript on their website, and sure enough it’s running on Fight Pass.”

After users reached out to UFC to learn more about the situation, they were told that the company “takes these matters very seriously, and will review this.” Later on, a UFC spokesperson released a statement claiming that Coinhive’s JavaScript wasn’t found on Fight Pass after the company reviewed its code. The statement reads:

“Immediately upon learning of the reported issue, Neulion, UFC’s over-the-top digital service provider, reviewed the UFC.TV/FIGHTPASS site code and did not find any reference to the mentioned Coinhive java script.”

Yet, as some pointed out, various screenshots of the code were taken, making it clear the code was indeed there, although only for a limited amount of time. Most users believe UFC’s website was hacked, as the business rakes in large amounts from subscription fees and pay-per-view events, and would be unlikely to bother its users by using their CPUs to mine Monero without asking for their permission.

According to CoinDesk, Coinhive revealed that none of the screenshots included the site key, and as such it couldn’t reveal how much had been mined. Moreover, it didn’t notice any new top user on its internal site-wide dashboard, suggesting the code was either quickly removed or didn’t affect a lot of users.

Coinhive added that it has a strict policy on using the service on hacked websites, and that it terminates accounts that violate its terms of service as soon as it is notified. The company recently stopped developing its original JavaScript code to focus on new mining code that asks for users’ permission before using their CPUs.