Stop dilly-dallying. Block all ads on YouTube

Cryptominers hijack Google’s DoubleClick ad system.

Graham Cluley

As Ars Technica reports, YouTube has been spotted pushing ads onto users.

That, in itself, isn’t newsworthy of course. But these ads are surreptitiously stealing resources from visiting computers to mine for cryptocurrencies:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor’s CPU, leaving just barely enough resources for it to function.
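The behaviour described in the quoted report can be turned into a simple triage check for scripts delivered by an ad. This is an added example, not code from the article, Ars Technica or Trend Micro; the function names, the sample snippets and the WebAssembly-plus-worker heuristic for private miners are assumptions made for illustration.

```javascript
// Heuristic triage of a script pulled in by an ad creative (added example).
// Markers are Coinhive's public JavaScript API names and library file name.
const MINER_MARKERS = [
  /\bCoinHive\.(Anonymous|User)\s*\(/, // Coinhive miner constructors
  /coinhive(\.min)?\.js/i,             // Coinhive library file name
];

// Simplified site comparison: last two host labels only (assumption, no public suffix list).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Coinhive's `throttle` option is the fraction of time the miner stays idle,
// so the intended CPU share is 1 - throttle. Returns null if no throttle is set.
function cpuShare(source) {
  const m = /throttle\s*:\s*(0?\.\d+|[01])\b/.exec(source);
  return m ? Math.round((1 - parseFloat(m[1])) * 100) : null;
}

function triageScript(pageUrl, scriptUrl, source) {
  const thirdParty = siteOf(pageUrl) !== siteOf(scriptUrl);
  const reasons = [];
  if (MINER_MARKERS.some((re) => re.test(scriptUrl) || re.test(source))) {
    reasons.push('miner library marker');
  }
  // Assumed heuristic for private miners: WebAssembly hashing run in worker threads.
  if (/WebAssembly\./.test(source) && /new\s+Worker\s*\(/.test(source)) {
    reasons.push('WebAssembly in workers');
  }
  const block = reasons.length > 0;
  const cpu = cpuShare(source);
  // CPU share is reported as supporting detail only, never as the sole trigger.
  if (block && cpu !== null) reasons.push(`targets ~${cpu}% CPU`);
  return { block, thirdParty, reasons };
}

// Constructed samples: a Coinhive-style ad snippet, a private-miner-style snippet,
// and an ordinary page script. None are taken from the real campaign.
const adSnippet = "var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2}); m.start();";
const privateSnippet = "const w = new Worker(u); WebAssembly.instantiate(buf); run({throttle: 0.2});";
const benign = "document.querySelectorAll('a').forEach(a => a.rel = 'noopener');";

console.log(triageScript('https://video.example/watch', 'https://ads.example/c.js', adSnippet));
```

A throttle of 0.2 corresponds to the 80 percent CPU figure in the report.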

You should run an ad blocker when you surf the web.

Not just because ads are invariably ugly and ruin the user experience. Not just because you don’t want ads tracking your online behaviour. Not just because ads slow down your online experience and gobble up your bandwidth. Not just because ads can infect your computer with malware, or be secretly sapping your computer resources by mining for cryptocurrencies in the background.

But because even Google, one of the world’s largest advertising companies (with its own considerable security prowess), seems to be incapable of guaranteeing a stream of safe ads. What hope for the other advertising networks if Google can’t get it right?

In a statement, Google said it took action against the offending ads when it became aware of them:

“Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”

To which I say, too little too late. Why does Google DoubleClick allow ads to contain JavaScript in the first place?

It’s a shame, of course, for those websites which depend on advertising as a revenue stream. But we have to face facts. Ads can’t be trusted. Run an ad blocker.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Stop dilly-dallying. Block all ads on YouTube”

  1. Dave

    Do you have a recommended ad blocker? Can I trust the ad blocker? Why?

    1. tito salah · in reply to Dave

      Nano Adblocker + Nano Defender + Pop up blocker for Chrome
      and say goodbye to ADS

    2. Troy Mursch · in reply to Dave

      I recommend using a dedicated extension to block cryptojacking, such as minerBlock.

      You can trust it because I've covered this topic extensively for the last four months and personally shared my feedback with the developer of minerBlock. However, it's wise to be wary as some browser extensions you'd think are helpful are actually malicious, as we've seen in a few recent examples.

  2. Ben

    Word for word, it is exactly what I'm thinking, what I recommend around me, and what I've been doing for years now. I just don't like ads since it became a serious invasive issue, and moreover, when it became a security issue.

    To share my "experience": most of the time ads ruined my "experience", and I can't say how much I hate this word, since overused by GAFA's. No, they won't "enhance my experience", they can't do that because for years they managed to ruin it, that's why I use an adblocker, uBlock Origin to name it.. and oh boy! what a difference! thanks to Gorhill, this tool does what it is supposed to do.. to block ads and scripts, and btw it even prevents my browser from loading tons of useless stuff, making loading pages faster, and as UBO is very customizable, it is all I needed.

    Of course, even if I tend to disable it for some websites I know and trust, now I'm a bit concerned.. as Graham wrote in the article, if it happened to Google, what about websites I "trust"? should I?.. probably not anymore I guess? unfortunately as I don't have any way to know, I feel forced to enable my AB by default no matter which website I visit.. if a content is not available because of that, no problem, I'll find another way.

    "Run an ad blocker" is the best advice so far..

  3. Jack T.

    Javascript should only be allowed to run from the domain in the address bar. Period. No third party javascript allowed. The browser makers can make it so and advertisers will have to go back to images only without privacy and security invading tracking.

    Perhaps web sites will have to figure out how to host the ads on their own site and accept full responsibility for problems. Since it would affect their reputation, they would be careful. The advertisers will have to learn to accept the hit counts from the sites.

    1. APPL5h1T · in reply to Jack T.

      Whilst I agree with what you are saying in principle it is not that simple in practice, unfortunately.

      Just have a look at how many third party resources are being loaded by your average website – most of which are running JavaScript of course.

      The vast majority of websites rely on Google APIs, fonts, etc., which are all problematic with regards to privacy. On top of that, imagine what happens if one of the popular CDNs gets hacked and starts dishing out malware (Amazonaws, Akamai, Cloudfront, etc…)

  4. drsolly
  5. John Lewis

    The fact is that Google could stop this, they have the technology but they (and Facebook) have no incentive to do so – see –

  6. Xane M.

    I've used an ad blocker on YouTube for a long time and try to never watch videos on mobile as there I'm unsure if an ad blocker would work. I may feel bad that the content creators aren't getting their money but I've heard of how iffy the ads are and the latest place where mining happens being in these ads… no, I only will mine Monero for myself.

  7. Alfonso

    Great work>>>>>>as always Graham. Regards.
