Cryptomining scheme hits university sites

Hackers trying to mine the digital currency Monero exploited thousands of websites, including those for educational institutions in the U.S. and elsewhere.

More than 4,000 websites, including those of education institutions and government agencies worldwide, were compromised over the weekend by a scheme to mine the cryptocurrency Monero.

A vulnerability associated with the third-party web browser plugin Browsealoud allowed hackers to put the cryptomining code into the source code for the affected websites, according to a U.K.-based cybersecurity researcher. A number of university sites were pulled in to the scheme, including Lehman College (, the City University of New York ( and Marymount Manhattan College (

Malmo University and Lund University in Sweden, among other Swedish education institutions, were also affected by the hack. None of the universities contacted about the incident had responded as of Monday afternoon to EdScoop’s requests for comment.

Browsealoud reads aloud web pages for those with vision problems. Organizations that want Browsealoud to work on their sites must add its code to their source code, and the hackers took advantage of that relationship to co-opt the computing power of visitors to those sites. Loading a page from one of the affected sites meant that a visitor also loaded the mining code. Cryptocurrency mining essentially involves solving large math problems, and the currency is the reward.


Closing an affected computer’s web browser — or even just a browser tab that has loaded a compromised website — would be enough to end the connection and block the mining, cybersecurity researchers said.

Browsealoud’s British parent company, Texthelp, has shut off the plugin until the situation can be fully investigated.

“Customers will receive a further update when the security investigation has been completed,” said Martin McKay, Texthelp’s chief technology officer, in an official statement.

The malicious code was only active for about four hours on Sunday, according to the company. The plugin is expected to resume normal operations again on Feb. 13.

A list of affected websites can be found here.

Latest Podcasts