A Google Chrome extension has been caught secretly sapping users’ device resources to mine for cryptocurrency, a practice that can cause serious issues like overheating and irreversible battery damage.

The extension Archive Poster, which promised users an easy way to interact with Tumblr posts stored in archives, was removed from the extension store on Tuesday after it was found engaging in an emerging threat known as “cryptojacking.”

“Archive Poster is far from the only case and we’ll definitely see more cryptojacking incidents in 2018,” Troy Mursch, the Las Vegas-based security expert that first publicized the issue, tells Inverse.

Before it was removed, “Archive Poster’s description promised users that it would “reblog, queue, draft, and like posts right from another [Tumblr] blog’s archive.” However, at least four versions — 4.4.3.994 to 4.4.3.998 — contained Coinhive code that would use resources to mine the Monero cryptocurrency. Mursch told Bleeping Computer about “Archive Poster” on Friday, which led to a flood of reports and its subsequent removal.

A series of secpailly-designed Bitcoin miners at work.
A series of secpailly-designed Bitcoin miners at work.

Cryptocurrency mining is where a computer solves a difficult math problem to create a new token. By solving the problem, the computer verifies transactions and helps create a decentralized cryptocurrency that doesn’t depend on a single server. It’s a system that’s come under intense scrutiny due to high energy usage, with one Bitcoin mine in northern China using $39,000 of electricity per day for 25,000 machines —which in turn constituted just four percent of Bitcoin’s total power in the month of August.

Cryptojacking gets other computers to do the hard work. Instead of the computer owner mining a token and receiving compensation for using resources, cryptojacking secretly forces other computers to make these calculations and takes the coins for themselves. “Archive Poster” was mining Monero, a cryptocurrency with a focus on privacy and hard-to-trace transactions.

This attack can have serious results. It can slow down a target’s computer, push up energy usage, and drain batteries. In serious cases, it can even cause the battery of mobile devices to fail due to overheating:

“Archive Poster” is not the first culprit. Mursch detailed numerous other cryptojacking incidents in the past year on his blog, including:

  • Malware found on the CBS Showtime Anytime website in September, active for three days.
  • A compromised JavaScript library on Politifact, active for four hours in October.
  • Coinhive code found on UFC Fight Pass in November, which the company denies was ever present.
  • A widespread cryptojacking campaign that hit over 1,400 websites after the LiveHelpNow customer support chat widget was compromised in November.

Unfortunately, these incidents are likely to be just the beginning.