Cyber Incident Victim: PolitiFact
Date: Oct 2017
Location: United States of America
Summary
The Pulitzer Prize-winning fact-checking website PolitiFact was compromised to covertly deploy cryptocurrency mining malware in visitors' browsers, using Coinhive's JavaScript to generate Monero without user consent. Attackers embedded aggressive, non-throttled mining code within the site's navigation script, activating eight simultaneous instances that maximized CPU usage and degraded system performance. Security researchers and users identified the unauthorized operation, noting that the site's substantial visitor traffic could yield significant illicit profits. The organization confirmed it had been unaware of the compromise and initiated an investigation while the malicious code remained active, exploiting visitor resources for financial gain.
Description
On October 13, 2017, cybersecurity analysts discovered that PolitiFact.com, a Pulitzer Prize-winning political fact-checking website operated by the Tampa Bay Times, had been compromised to deploy unauthorized cryptocurrency mining software. Attackers injected Coinhive's JavaScript code into the site's pages, disguising it within a script ostensibly controlling the navigation bar. This malicious code initiated eight unthrottled instances of Monero mining, consuming 100% of available CPU resources on visitors' devices without their knowledge or consent. The mining operation exploited the computational power of PolitiFact's 3.2 million monthly unique visitors to generate Monero cryptocurrency, valued at approximately $95 per coin at the time, for the attackers' benefit. Information security analyst Troy Mursch first identified the issue after observing abnormal CPU usage while accessing the site, an observation corroborated by user reports on Reddit. Analysis revealed that the code operated at maximum intensity, significantly degrading device performance for visitors. PolitiFact's editorial staff confirmed they were unaware of the code's presence and initiated an investigation upon being alerted by journalists.

The incident impacted visitors through reduced system performance and unauthorized resource consumption, while exposing PolitiFact to reputational risks. Attackers leveraged Coinhive's legitimate mining toolkit, typically used by websites as an alternative revenue stream to advertisements, but deployed it maliciously without PolitiFact's authorization. The compromised script operated indiscriminately, affecting all visitors whose ad blockers did not block the code. Quantcast analytics data highlighted the scale of potential computational resource theft due to PolitiFact's substantial monthly traffic. Concurrently, the event contributed to growing scrutiny of Coinhive's technology, as a separate survey around the same time identified 220 websites, primarily adult content and torrent platforms, using similar mining scripts. PolitiFact's investigation focused on determining the intrusion vector and removing the unauthorized code, though the source article does not specify remediation timelines or final outcomes. The attack exemplified a broader trend of threat actors compromising reputable websites to monetize visitor hardware resources covertly.
