Cyber Incident Victim: Showtime
Date:
Sep 2017
Location:
United States of America
Summary
Showtime's websites were found running a cryptocurrency mining script utilizing visitor CPU resources to generate Monero, discovered via social media. The script operated at minimal throttle, suggesting possible intentional testing rather than malicious activity, though the company did not confirm. This caused increased processor usage for users, mirroring controversial experiments by other platforms. The code was subsequently removed, but potential revenue remained low due to the service's relatively modest web traffic compared to larger sites.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 25, 2017, cybersecurity observers identified unauthorized cryptocurrency mining activity affecting two Showtime domains: showtime.com and showtimeanytime.com, the latter serving as the official platform for the company’s streaming service. The incident was first detected at approximately 17:00 ET (22:00 GMT) by Twitter user SkensNet, who observed the domains loading Coinhive, a JavaScript library designed to mine Monero cryptocurrency using visitors’ CPU resources. The main Showtime domain, sho.com, remained unaffected. Analysis revealed the mining script operated with a throttle setting of 0.97, limiting active mining to 3% of a visitor’s CPU time. Showtime did not respond to requests for comment from Bleeping Computer prior to the article’s publication, leaving the intrusion’s origin unresolved—either unauthorized access by threat actors or a deliberate experiment by Showtime. The throttle configuration suggested potential intentional deployment, as attackers typically maximize immediate profits with lower throttle values before detection.
The incident exposed visitors to elevated CPU usage, though the financial impact appeared limited due to Showtime’s lower traffic rank (~#9,500 per Alexa) compared to sites like The Pirate Bay (#87), which had generated approximately $12,000 monthly in prior Monero mining tests. Coinhive, launched just ten days earlier on September 14, 2017, had already been weaponized by malvertisers, adware, and compromised websites, amplifying concerns about its misuse. Showtimeanytime.com’s involvement raised particular scrutiny as a paid streaming platform, though no user complaints or performance degradation reports were cited. The mining scripts were subsequently removed from both affected domains, but Showtime provided no public explanation or acknowledgment of the incident. The event highlighted emerging risks associated with in-browser cryptocurrency mining scripts, which operated without user consent while offering site operators a controversial alternative to advertising revenue.