Cyber Incident Victim: Los Angeles Times
Date: Feb 2018
Location: United States of America
Summary
A cryptojacking attack was discovered on the Los Angeles Times website, where hidden Coinhive code mined Monero cryptocurrency using visitors' devices. The throttled miner minimized CPU impact, reducing detection likelihood. The compromise stemmed from a misconfigured Amazon AWS S3 bucket, allowing unauthorized code injection into their Homicide Report page. Security researchers identified the issue and notified the organization, leading to code removal. This incident mirrored similar attacks exploiting cloud service vulnerabilities to deploy cryptomining scripts surreptitiously.
Description
On February 22, 2018, security researcher Troy Mursch of Bad Packets Report identified unauthorized cryptocurrency mining code operating on the Los Angeles Times' interactive Homicide Report webpage. The cryptojacking script, developed by Coinhive, had been covertly utilizing visitors' device processing power to mine Monero cryptocurrency since at least February 9. Attackers exploited a misconfigured Amazon AWS S3 storage bucket associated with the newspaper's infrastructure, which permitted unauthorized parties to write malicious code directly to the server hosting the Homicide Report. The injected JavaScript miner employed deliberate throttling mechanisms to limit CPU usage, reducing performance impact on visitors' devices and making detection less likely compared to unthrottled cryptojacking operations that typically maximize processor utilization. This configuration prevented noticeable device slowdowns or overheating for most users visiting the affected webpage.

Mursch notified the Los Angeles Times via email upon discovery and advised immediate code removal, after which the cryptomining operation was terminated. The newspaper did not publicly acknowledge or comment on the incident despite media inquiries. Forensic analysis indicated the attackers leveraged the same cloud infrastructure vulnerability previously exploited in cryptojacking campaigns against other organizations, including UK and US government websites and Tesla's cloud environment. The incident highlighted risks associated with improperly secured cloud storage configurations, as the AWS bucket misconfiguration enabled anonymous threat actors to implant and maintain the cryptojacking script for at least thirteen days. While no data theft or additional malware was reported, the compromise demonstrated how resource-hijacking attacks could persist undetected on legitimate platforms through calculated operational security measures by adversaries.
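The root cause described above, a bucket that accepts writes from anonymous callers, can be checked for offline. The following is an added example, not code from the incident or from the researcher: it audits a bucket ACL and bucket policy for anonymous write access, assuming inputs shaped like the S3 `GetBucketAcl` and `GetBucketPolicy` responses. The sample data, bucket name and function names are constructed for illustration.

```python
import json

# Real AWS identifiers: the ACL group URI for anonymous users, plus the ACL
# permissions and policy actions that let a caller write or re-permission.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
POLICY_WRITE = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                "s3:putbucketpolicy", "s3:putbucketacl"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _action_writes(action):
    a = action.lower()
    if a.endswith("*"):  # "*", "s3:*", "s3:Put*" ...
        return any(w.startswith(a[:-1]) for w in POLICY_WRITE)
    return a in POLICY_WRITE

def anonymous_write_findings(acl, policy_json=None):
    """Return human-readable findings for anonymous write access."""
    findings = []
    for grant in acl.get("Grants", []):
        perm = grant.get("Permission")
        if grant.get("Grantee", {}).get("URI") == ALL_USERS and perm in ACL_WRITE:
            findings.append(f"ACL grants {perm} to AllUsers")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        hits = [a for a in _as_list(stmt.get("Action", [])) if _action_writes(a)]
        if hits:
            note = " (has Condition, review manually)" if "Condition" in stmt else ""
            findings.append(f"Policy {stmt.get('Sid', '<no Sid>')} allows anonymous {', '.join(hits)}{note}")
    return findings

# Constructed sample data (not from the incident); bucket name is a placeholder.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

The check is deliberately narrow: it does not evaluate `Deny` statements, `NotAction`/`NotPrincipal`, or account-level Block Public Access settings, so a clean result is not proof that a bucket is closed.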
