Morfix And Its Users Fall Victim to Crypto-Mining

December 28, 2017


Check Point Researchers have recently discovered a crypto-mining script running through Morfix, the popular Hebrew to English online dictionary, without its users’ knowledge or permission.

The mining was operated by a JavaScript, originating from a third party advertisement network, which was injected into different locations over the web page, and was unknown to Morfix.

Check Point researchers notified Morfix, who immediately removed the third party code from their website.

With a global Alexa ranking of 17,852 and as high as 65 within Israel (as of Dec’ 17), Morfix is used heavily throughout Israel and worldwide. it can be confidently considered that the crypto-miner injected to Morfix’s website had reached tens, if not hundreds, of thousands of users.

As reported by Check Point Researchers earlier this year, online miners is a growing trend amongst websites. We now see a different example of this trend, as an ad network takes advantage of the publisher’s website, and its users.

How It Works

The carrier website initially runs a script that scouts out whether a user has an ad-blocker implemented. Upon finding such an ad-blocker a second script is run that covertly utlizes the user’s CPU power to mine the Monero crypto-currency in the background instead.

The script which checks for the presence of an ad-blocker



The hidden instance that redirects to the crypto-miner

Granted, the CPU usage level climbed to nearly 50% when browsing to Morfix by the time it mined Monero over our labs, compared to approximately 1.2% on other browser tabs.

A CPU usage of 50% may not sound too high, however, when used in combination with other heavy CPU instances (such as online gaming), this extensive oppression of the computational resources usually leads to a dismal user experience while browsing the Internet, and eventually may clog the CPU and crash the browser.

The CPU level rises to almost 50% in the tab running the crypto-miner

Alexa rank for ‘morfix\.co\.il’

Our research indicates that in this case, it is the Monero coin that is being mined by the script and that it has vast similarities with the original Cryptonight, the framework used to mine Monero crypto-coin.







Although it is not illegal to not inform of the mining, it would certainly be considered unethical to some users as usage of a crypto-miner can damage browser performance.

For more information and our full report into the bitcoins and cryptocurrencies, please download our guide “Cryptocurrencies: How Safe are They?”

Indicators of Compromise




  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks