The Washington PostDemocracy Dies in Darkness

Hijack customers’ computers to generate bitcoins? New Jersey has a problem with that.

A physical representation of virtual currency Bitcoin. (Photo by George Frey/Getty Images)

While the Bitcoin digital currency is making its most high-profile splash yet in Congress, an online gaming company just agreed to a $1 million settlement in New Jersey for hijacking users' computers to generate Bitcoins for the company's benefit.

E-Sports Entertainment ran an anti-cheating service for popular online video games. But the complaint against the company alleges that it was trying to cheat its customers by installing on their machines malicious code that enabled the company to monitor computers even when not signed into the service and linked the computers to a botnet to mine for bitcoins.

Bitcoins are created by "mining," where computers compete against each other to process Bitcoin transactions. When a computer wins the computational race, it receives a reward of a certain number of Bitcoins, currently 25.

By creating a botnet that draws on the power of many computers, E-Sports could get a speed boost in that race. And the press release for the settlement suggests that it was working:

It is estimated that, during a single two-week period, E-Sports took control of approximately 14,000 computers in New Jersey and across the nation, and generated approximately $3,500 by mining for bitcoins.

It's unclear if that two week profit was calculated based on prices at the time or using today's skyrocketing Bitcoin value. But regardless, E-Sports and the Office of the Attorney General for New Jersey agreed to a settlement over the company's alleged actions.

E-Sport will pay a $325,000 of the $1 million settlement now, but the rest is suspended and will be vacated after 10 years if the company complies with the rest of the settlement: Refraining from "deploying software code that downloads to consumers’ computers without their knowledge and authorization," submitting itself to a 10-year compliance program, and creating a dedicated page on its Web site detailing what type of data it collects and how it's used.

However, Ashkan Soltani, a security researcher who worked with the New Jersey attorney general's office on the complaint, suggests that the case may have broader implications.

"I think this raises the question of whether companies can leverage consumers' computers for their own gain, beyond simply collecting data for the purpose of behavioral advertising," he says, adding, "There are now a number of ad networks trying to use your computer's CPU to mine bitcoin when you visit their sites."

Add-ons and plugins including BitcoinPlus and Tidbit allow webmasters to paste a code to their side, then engage the unused computing power of web visitors.

But, given the New Jersey ruling, Soltani says, "we'll want to ask how far a 3rd party software developer or Web site can go to make a buck off of their users."