I built a screenshot API and some guy was mining cryptocurrencies with it.

Timothée Jeannin
3 min readApr 27, 2018

Hey folks, just wanted to share this story. Yes, I could have been better prepared for what happened, I know. :)

This morning when I opened up my inbox, I had around 150 alert emails from the logging tool I use. I immediately thought I must have pushed a nasty bug to production and started investigating. I quickly realized some guy was creating new accounts really fast on our screenshot API and was rapidly using all the free plan credit.

He was making screenshots of this page https://cnhv.co/2uujp to mine cryptocurrencies on the machines hosting the chrome instances we use to make screenshots.

I figured he was hanging out on ApiFlash’s homepage so I could reach him through Crisp, the tool we use to chat with potential clients. Here is the conversation we had:

Me: Hi. Please stop creating multiple accounts on ApiFlash, you’re violating the terms of service.

Him: how do you know?

Me: From our admin interface we have metrics to monitor usage.

Him: so u tracked my ip? wow!!!

Me: We have legal obligation to gather data from our clients.

Him: oh. sorry. i was using your server for mining cryptocurrency

Him: sorry i will stop it

Me: Thank you.

Him: will there be any legal proceedings ? 😅

Me: If you stop now. No. If you continue yes.

Him: but its your fault. you have not implemented any mechanisms to prevent bots or automated access

Me: We allow users to create accounts freely, but we have various tools in place to ban people. We also have a contractor that can build a legal case if needed.

Him: ok i understand. but its your duty to make sure that automated softwares cannot make account on your site

Me: We might add more security if we feel the need.

Him: i am web developer too. i can help you

Him: i just created a tool in php for automatically creating accounts on your site. 😅

Me: We figured. 🙂

Me: Selenium ?

Him: no php curl

Him: i can help you if you want

Him: so , you have no idea about site security or are you just too lazy to implement it? 😅

Him: please implement a captcha in your site . it will prevent all those automated tools

Me: Thank you for your advice.

Me: Are we the first website you are attacking ?

Him: no.. 😅

Him: this is my hobby

Him: for fun and profit

Me: Do you make decent money from coinhive ?

Him: no. i have not made anything yet

Him: so i thought of using such sites to mine some coins. 😉

Him: i am sorry if you had any loss

Me: It's ok we haven't lost anything.

Me: There is a bunch of other screenshot website you might want to try. 😉

Him: 😅

Him: it will consume their processing power . you know it

Me: Yes it's in browser monero mining.

Him: btw why would you want me to try other websites? just to make some loss for them? 😅

Me: No, don't. I was just joking. 🙂

Him: ok.

Him: can i be a part of your team ?

Me: i'm sorry but we already have a developer in house.

Him: 😥

Him: anyway it was nice meeting you.

Me: I'm sure you're a great guy deep inside. There is a ton of better ways to make money as a developer. It was nice meeting you too. Good luck ! I hope your life is going to be great ! 🙂

Him: thanks. bye 🙂

I think it’s one of the most pacific way I did mitigate an attack, and he was not that bad of a guy after all. 😄