Web-based Cryptojacking in the Wild

Formal Metadata

Title
Web-based Cryptojacking in the Wild
Subtitle
When your browser is mining coins for other people
Number of Parts
165
License
CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
A cryptojacking website abuses the computing resources of its visitors to covertly mine for cryptocurrencies in the browser. In this talk, we explore this phenomenon and answer, amongst others, the following questions: How does the mining script work under the hood? How common is this attack? How much money do the attackers earn? And how can I defend myself against such attacks?
Transcript: English(auto-generated)
Good, we will start our talk about web-based cryptojacking in the wild, when your browser is mining coins for other people. It will be by Marius Musch, who's doing a PhD at the Technical University Braunschweig on web application security with a focus on client-side attacks and large-scale analysis. Please welcome Marius.
Hi everyone, I'm Marius, thanks for having me. Today I will talk about web-based cryptojacking. I worked on that project as part of my PhD together with my colleagues Christian Wressnegger, Martin Johns and Konrad Rieck.
So unless you have been living under a rock in the past two years, you might have heard about Bitcoin and all the cryptocurrency stuff. So in January 2017, we had Bitcoin at an exchange rate of about a thousand dollars and it went up all the way to 20,000 in December. And today we're somewhere between 3,000 and 4,000 back again.
So just for context, when we worked on this, it was around February when we started on this project and the final data collection was around May. So it was after the real hype died down, but still cryptocurrencies were somewhat more popular and higher priced than today.
So to get you quickly on the same page, I've prepared two slides about mining in general. So mining is the process of creating new coins in cryptocurrency and what you need is the state of the current network, which also is called the blockchain, and also you need a random number or a nonce. So you take both these things, put them together and calculate a hash over this.
And the resulting hash sum is compared to a target. So in the end, you basically want a resulting hash that has a very low number. So we have a lot of leading zeros in the case of Bitcoin. You actually want to find a hash that has 19 leading zeros.
And this is usually not the case, so repeat this process very, very often so you brute force a lot of hashes. And in the end, you hopefully someday then find such a hash and then you have basically mined a block. This is what mining is about. And in this process, you're trading your computational power and electricity for shiny new coins.
So you have the initial investment of hardware and you have this constant cost of the electricity and for you, mining only really makes sense if the coin is worth more than the electricity you pay for. And we also need to know about mining pools. So the problem is if you now decide to start mining with your desktop computer
and with a normal CPU and you say, yeah, I want to mine Bitcoin now because I felt that's the next new thing. So the problem is this is very inconsistent because you could mine for centuries and not mine a single block. So you never get any reward at all, but you still have to pay for all the electricity. So what you could do is you could join forces with other miners and you get a more
consistent reward because if anyone in this pool finds a block, then it's shared amongst all the peers in the pool according to their contribution. So the pool has to track who calculated how many hashes and then later you get the pay out based on that amount. So it's a lot less random, this reward.
And so that you better understand how this could work, I have here a simplified protocol of me speaking to the pool. So in the beginning I say, oh yeah, I understand version seven of this protocol and the site key will become relevant later in this talk. So this thing basically ties the hashes you calculate to your account.
So it's just some ID that later says, okay, if you then pay me, remember these hashes I calculate now belong to this account specified here. And the pool will then say, oh yeah, okay, I know you calculated zero hashes so far. So here this block is basically the state of the current network that we need.
And you've seen that in the previous slide with the nonce. And this contains stuff like the Merkle tree root hash and the current block header and transactions and stuff. So we don't really care what this is, it's just a block for us, right? And also the pool says, here is this target, I want every hash that's lower than this number.
So we need two leading zeros in this case. And the thing is, now we report, we retry it for a bit and then report to the pool. Yeah, for this job you gave me, I found this nonce and that resulted in this hash, and so the pool can verify that fast. And why do we do this? You see only two leading zeros, this will not result in a new mined block.
And the thing is, the pool doesn't want to be cheated, right? So if you just say to a pool, we tried a million hashes and we didn't find anything, and the pool says, yeah, great. That would be a dumb protocol, right? So in this case, we report a subset of the hashes, and that is all that have two leading zeros, because the pool requested it this way.
And because the hashes are basically random, right, we can't predict what's the output. And we know this is hexadecimal, so each position in this hash has 16 possible cases. So 16 times 16 gives 256.
So basically, because we found this hash, the pool can now say, okay, we probably needed around this amount of tries. So this continues and continues and so on. So, so far for the basic introduction into mining and the mining pool, just so we know what we are talking about. Now, what's this cryptojacking, which is actually what the talk is about?
So imagine the story kind of like this. Somebody came up with the idea, okay, so we have this cost. It's electricity, why should we pay for this? Maybe somebody else can mine for us, right? So this is basically what externalizing cost is about.
It's a rather technical term. Imagine if you're an energy company which is producing fusion energy or something like that, and they create a lot of radioactive waste that they don't care about, and they just say, yeah, the society will deal with it. Then they have externalized the cost. And this kind of success model got adopted into the cryptocurrency world
in the sense that some people decided, well, I could just mine on other people's computers, so neither need the hardware nor pay for the electricity, right? So this is rather old news from 2017, actually. The Register wrote in May that some cryptocurrency miners were found and
they were armed with exploits that were already seen on another malware campaign. And I'm the guy on the right who is rather like, okay, this is actually rather boring because if you can infect a computer with malware, you achieved arbitrary code execution, obviously you can start a miner, right?
You could encrypt the hard disk, but then you have to deal with all this payment. Maybe this guy has a backup and just wipes this machine and loads the backup. So maybe you just start a miner and you have less hassle, but it's not really interesting on you in any way.
But then we saw this article that was in October and they said your browser could be mining cryptocurrency for a stranger. And I'm like, this is rather interesting actually, because now there are no exploits involved, right? We have just normal people visiting a website and they are part of your cryptocurrency mining scheme.
So you can roll out this much more easily, right? You don't need to infect a lot of computers, you just need a website that's rather popular. And that's basically what web-based cryptojacking is about. So you have a popular page and you just insert a small mining script into the HTML,
a small JavaScript file, no exploit involved. People visit your website, they mine for you, people leave the website, they stop mining. That's rather the drawback of this case. If they close the website again, then the whole thing stops. But on the other hand, you can far more easily start the mining, because you don't need to really infect somebody,
you just need somebody visiting your web page. So, okay, we want to do mining in the browser. But I'm sure you're kind of skeptical now, because there are a lot of problems that we will see, right? So the first thing is fast execution. You think a miner in JavaScript, that doesn't really sound great. But luckily, the solution is WebAssembly.
It's a new language supported by the browser. It's a low-level byte code language. And that's executed in a stack-based virtual machine inside the browser. So you can write code in C++, translate it to WebAssembly, and then call that from a JavaScript API. So basically, we can execute the hashing function in WebAssembly.
So that will be really fast and efficient. So that's great for us. So one problem less. But then also we want to do multi-threaded, right? So if somebody visits with four cores, then we want to use all that four cores. Well, luckily, there's also an API for that, which we can call from JavaScript.
We can say, we can ask the browser, how many cores does this visitor have? And the browser will happily return to us the correct number. And then we can instantiate so-called web workers. And basically, these spawn multiple threads. And these will even be active if the user switches the tab, as long as he does not close it. So okay, we have very efficient and fast execution.
We can use all the cores of the machine. What would be also very useful is efficient communication, right? We don't want to talk to the pool over HTTP, because we have to send a lot of very small messages that we don't want to really deal with all the HTTP headers and that stuff.
So we can use WebSockets. And these allow for a full-duplex communication without all the overhead. Because imagine if you have tens of thousands of concurrent visitors to your website. You don't want them to DDoS your own mining backend infrastructure, right? That would be bad. So we can use these WebSockets.
And combining all these things, we have a rather good miner actually now. But I'm sure some in the audience are still skeptical, right? Because we're in the browser. So this proof-of-work, this hashing function that we have to call very, very often, we execute it on the CPU. And you might say, oh wait, mining on the CPU?
That's like 2011 or something. So that's true, right? But for Bitcoin at least, not only. So in Bitcoin, the proof-of-work, the hashing function, is a normal SHA. So the thing is, this is much more efficient if executed on a GPU or even on specialized hardware
like an ASIC, which is an application-specific integrated circuit. So it's imagine a hardware that was specifically designed only to do this hashing function, right? It's not a general purpose thing like the CPU which can execute arbitrary stuff, but it only does these hashing functions. But it does them really, really well.
So if you combine these numbers, you actually see, these are just rough estimates, but such an ASIC could perform like as much computation as 12,000 CPUs. So our web-based mining can't really compete with these huge mining farms for Bitcoin, which employs ASICs.
So what is the solution here? Well, the solution is just to not mine Bitcoin. Because there are a lot of other cryptocurrencies out there. And in this case, we take Monero, which is of the CryptoNight family. So they use this CryptoNight hashing function, which was specifically designed for cryptocurrency.
So they invented a new hashing function which is resistant to all these other hardware. So it executes really well on a CPU. But if you use a GPU or something else, it's not really much faster. And people tried to design ASICs, but it's really hard because they implemented this algorithm in a way with a special
two megabyte scratch pad, which exactly fits into a cache of the CPU and stuff. So ASICs have really problems there. And also when one was announced, they just changed the algorithm. So somebody said, and it was just last month, that they actually changed it again. So when somebody announces, yeah, we're selling our special Monero mining ASIC,
you can buy that for $5,000. And they just say, oh yeah, we do a hard fork. So we changed the algorithm. Now all the money you invested to build these things, and this is really expensive to build such an ASIC, this is now basically worthless. And everybody who bought such a thing is also broke. Okay, so with all these things together,
with mining this Monero and using WebAssembly and Web Workers and WebSockets, somebody combined all that, had this brilliant idea, and this was the birth of CoinHive. So CoinHive is a service or infrastructure. They were the first big
and are still the largest of them all. They provide you with a JavaScript file. You embed that into your web page. And then you also add a small configuration script, which I've shown here. So here you see the site key again. So you basically have to identify your visitors. So each calculated hash will be attributed
to this account that you write in there in the site key. And if you're nice, you can also say, I don't want to mine at 100% of the CPU, because I don't want to annoy my visitors that much. So you can say, I only mine at about 70%, which is this throttle here.
So what you also could do is you could say, if you detect a mobile device, then we don't start the mining because it will not help very much, but you can also skip that step. And they claim that this miner they've implemented actually performs at about 65%
of the native miner performance. So it would be still more efficient if you would do this not in the browser, but on the machine natively, but it's not too bad. Like you get two thirds of the possible computation in the browser. And CoinHive hosts this infrastructure with the web socket backend and the pool communication and all that for you,
but they take a 30% cut. So you don't get all the money. They actually do. It was kind of to be expected that people then started to clone this script. They basically just copied the script and modified it a bit and booted up their own backend infrastructure. So there are slight modifications of the script, but from what we've seen,
it's actually all the same script that was initially implemented by this CoinHive. And there's also an interesting story behind that, which I can't go into detail here, but if you're interested, look up the blog by Brian Krebs, where he found out that CoinHive actually originated from the German image board pr0gramm, which surely somebody here knows.
So if you're interested in that and the story behind that, look that up. So we have this great service, CoinHive, and we have headlines which claim that cryptojacking is now the next new thing, and oh my God, the world is going down and everything. But we were wondering, is this really the case? Like, how often does this happen, this cryptojacking?
Do they actually make profits this way? So what we need is a way to detect this in the wild. So what I wanted to do was visit a lot of websites and check if I kind of find indications that they're using a cryptocurrency miner. And I didn't just want to look at CoinHive,
but actually find them in general, so also modificated versions of it. And before we go into that, I want to add a small disclaimer, like not all mining is evil, right? So we see here screenshots of two services which actually ask you before they perform their currency mining in your browser.
So this would be okay for us, we ignore these, right? When we talk about cryptojacking, what I mean is mining that starts automatically and without your explicit consent. So all others are basically fine for us, right? So we don't detect them.
And this AuthedMine even is run by the same guys as CoinHive, so they noticed that a lot of ad blockers wanted to block them and they started the second service, AuthedMine, where they ask you first. But from what we've seen, it's not used very often and also a lot of ad blockers still block that also.
And now the thing is, I don't want to say all mining is evil because it could be interesting as an alternative for ads or trackers or even for CAPTCHAs, if you imagine you have to provide a proof of work instead of a CAPTCHA for an API that's throttled or something. So there's potential there, but sadly what we've seen
is mostly people trying to profit from it directly by starting a miner in the form of cryptojacking. So how could we detect this? So we could do some blacklists, right? So we start with the CoinHive script and if you see that, we know it's pretty sure, crypto miner, but then we see that people are starting to host these as jQuery or player.js
or something like that. So this doesn't really help us, right? So we don't do a URL-based blacklist. We could look for known strings, but people are just obfuscating their miner, right? So this doesn't really help us either.
So as kind of expected, the static detection of miners is not really that interesting and also not working perfectly well. So what we've done instead is execution traces. So this is from the Chrome's profiler. It's a built-in tool in the DevTools of your browser or maybe of another browser. And you don't really have to understand
what's going on here. I've visited Google and they execute a lot of JavaScript. You basically see the functions, which calls another function, another function, and so on. And after a while, the page has loaded and nothing much is happening right here. After a while, it just stops. So you don't have to understand this, but rather look at the difference. This is a cryptocurrency mining page.
And what we see here is eight threads. So I couldn't expand them all because it wouldn't fit the screen, but these bars here are basically the same as these expanded bars here. So we see eight different threads, which are concurrently executing the same function, which is conveniently called hash,
which calls into WebAssembly. Yeah, that's really suspicious, I would say, because this function is called over and over again. And as long as you stay on the page, it will be called more often as long as you stay. So this in eight threads in parallel is really a strong indicator for a cryptocurrency miner. So we use this and some other indicators
to get our results, but we did this back in May. So May this year, we did this data collection, but I also have two slides about updated results from this month, or rather today. So we looked at the Alexa Top One Million. This is just a list of a million websites
which are rather popular. And we found about 2,500 websites which had an active miner. So we just visited the front page. That was the reason why we probably missed a lot of them. And there might be various other reasons, but it's just so you get an estimate. So we found about one in 500 websites
had such a cryptojacking script actively. And then we made a small plot about, is this more in the popular pages or in the less popular pages? And you have to know that the Alexa rank one is Google, so a low number is popular. So these are the most popular pages, and they also had the most mining scripts.
But we still see that there's also miners in the lower or less popular ranks of the Alexa, right? So there's a slight trend towards here, but there's still a lot going on here. Then we wanted to know what are these websites, and we don't want to visit 2,500 websites, so we used a service by Symantec.
They have some website categories for you. So not every page actually had a category attributed to it, and some had multiple, but just a rough estimate. We found that entertainment and pornography is kind of unsurprisingly most popular for cryptojacking.
And this makes sense intuitively because if you're on a website which shows you videos or a whole movie, then it's really worthwhile for the website owner because you stay for a very long time, right? So remember, the miner is only active during the time which the tab is open in your browser.
And so what this means is you're kind of distracted like I was just, because you're watching a movie and it plays sound and you don't really notice what your computer is doing, like the fans might spin up, and this is what happens during cryptocurrency mining
because they use a lot of your CPU, but if you're watching a movie, you might not care because you have explosions all around your ears. So now the question is, do they earn significant amount of money? So if you take the top 10 popular pages,
so the top 10 most popular pages which had a miner, and they had on average about 400,000 visitors which stayed for roughly six minutes, these are also again very rough estimates because it's very hard to get these numbers. There are some services like SimilarWeb which can give you some insight, but it's unclear how accurate this is. And we found that they could earn at that time
about 180 dollars, I did in euros actually, but this is really the top end. So an average website in the Alexa top one million which is still not your new personal homepage, but it's kind of popular, but not really popular, had about 25,000 visitors,
and they could only earn about five euros a day. And this is very generous still because we didn't actually, we assumed that nobody has an ad blocker and we didn't really calculate how many users are mobile on mobile devices because they also have a much lower hash rate. So there are a lot of things that could go wrong,
also people could just boycott your site if they noticed that there's cryptocurrency miner going on, maybe somebody posted on Reddit or something, so then they stop visiting your website. So there are a lot of reasons why you probably earn less money than that. But in case you're wondering, is this game over for the smaller websites? Not exactly, so we were wondering
maybe a lot of small websites belong to the same guy or are working together, and then it could be interesting again, like if you have hundreds of these small websites, maybe there's some money to make. So we tried to track this money, but if you know a bit about Monero, or if you look into it, then you notice that this thing is infeasible
because unlike Bitcoin, Monero has a lot more privacy stuff involved. So the payments are untraceable, you can't really link transactions, you don't even know how much money is in a particular wallet from the outside without having a special access key. They use a lot of fancy cryptography, which I don't know anything about,
but they have these ring signatures and one-time keys derived from another key and muddling factors, and it's crazy. So you can't do anything, right? You can't track money in Monero, basically. And the next problem is, we don't even know the wallet addresses, right? So we would need the wallet address, and then we still couldn't do anything, but we can't even do that.
So with CoinHive, for example, remember there was the site key, and the site key was just an ID that CoinHive then later maps to a wallet where they pay out the money. But we are not running CoinHive, so we don't know which site key gets paid out to which wallet address. And also the site key, as the name implies, is intended to be unique for each site. So if people are running multiple sites,
then they could just use multiple site keys, and we from the outside wouldn't know that they actually mine for the same account. But also people make mistakes, so we only found 570 site keys on 830 sites, so obviously some site keys were used multiple times. In fact, one of them was used 55 times
on different websites. And in this picture, you can see a cluster of 21 pages, which had the same site key. And then one of these pages actually had a second miner with another site key, which linked it to these five other pages. So this page maybe was infected twice.
We don't really know, that's the problem, right? Because even these 21 sites with the same site key, we don't know if they have the same owner, or if they were hacked with the same exploit, or by the same guy, or same campaign. So we know these belong together, and that the same person gets all the money from these 21 sites,
but we don't know if it's intentional or not. And this case with this one site, which had two miners on it, which doesn't really make sense, kind of indicates that there was some hack involved. But again, we don't really know from the outside, which is kind of sad. There was a last thing we could do, which is probably the easiest of them all. And this is using web artifacts,
which means we look at the mining script. So we look at the URL of the script, and if you see the same script over and over again, or the same web socket backend, then it could be that they belong together. But the problem is these pools, right? So if you see, say, Coinhive multiple times, we don't know anything. But on the other hand, there are private pools,
which don't have a public website, so there's nothing to register. And then we kind of can conclude that they have to be run by the same people, right? So for example, we used the scripts, or rather the hashes of the JavaScript miners, and we clustered them in this picture here.
And the biggest, obviously, is Coinhive, as expected. So there's this huge block here. Basically means there were about 700 or so scripts, which were exactly the same. And then there's another block. We called it Advisestat, because that was the URL of that miner. So we were wondering, there were 311 sites,
which had this miner. But when I visited the web page, it just said 403 Forbidden. So there's nothing really there. So why are there so many web pages which use that miner if there's nothing there? Like, it kind of has to be run by those guys, right? Nobody in their right mind would come up
with the exact URL of the script, and then just include it if you can't register on that page. So we looked into a few of those pages, and then we saw that all of them had such a banner. So we noticed that they all were run by a free Ukrainian hosting service, and they included this banner on all their web pages in the top.
And it even got translated into German when I visited it. So via this banner, and over certain hops of other domains which were all registered through PrivacyProtect and WhoisGuard and such stuff, so you can't really find out who registered these domains. But over this chain, they finally include it
from Advisestat, the mining script. And the script itself and the socket communication was also obfuscated like I've shown before. And the miner was only active on the very first visit. After that, it set a cookie and never mined again, or never on the same day mined again, right? So they were really stealthy about that.
But on the other hand, this kind of dampened their profits because if you visit the front page and you click a link and the miner stops, then okay, you have maybe a few seconds of mining. I don't know. But they had 300 sites, so if you put all this together, they made a bit more money, but it can't be much, right? So these were results from May.
But now you might be wondering, this is actually a different chart. This is now the Monero exchange rate. And so when we did our study, we were around here, where Monero was worth about $225 for one XMR.
And today they're at about $50. So this means actually the numbers you've seen before, you have to divide them by four or by five, somewhere in between. And this means if you round it down, then basically you make one euro a day with the average website.
And, kind of as expected, that means people stopped mining, right? Because I only, I did this actually today, this graph, and I found that only 300 miners were active currently. And interestingly, we also see that
in the most popular bin, we now see a rather larger percentage amount. So the first bar here is actually 25% of the total, and in May it was 14%. So the more popular pages still do that, while a lot of the smaller ones stop, because if you are here, you're really not gonna make any money at all.
Okay, so this already concludes my talk. Thank you all for listening, and I'm free for questions. We're gonna stop the talk. Those of you that have questions, please stand up behind the microphones,
and those of you leaving, please do so quietly so we have the Q and As. There is a question from microphone number two. Hi, did you look into open source CMS and their plugins? So for example, it could be the approach to put some mining script into a popular WordPress plugin, and although it would be only for each page,
like maybe 10 visitors per day, it might be in hundreds of websites and maybe be valuable through this. I've heard about that story, but we didn't really look into the spreading factors, because for us from the outside, it's very hard, like we can't really tell was that website hacked,
or was the miner there intentionally? So yeah, we could try all possible known exploits currently, but that's kind of a slippery slope if I have to attempt the hack, or if I have to check if the website is actually vulnerable. So we didn't conclude anything there, right? So we just, is there a miner active?
And we don't look further into that, right? So we can't tell if it's the website owner, or if it was a hacker. So there's nothing to conclude there, sadly, from the outside at least. We have a couple more questions. Please, if you're leaving, leave quietly. We have a question from microphone number one. Yes, there are libraries like WebGL,
which let you run code through your graphics card. Would it be possible through something like that to mine directly on the graphics card? I've seen a prototype implementation of that, but it was no longer maintained,
and I didn't really try if it actually works. So for Monero, there's an interesting angle, but if you're mining Monero anyways, you don't really gain that much by that. And also, you have to remember, most of your visitors probably don't have really the gaming PC, so you could put a lot of effort
into creating a GPU miner, but then you kind of lose out on all the people who are running laptops, and don't really have a dedicated graphics card, but still a very decent CPU. So I guess it's just not worth it for the amount of visitors who are running good modern graphics cards. I've spotted a question on microphone number five.
There's one from the internet as well. Please don't be shy. We have plenty of time for questions, so stand up behind the microphones. Signal Angel, what does the internet want to know? Thank you. How could a user prevent cryptojacking in the browser besides blocking JavaScript completely?
There are certain countermeasures I actually prepared this slide beforehand, and then I removed it from the talk and I noticed that there are only about 300 miners left. So the problem with this detection I've shown you with the execution traces is that it involves a lot of runtime overhead.
So if you have this profiler on all the time, you slow down all the websites which don't have a miner, so that doesn't really make sense for me. But there are some extensions, like we tried three of them, MinerBlock and NoCoin, which are two extensions, and the third is basically just a special list for ad blockers, which you can subscribe to,
which is specialized for mining scripts. And these are the number of miners that they detected from the set of the 2,500 we found. So they still miss a lot, but it's kind of expected because they used this static list, which I've shown. They kind of work, but the problem is that they miss some.
On the other hand, the overhead is lower. So if you're really concerned about that, you can, then the most practical thing to do is install such an extension. Yeah. We have a question from microphone number five. Did the person move away?
We have a question from microphone number four. Would there be a way that you could put a crypto miner in a browser extension so that it runs on every webpage as long as the browser is opened? Totally, yeah. With extensions, you can inject arbitrary code
into the page, so at least if you have this permission. So it would totally make sense to create such an extension, but you also have kind of the problem that if someone reports it, then it can be easily removed from the store of extensions. So yeah, it's an interesting approach,
but you kind of don't have as much control as if you hosted it on your own site, right? And you also need this permission to inject the scripts, and that means basically you already have control over all the sites that your user is visiting, so that would be a problem anyways, right?
So you already, that's the thing again, you kind of, you need to trick the user to not install malware, but install a malicious extension, and the real cryptojacking basically, which I've shown you about, is the easier variant where you just need somebody to visit your webpage. So the bar is much, much lower, right?
So that's the advantage here. We have a question from microphone number one. Have you seen anything like a popover or an iframe or something that would allow it to live beyond when you close the tab? No, no, we haven't seen that. So a pop-under would work, yes.
A normal iframe, no, because if you close the page that is gone, but yeah, a pop-under would really make sense. Now, maybe someone is using that, but like I said, we did this automatic detection, which means we could visit a lot of websites, but on the other hand, certainly we might have missed out on those special techniques or something which you only would find
if you really look manually into all the pages. But the pop-under totally makes sense, yeah, because it stays active in the background behind all the tabs. We still have time for questions. So if you are sitting in your seat thinking, hmm, do we have time for my question, please get up and move over to one of the microphones.
We have five of them, two in the back, one on the way on the side and two up front. And the Signal Angel tells me the internet has a question. Yes, could LibreJS work against this? Sorry, come again. LibreJS, could it work against this?
I actually don't know what it's doing, so sadly I can't tell you if it would work against it. Perhaps the internet can rephrase the question while we take a question from microphone number two. Yes, you said that one way of detecting it was that it was using eight cores simultaneously
for a long period of time, but wouldn't web pages like Netflix or sites with online games look the same way? Yeah, especially with games, you have a point there, but you have to remember that we didn't really look into whether the CPU is used a lot,
but rather whether a single function in all the code of the website, if a single function was executed over and over again. So we really checked if the same function here and the same function here and the same function here. Obviously, there are also kind of workarounds. If you know that I detect it this way, then you can write your code to do it another way,
but currently we just did this. And for a game, you could imagine that there's a central update loop, which basically draws all the sprites and such, but do you really need to execute this update loop in eight threads in parallel? I would say it's unlikely, but surely we can have some false positives.
That's true. We could have. Good, if there are no more further questions and Marius does not have anything more to add, then please thank Marius for an excellent talk.