Ad network provider started to perform in-browser coinhive cryptojacking when users visit websites which use this providers ad network service. The typical domains look like this : [az]{8,14}.(bid|com), we call it DGA.popad. Starting from 2017-12, the bar got raised again and we began to see these. DGA.popad domains participating in cryptojacked without end-users acknowledgement. The majority of these. domains are domains as well as porn and downloading services.”]
Source: https://blog.netlab.360.com/who-is-stealing-my-power-iii-an-adnetwork-company-case-study-en/