On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool. Attackers abused Google’s DoubleClick, which develops and provides internet ad serving services, for traffic distribution. Data from the Trend Micro™ Smart Protection Network™ shows affected countries include Japan, France, Taiwan, Italy, and Spain. We have already disclosed our findings to Google.