At first glance, a CoinHive crypto miner being served by a website whose URL contains the string 'ICO' might not seem so strange.

But when you know that ICO in this case stands for the UK's Information Commissioner's Office — aka the national personal data protection and privacy watchdog, whose URL (https:// predates both Bitcoin and the present hysteria for token auctions — well, the extent of the cryptojacking security snafu quickly becomes apparent.

Nor is the ICO the only website, or the only government website, caught serving cryptocurrency mining malware to visitors on every page they visited. Thousands of sites were compromised via the same plugin.

Security researcher Scott Helme flagged the issue via Twitter yesterday, having been initially alerted by another security professional, Ian Trump.

Helme traced the source of the infection to an accessibility plugin, called Browsealoud, created by a UK company called Texthelp.

The web screen reader software was being used on scores of UK government websites — but also further afield, including on government websites in the US and Australia.

So when an attacker introduced a crypto mining script into Browsealoud's JavaScript library, some 4,000 websites — a large number of them taxpayer-funded and/or subsidized — were co-opted into illegal crypto mining… Uh, oopsie…