I wonder if there is second category of attack which is less direct. When you browse a website the client side javascript dedicates a large portion of your computational cycles to tasks such as breaking passwords? The implementation would be not dissimilar to the javascript bitcoing miner.