As he notes, this is already happening; among other things, there's cryptocurrency malware that hijacks your browser to do mining.
So that's what Dorsey did — very successfully. Within about three hours, his code (experimental, not malicious, apart from surreptitiously chewing up processing resources) was running on 117,852 web browsers, on 30,234 unique IP addresses. Adtech, it turns out, is a superb vector for injecting malware around the planet.
Some other fun details: Dorsey found that when people loaded his ad, they left the tab open an average of 15 minutes. That gave him huge amounts of compute time — 327 full days, in fact, for about $15 in ad purchase. To see what such a botnet could do, he created one to run a denial-of-service attack (against his own site, just to see if it worked: It did pretty well). He got another to mine the cryptocurrency Monero, at rates that will be profitable if Monero goes much higher.
The most interesting experiment was in writing an adtech botnet to store and serve BitTorrent files, via WebTorrent. That worked pretty well too: He got 180,175 browsers to run his torrent file in 24 hours, with a 702 Mbps upload speed for the entire network.
All told, this is yet another reason to run an adblocker:
The techniques that I've demonstrated in this post are less of an exploit and more a feature of how the web inherently works. As a result, the steps that can be taken to defend yourself against the type of abuse I'm proposing are somewhat limited. My first suggestion is please, please, please BLOCK ADS. If you've somehow made it all the way to 2018 without using an ad blocker, 1) wtf… and 2) start today. In all seriousness, I don't mean to be patronizing. An ad blocker is a necessary tool to preserve your privacy and security on the web and there is no shame in using one. Advertising networks have overstepped their bounds and it's time to show them that we won't stand for it.
Blocking ads defends you from the distribution mechanism that we discussed in this post, but you are still vulnerable to code that is hosted by CPU-greedy websites themselves, like The Pirate Bay. The best suggestion that I have for defending against these threats at the moment is to diligently monitor your computer's CPU usage as you browse, responding to CPU spikes and irregularities as you deem fit. It's a good habit to get into to have your system monitor open during regular computer operation so that you can observe CPU and network usage of your machine at an application level.
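One way to do the application-level CPU monitoring recommended above, as an added example (not code from the post or from Dorsey): it flags processes whose CPU use stays high across consecutive samples, which is what in-browser mining looks like, rather than reacting to a single spike. The 80% threshold, 5-second interval, process names and sample values are constructed assumptions, and the live reader assumes Linux `/proc`.

```python
import os, time

def read_cpu_seconds():
    """Linux only: return {(pid, name): cumulative CPU seconds} from /proc."""
    ticks = os.sysconf("SC_CLK_TCK")
    out = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited between listdir and open
        # comm is parenthesised and may itself contain spaces or ')'
        name = stat[stat.index("(") + 1 : stat.rindex(")")]
        fields = stat[stat.rindex(")") + 2 :].split()
        out[(int(pid), name)] = (int(fields[11]) + int(fields[12])) / ticks  # utime + stime
    return out

def sustained_hogs(samples, interval, threshold=80.0, runs=3):
    """samples: list of {(pid, name): cpu_seconds} taken `interval` seconds apart.
    Return {(pid, name): peak %} for processes at or above `threshold` percent
    of one core for `runs` consecutive intervals."""
    streak, flagged = {}, {}
    for prev, cur in zip(samples, samples[1:]):
        for key, secs in cur.items():
            if key not in prev:
                continue  # new process: no delta yet
            pct = 100.0 * (secs - prev[key]) / interval
            if pct >= threshold:
                streak[key] = streak.get(key, []) + [pct]
                if len(streak[key]) >= runs:
                    flagged[key] = max(streak[key])
            else:
                streak.pop(key, None)  # a single spike resets the count
    return flagged

# Constructed samples, 5 s apart: a browser tab pinned near one full core,
# a compiler that spikes once, and an idle daemon.
SAMPLES = [
    {(4242, "Web Content"): 10.0, (900, "cc1"): 1.0, (77, "sshd"): 0.5},
    {(4242, "Web Content"): 14.8, (900, "cc1"): 5.9, (77, "sshd"): 0.5},
    {(4242, "Web Content"): 19.6, (900, "cc1"): 6.0, (77, "sshd"): 0.5},
    {(4242, "Web Content"): 24.5, (900, "cc1"): 6.1, (77, "sshd"): 0.6},
]

if __name__ == "__main__":
    print(sustained_hogs(SAMPLES, interval=5))
    if os.path.exists("/proc/self/stat"):
        live = [read_cpu_seconds()]
        for _ in range(3):
            time.sleep(5)
            live.append(read_cpu_seconds())
        print(sustained_hogs(live, interval=5))
```

Browsers run tabs in separate processes, so a flagged content process can usually be matched to a specific tab in the browser's own task manager.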