Then that heuristic is your evidence in court. If it's a good heuristic, you win the case. If it's a bad heuristic, you lose the case.

"Your Honor, we banned this person's website because his web page contained the word 'bitcoin' more than 5 times" will not hold up.

"Your Honor, we banned this person's website because it contains a bitcoin miner script. See, here is the script, and it matches the hash value found in these other attacks" hopefully holds up.

reply
> Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.

Giving everyone a fair trial just doesn't scale. It costs too much.

reply