
What is Cryptojacking?

Cryptojacking is a cyberattack in which an attacker secretly uses a victim's computing resources to mine cryptocurrency without their knowledge or consent, degrading system performance and increasing energy costs.

WPSentry Team, March 9, 2026, 5 min read

What is Cryptojacking?

Cryptojacking is the unauthorized use of a victim's computing resources to mine cryptocurrency for the attacker's financial benefit. Unlike ransomware, which demands payment directly, cryptojacking operates covertly, silently hijacking CPU and GPU processing power to solve the complex mathematical puzzles required by proof-of-work cryptocurrency networks. The mined coins are deposited directly into the attacker's cryptocurrency wallet, while the victim bears the cost of electricity, hardware wear, and degraded system performance without receiving any benefit or even being aware of the activity.

The rise of cryptojacking paralleled the cryptocurrency boom of 2017-2018, when the soaring value of coins like Monero made even small-scale mining profitable. Monero is the cryptocurrency of choice for most cryptojacking operations because its mining algorithm (RandomX) is specifically designed to run efficiently on standard CPUs rather than requiring specialized mining hardware, and its built-in privacy features make transactions untraceable. While cryptocurrency prices have fluctuated since then, cryptojacking remains a persistent threat because it requires minimal effort from attackers and provides a steady stream of passive income.

How Cryptojacking Works

Malware-based cryptojacking involves installing cryptocurrency mining software directly on the victim's device. The malware is typically delivered through phishing emails, malicious downloads, compromised software packages, or exploitation of unpatched vulnerabilities. Once installed, the mining software runs as a background process, often configured to limit CPU usage to avoid detection by staying below thresholds that would cause noticeable performance degradation. The malware persists across reboots using various persistence mechanisms and communicates with mining pools to receive work assignments and submit completed hashes.

Browser-based cryptojacking uses JavaScript code embedded in websites to mine cryptocurrency using the visitor's browser. When a user visits a compromised or malicious website, the mining script runs automatically and continues as long as the browser tab remains open. This approach requires no malware installation and leaves no traces on the victim's system after the browser tab is closed. While the original Coinhive service that popularized browser mining has shut down, numerous alternatives continue to operate. Attackers inject mining scripts into legitimate websites by exploiting vulnerabilities in content management systems, third-party advertising scripts, or CDN services.

Cryptojacking Targets

Cloud infrastructure and servers are prime cryptojacking targets because they offer vastly more computing power than individual devices. Attackers compromise cloud instances by exploiting misconfigured security groups, stealing API keys from code repositories, or exploiting vulnerabilities in web applications. A single compromised cloud account can spin up dozens of high-powered instances dedicated to mining, generating substantial cryptocurrency while the victim receives an enormous and unexpected cloud computing bill. Major cloud providers have reported that cryptojacking is one of the most common outcomes of cloud account compromises.

IoT devices, containers, and Kubernetes clusters are increasingly targeted by cryptojacking campaigns. Docker hosts with an exposed daemon API, misconfigured Kubernetes dashboards, and IoT devices with default credentials all provide easy entry points. Self-propagating cryptojacking campaigns such as Kinsing and TeamTNT actively scan the internet for these vulnerable targets, automatically compromising them and enlisting them into mining operations. WordPress sites are also targeted through plugin vulnerabilities, with attackers injecting mining scripts into the site's pages to harness the computing power of every visitor's browser.

Detecting Cryptojacking

The most visible symptom of cryptojacking is unexplained performance degradation. Devices may run significantly slower than normal, fans may spin at maximum speed constantly, and battery life on laptops and mobile devices may decrease dramatically. Server-based cryptojacking manifests as unexpectedly high CPU utilization that persists even during periods of low legitimate traffic. Cloud environments may show unusual spikes in computing resource consumption and associated costs.

Network monitoring can detect cryptojacking by identifying connections to known mining pool addresses and the characteristic traffic patterns of mining protocols such as Stratum. Endpoint detection tools can identify known cryptomining binaries and suspicious process behavior such as a web server process consuming excessive CPU. For browser-based cryptojacking, monitoring browser performance and using developer tools to inspect running scripts can reveal mining activity. Organizations should establish baseline resource utilization metrics so that anomalies caused by cryptojacking can be quickly identified and investigated.
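The two detection signals described above (Stratum traffic to mining pools, and a process running far above its CPU baseline) as an added worked example; this is illustrative code written for this article, not a WPSentry tool. The pool host, the CPU baselines and the telemetry records are constructed, and the connection records are assumed to carry the first bytes of the TCP payload as captured by a sensor.

```python
import json
# Stratum JSON-RPC methods: Stratum v1 ("mining.*") and the Monero-style
# "login"/"submit"/"getjob" variant used by CPU miners.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "getjob"}
# Constructed reference data: a deny-list of pool hosts (placeholder name) and
# per-process CPU baselines (percent) measured during normal traffic.
KNOWN_POOL_HOSTS = {"pool.example-miner.invalid"}
CPU_BASELINE = {"nginx": 8.0, "php-fpm": 15.0}

def is_stratum_payload(payload: str) -> bool:
    """True if a captured TCP payload looks like a Stratum JSON-RPC message."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS

def suspicious_connections(conn_records):
    """Flag connections to known pools or ones carrying a Stratum handshake."""
    hits = []
    for rec in conn_records:
        reasons = []
        if rec["dst_host"] in KNOWN_POOL_HOSTS:
            reasons.append("known mining pool")
        if is_stratum_payload(rec.get("payload", "")):
            reasons.append("stratum handshake")
        if reasons:
            hits.append((rec["pid"], rec["dst_host"], reasons))
    return hits

def cpu_anomalies(proc_samples, factor=3.0, unknown_limit=50.0):
    """Flag processes far above their baseline, or unknown ones burning CPU."""
    out = []
    for p in proc_samples:
        base = CPU_BASELINE.get(p["name"])
        limit = unknown_limit if base is None else base * factor
        if p["cpu"] > limit:
            out.append((p["name"], p["cpu"]))
    return out

# Constructed sample telemetry: a web-server worker (pid 4888) logging in to a
# pool over Stratum and spiking far above its baseline.
SAMPLE_CONNS = [
    {"pid": 4120, "dst_host": "cdn.example.com", "payload": ""},
    {"pid": 4888, "dst_host": "203.0.113.10",
     "payload": '{"id":1,"method":"login","params":{"login":"WALLET","pass":"x"}}'},
    {"pid": 4888, "dst_host": "pool.example-miner.invalid", "payload": ""},
]
SAMPLE_PROCS = [{"name": "nginx", "cpu": 6.0}, {"name": "php-fpm", "cpu": 92.0},
                {"name": "kworker", "cpu": 1.5}]
```

Correlating the two results on the process id (4888 here) is what turns a CPU spike into a confident cryptojacking finding rather than a capacity issue.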

Preventing Cryptojacking

Preventing malware-based cryptojacking follows the same principles as defending against any malware: keep all software patched, deploy endpoint protection solutions, enforce least privilege access controls, and provide security awareness training to help users avoid phishing and malicious downloads. For cloud environments, implementing strong identity and access management, securing API keys, monitoring for unauthorized instance creation, and setting up billing alerts are essential measures to detect and prevent cloud-based cryptojacking.

Browser-based cryptojacking can be mitigated by deploying ad blockers and script-blocking browser extensions that prevent unauthorized mining scripts from executing. Content Security Policy (CSP) headers restrict which scripts can run on web pages, preventing injected mining code from executing even if an attacker manages to compromise the site. For WordPress administrators, keeping core, plugins, and themes updated, implementing file integrity monitoring, and regularly scanning for unauthorized code changes help prevent attackers from injecting mining scripts. Network-level controls that block connections to known mining pools provide an additional layer of defense across all devices on the network.
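The file integrity monitoring and unauthorized-code scanning recommended for WordPress administrators above, as an added worked example written for this article (not a WPSentry product or plugin). The theme files, the tampered copy, the allow-listed CDN host and the injection heuristics are all constructed; a real deployment would walk the site directory and persist the baseline off-host.

```python
import hashlib
import re

# Signs of script injection into a WordPress theme or page: a <script> loading
# from an external host, or an eval() of decoded content. Constructed
# heuristics for this example; tune them to your own site.
EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src=["\'](?:https?:)?//([^/"\']+)', re.I)
DECODED_EVAL = re.compile(r'eval\s*\(\s*(?:base64_decode|atob)\s*\(', re.I)

def build_baseline(files: dict) -> dict:
    """Record SHA-256 of every file (path -> hex digest) on a known-clean site."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}

def check_integrity(files: dict, baseline: dict, allowed_hosts: set) -> list:
    """Diff the current tree against the baseline and scan every file.
    Returns (path, finding) tuples for new/modified/deleted files and for
    external script hosts not on the allow-list or obfuscated eval calls."""
    findings = []
    for path, content in files.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if path not in baseline:
            findings.append((path, "new file"))
        elif digest != baseline[path]:
            findings.append((path, "modified"))
        for host in EXTERNAL_SCRIPT.findall(content):
            if host.lower() not in allowed_hosts:
                findings.append((path, f"external script from {host}"))
        if DECODED_EVAL.search(content):
            findings.append((path, "obfuscated eval"))
    for path in sorted(baseline.keys() - files.keys()):
        findings.append((path, "deleted"))
    return findings

# Constructed clean theme files and a tampered copy with an injected loader
# script plus a dropped PHP file in the uploads directory.
CLEAN_SITE = {
    "wp-content/themes/demo/header.php": "<?php wp_head(); ?>\n",
    "wp-content/themes/demo/footer.php":
        '<script src="https://cdn.example.com/app.js"></script>\n<?php wp_footer(); ?>\n',
}
TAMPERED_SITE = dict(CLEAN_SITE)
TAMPERED_SITE["wp-content/themes/demo/footer.php"] += (
    '<script src="//miner-loader.invalid/m.js"></script>\n')
TAMPERED_SITE["wp-content/uploads/.cache.php"] = '<?php eval(base64_decode("PLACEHOLDER")); ?>'
ALLOWED_HOSTS = {"cdn.example.com"}
```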

Frequently Asked Questions

Watch for persistent high CPU usage even when idle, overheating, loud fan noise, sluggish performance, and reduced battery life on laptops. Use Task Manager or Activity Monitor to check for unknown processes consuming excessive CPU resources. Browser-based cryptojacking stops when you close the affected tab.

While cryptojacking does not directly damage hardware, the sustained high CPU and GPU usage generates excessive heat that can reduce component lifespan, especially in devices with inadequate cooling. It also significantly increases electricity costs and degrades system performance for legitimate workloads.

Yes. Attackers can compromise WordPress sites through plugin vulnerabilities or stolen credentials and inject JavaScript mining scripts into your pages. Every visitor to your site would then unknowingly mine cryptocurrency for the attacker. Regular security scanning and file integrity monitoring help detect these injections.
