What Is Cryptojacking?

January 14, 2025

Cryptojacking is a cyber threat that revolves around unauthorized cryptocurrency mining at the expense of unsuspecting individuals or organizations. Cryptojacking activities may remain undetected for prolonged periods, giving attackers continued access to hardware without incurring costs.

What is cryptojacking?

What Is the Meaning of Cryptojacking?

Cryptojacking refers to the unauthorized use of computational resources to mine digital currencies like Monero, Ethereum, or other privacy-focused coins. Attackers incorporate malicious scripts or malware into websites, applications, or files, hijacking victimsโ€™ CPU or GPU power to solve cryptographic puzzles and earn digital coins. Performance degradation, elevated energy usage, and system overheating are frequent outcomes.

Cryptojacking is an attractive tactic for cybercriminals because conventional cryptocurrency mining demands substantial infrastructure expenses, from specialized hardware (ASICs or GPUs) to power usage. By leveraging unsuspecting hosts, cryptojackers sidestep these costs entirely, offloading both equipment and utility bills onto the victim.

Is Cryptojacking Illegal?

Cryptojacking is illegal in most jurisdictions because it relies on non-consensual exploitation of computing resources. Legislators compare cryptojacking to malware deployment, unauthorized system access, or computer fraud. Cybercriminals who participate in cryptojacking are subject to prosecution under statutes covering unlawful access, unauthorized modification of data, and theft of computational services. Penalties vary according to regional regulations, but offenders often face significant fines, asset seizure, or imprisonment.

Law enforcement agencies track cryptojacking campaigns through collaborative efforts with cybersecurity vendors. Technical evidenceโ€”such as digital signatures of cryptomining malware, domain registrations for mining pools, or data from compromised infrastructuresโ€”helps authorities pinpoint the individuals or groups orchestrating large-scale attacks.

The global nature of cryptocurrency makes enforcement and attribution challenging, yet international cybercrime task forces continue to refine their approaches to address cryptojacking incidents.

How Does Cryptojacking Work?

Here are the popular methods cybercriminals use to initiate cryptojacking:

  • Malware infections. Attackers often bundle cryptomining payloads with Trojan droppers, malicious executables, or counterfeit software updates. Victims unwittingly launch these packages, triggering background cryptomining. Certain strains persist by modifying system registries, injecting startup scripts, or disabling security processes to ensure uninterrupted mining.
  • Browser-based scripts. Web browser-based cryptojacking relies on malicious JavaScript snippets embedded on compromised websites or through malicious advertising (malvertising). The code immediately starts mining once the userโ€™s browser loads the webpage, consuming CPU resources until the user navigates away or closes the tab. Persistent variants may spawn pop-under windows that continue operating even after the primary tab is closed.
  • Drive-by downloads. Drive-by downloads involve forcing unplanned downloads when users visit infected websites or click on deceptive pop-ups. Attackers exploit outdated browser plugins, unpatched content management systems, or unsecured browser settings to initiate file downloads containing cryptomining modules.
  • Exploits and vulnerabilities. Exploits target system or network flaws, such as weak SMB (server message block) configurations or unpatched operating systems. Attackers leverage known vulnerabilities like EternalBlue or BlueKeep to execute cryptomining code remotely and propagate automatically across corporate networks or data centers.
  • Phishing and email campaigns. Phishing attacks distribute cryptojacking malware by persuading individuals to click malicious links or open infected attachments. Attackers frequently impersonate reputable brands or trusted parties, tricking recipients into inadvertently triggering the cryptomining payload.

Types of Cryptojacking

There are several methods of cryptojacking, each leveraging different methods for distribution, persistence, and resource consumption.

File-Based Cryptojacking

This method relies on deploying traditional malware files onto a victimโ€™s system. Here are the characteristics of file-based cryptojacking:

  • Malicious executables. Attackers wrap cryptomining components in deceptive installers or Trojanized software updates.
  • Persistence mechanisms. The malware may configure scheduled tasks, modify registry entries, or tamper with startup scripts to relaunch automatically.
  • Obfuscation techniques. Techniques such as code packing or encryption hide the mining functions, preventing quick detection by antivirus engines.
  • Resource management features. Some malware adjusts mining intensity in real time to avoid generating alerts or noticeable performance slowdown.

Browser-Based Cryptojacking

Browser-based cryptojacking primarily leverages web scripting technologies to harness computing power. Here is how this method differs from file-based methods:

  • No direct installation. Attackers do not need to install files on the victimโ€™s machine. JavaScript runs immediately when a user visits an infected page.
  • On-the-fly execution. The mining process stops once the tab or window closes unless specialized pop-under or persistent scripts keep running.
  • User interaction requirements. Generally requires the victim to access a compromised site or ad.
  • Challenging attribution. The malicious scripts often come from third-party ad networks or hidden iFrames, complicating the investigation into the true source.

Cloud Cryptojacking

Cloud cryptojacking targets virtualized environments and exploits modern deployment practices. Here is an overview:

  • Access through stolen credentials. Attackers log in to cloud platforms using leaked or weak credentials, creating large instances optimized for cryptomining.
  • Misconfigurations and over-privileged accounts. Poorly governed identity and access management allow attackers to escalate privileges and spawn unlimited containers or virtual machines.
  • High financial impact. The victim organization foots the bill for inflated infrastructure usage.
  • Advanced persistence. Some attackers integrate container-level modifications, script injections in Docker images, or cryptominers hidden in ephemeral workloads that are difficult to detect.

IoT Cryptojacking

IoT cryptojacking capitalizes on the typically minimal security posture and limited resources of connected devices:

  • Lightweight malware. Attackers develop mining scripts optimized for low-power chips found in IoT environments.
  • Botnet potential. Large swarms of infected IoT devices collectively generate mining income at scale.
  • Limited security controls. Legacy protocols, infrequent firmware updates, and default credentials leave IoT devices exposed.
  • Long-term deployment. IoT cryptominers often remain running until device failure or a significant firmware update, as owners rarely monitor resource usage.

Examples of Cryptojacking Attacks

Below is a list of real-life cryptojacking incidents that illustrate how attackers infiltrate systems, manipulate configurations, and leverage resources.

Teslaโ€™s Public Cloud Cryptojacking

In 2018, security researchers discovered that attackers had compromised Teslaโ€™s Amazon Web Services (AWS) environment. The attackers infiltrated an unsecured administrative console and installed cryptomining software on misconfigured Kubernetes instances. Stealth measures included concealing the mining pool address behind Cloudflare services, making it more difficult to detect. Teslaโ€™s engineers eventually noticed unusual resource usage, leading to an internal investigation that revealed the cryptojacking incident.

The Pirate Bay Browser-Based Miner

The Pirate Bay, a torrent index site, was found running a Coinhive script that harnessed user CPU power for cryptomining. Site operators initially implemented the script without notifying visitors, prompting pushback from the user community over the unannounced resource use. The incident garnered widespread media attention, sparking debates on whether running cryptomining scripts could serve as an alternative to traditional online advertising models.

YouTube Ads Serving Cryptojacking Code

In early 2018, malicious advertisements displayed on YouTube carried hidden JavaScript miners. Attackers purchased ad space and obfuscated cryptomining payloads within seemingly innocuous advertisements. Viewers who encountered these ads experienced a spike in CPU usage, indicating that cryptomining code was executed within their browsers. Googleโ€™s security teams ultimately blocked the offending ads and removed associated advertiser accounts.

Browser-Based Cryptojacking in Starbucks Wi-Fi

In 2017, customers in a Starbucks location complained of sudden CPU spikes while connected to the coffee shopโ€™s free Wi-Fi. Investigation showed that a malicious script was inserted into the networkโ€™s authentication portal, causing visitorsโ€™ devices to mine cryptocurrency in the background. The internet service provider running the Starbucks hotspot eventually removed the script after security experts publicized the issue.

How Do You Detect Cryptojacking?

Here are the methods to spot cryptojacking indicators:

  • System performance analysis. Extended periods of high CPU or GPU usage during off-peak hours are potential clues that cryptomining is taking place. Automated monitoring tools, including real-time performance dashboards, can isolate anomalies that deviate from established norms.
  • Network traffic monitoring. Cryptojacking relies on outbound connections to mining pools or attacker-managed servers. You can use network flow logs, intrusion prevention systems, and threat intelligence filters to detect suspicious connections. Unusual spikes in DNS queries to unknown domains or mining pools are strong indicators of cryptojacking activity.
  • Security tool scanning. Endpoint protection solutions often include dedicated signatures or heuristics tailored to cryptomining malware. Regular antivirus scans, host-based intrusion detection systems (HIDS), and endpoint detection and response (EDR) platforms help identify suspicious processes. Frequent updates to these tools are necessary to capture emerging cryptojacking variants.
  • Browser inspection. When cryptojacking is browser-based, checking open tabs or developer consoles provides evidence of malicious scripts. Unauthorized scripts embedded in website source code, unusually high CPU usage tied to a specific tab, or browser extensions with questionable permissions are common indicators of a cryptojacking script.
  • Log and event correlation. Centralized log management solutions, such as SIEM platforms, correlate events from multiple sources (operating systems, network appliances, and security tools). Analysts who apply correlation rules that focus on anomalous process launches, newly created user accounts, or repeated failed login attempts can uncover cryptojacking attempts.

How to Prevent Cryptojacking?

Preventing cryptojacking demands a blend of software updates, configuration management, and user education. Below is an introduction to essential measures that strengthen defenses against cryptomining attacks.

1. Implement Software and Firmware Updates

Security patches and firmware upgrades counteract vulnerabilities that cryptojackers exploit. Automated patch management ensures all environmentsโ€”on-premises, cloud, or mobileโ€”remain current. Outdated systems lack protection against publicly disclosed exploits used for cryptojacking deployment.

2. Use Browser Extensions or Script Blockers

Script-blocking extensions, privacy-focused add-ons, and built-in browser features (like disabling JavaScript for untrusted sites) significantly reduce exposure. Ad-blockers configured to block known cryptomining URLs further mitigate potential attacks that rely on malicious ad scripts.

3. Strengthen Email and Web Filters

Advanced email filtering, sandboxing attachments, and real-time URL scanning block phishing emails or links to compromised websites. Organizations often adopt DNS filtering solutions that intercept attempts to resolve malicious domains, preventing cryptojacking sites from being loaded.

4. Enhance Endpoint Protection

Next-generation antivirus and EDR solutions offer behavioral analysis and memory scanning for cryptomining patterns. Some products throttle or terminate processes that show traits consistent with cryptominers, such as continuous high CPU usage unrelated to known legitimate operations.

5. Secure Cloud Environments

Securing cloud platforms involves strong identity and access management (IAM), network segmentation, container security, and workload scanning. System administrators should integrate resource usage alerts that notify teams of abnormal spikes in CPU usage. Logging and monitoring at scale can thwart cryptojacking in Kubernetes or Docker ecosystems.

6. Educate Personnel

Phishing, social engineering, and malicious attachments remain the primary delivery mechanisms for cryptojacking malware. Regular cybersecurity training highlights tactics used by adversaries, instructing employees to examine email sources and avoid clicking suspicious links or enabling macros in unknown files.

How to Remove Cryptojacking?

Here is how to neutralize cryptojacking infections:

Identify the Source of Infection

Use system scans, network logs, and performance metrics to track down cryptomining processes. Investigations may reveal malicious executables, scripts, or suspicious user accounts created by attackers. Identifying patient-zero devices helps you understand the initial attack vector and contain further spread.

Terminate Malicious Processes

Terminating active mining sessions is crucial to minimizing ongoing damage. Isolate infected machines from the network, killing cryptojacking processes using operating system commands, security software consoles, or manual service terminations. Immediate containment helps block attackers from controlling the compromised endpoints.

Remove Malicious Files or Scripts

File-based cryptojacking often deposits executables or dynamic libraries in hidden directories. Locate these using forensic tools, hash-based searches, or antivirus scans. Once identified, delete or quarantine the malicious objects. Browser-based cryptojacking may require uninstalling extensions, clearing caches, or removing injected code from site templates.

Rebuild or Restore Compromised Systems

Reimaging affected devices ensures a thorough cleansing of any persistent cryptojacking components. Critical servers typically rely on up-to-date backups to restore operations swiftly. Confirm the integrity of backup images or snapshots prior to re-deploying them in production environments.

Strengthen Security Controls

Cryptojacking incidents highlight areas of inadequate security posture. Refine your patching cadence, harden configurations, and restrict administrative privileges. To prevent cryptojackers from re-establishing a foothold, regularly review your firewall rules, network segmentation policies, and intrusion prevention settings.

Continuous Monitoring and Testing

Routine vulnerability assessments, penetration testing, and centralized log reviews are vital for anticipating new cryptojacking tactics. Employ real-time threat intelligence and anomaly detection systems that flag suspicious patterns. Ongoing audits ensure that previous loopholes remain patched, significantly reducing cryptojacking risks over the long term.

Nikola
Kostic
Nikola is a seasoned writer with a passion for all things high-tech. After earning a degree in journalism and political science, he worked in the telecommunication and online banking industries. Currently writing for phoenixNAP, he specializes in breaking down complex issues about the digital economy, E-commerce, and information technology.