What Is Cryptojacking? Hidden Cryptocurrency Mining Threats
Understand how cryptojacking secretly uses victims' devices to mine cryptocurrency — detection methods, real-world attacks, and how to protect your systems.
The Silent Theft of Computing Power
Cryptojacking is a form of cybercrime in which attackers secretly use victims' computing resources to mine cryptocurrency without their knowledge or consent. Unlike ransomware, which announces its presence immediately, cryptojacking operates silently in the background; the only symptoms may be a slower device, higher electricity bills, and shortened hardware life. Vendor threat reports recorded a sharp rise in cryptojacking detections in 2023, and a miner remains one of the most common payloads dropped after an initial compromise because it monetises any foothold immediately.
The economics are straightforward: cryptocurrency mining requires significant computational power and electricity. By distributing the workload across thousands of compromised devices, attackers avoid infrastructure costs while generating passive income from mined coins.
How Cryptojacking Works
Infection Methods
- Malicious scripts in websites — JavaScript miners embedded in compromised or malicious web pages run in visitors' browsers (browser-based mining)
- Malware installation — Trojanized software, phishing emails, or exploit kits install persistent mining software on endpoints
- Cloud infrastructure compromise — Attackers gain access to cloud accounts (AWS, Azure, GCP) and spin up mining instances using the victim's billing
- Supply chain attacks — Mining code injected into legitimate software packages or Docker images
- Insider threats — Employees using corporate infrastructure for personal mining operations
Mining Process
Once running, the miner connects to a mining pool over the Stratum protocol. The coin is usually Monero: its RandomX proof-of-work is designed for general-purpose CPUs, so ordinary laptops, servers and cloud VMs are profitable targets, and its privacy features make the payouts hard to trace. The pool hands out jobs with a share difficulty, the miner hashes candidate nonces against the job, and every hash that falls under the pool's target is submitted back as a share credited to the attacker's wallet. The pool pays out in proportion to shares, so thousands of hijacked hosts each contributing a few shares add up to a steady income.
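The pool exchange described above, as an added example that is not code from the original page or from any real miner. It follows the Monero/XMRig Stratum dialect (login, job with a 4-byte little-endian target, submit) and Monero's nonce offset of 39 in the hashing blob, but the field names are reproduced from memory and the wallet, pool and blob are constructed placeholders. One deliberate substitution: RandomX is replaced by SHA-256 as a stand-in hash so the loop finishes in milliseconds; the target/difficulty arithmetic is the real one.

```python
"""Simulated pool-miner exchange in the Monero/XMRig Stratum dialect (constructed example)."""
import hashlib
import json

MAX_TARGET_32 = 0xFFFFFFFF
MAX_HASH = (1 << 256) - 1
NONCE_OFFSET = 39  # Monero hashing blob: 2 version bytes, timestamp varint, 32-byte prev hash, then the nonce


def difficulty_to_target(difficulty: int) -> str:
    """Pool side: encode the share difficulty as the 4-byte little-endian hex target carried in a job."""
    return (MAX_TARGET_32 // difficulty).to_bytes(4, "little").hex()


def target_to_difficulty(target_hex: str) -> int:
    """Miner side: recover the share difficulty the pool is asking for."""
    raw = bytes.fromhex(target_hex)
    if len(raw) != 4:
        raise ValueError("only the 32-bit target form is handled here")
    return MAX_TARGET_32 // int.from_bytes(raw, "little")


def meets_target(hash_bytes: bytes, difficulty: int) -> bool:
    """Monero reads the hash as a little-endian 256-bit integer and requires it to be below (2^256 - 1) / difficulty."""
    return int.from_bytes(hash_bytes, "little") < MAX_HASH // difficulty


def stand_in_pow(blob: bytes) -> bytes:
    # Assumption / stand-in: a real miner runs RandomX here. SHA-256 keeps the demo fast.
    return hashlib.sha256(blob).digest()


def build_login(wallet: str, agent: str = "XMRig/6.21.0") -> str:
    """First message a miner sends. The 'login' field is the wallet the rewards go to."""
    return json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": "x", "agent": agent, "algo": ["rx/0"]}})


def pool_login_response(difficulty: int, job_id: str, blob_hex: str) -> str:
    """Constructed pool reply: a session id plus the first job and its target."""
    return json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                       "result": {"id": "sess-1", "status": "OK",
                                  "job": {"job_id": job_id, "blob": blob_hex, "algo": "rx/0",
                                          "target": difficulty_to_target(difficulty), "height": 3000000}}})


def mine_share(job: dict, max_nonces: int = 1_000_000):
    """Miner loop: write the nonce into the blob, hash it, stop at the first hash under the target."""
    blob = bytearray(bytes.fromhex(job["blob"]))
    difficulty = target_to_difficulty(job["target"])
    for nonce in range(max_nonces):
        blob[NONCE_OFFSET:NONCE_OFFSET + 4] = nonce.to_bytes(4, "little")
        digest = stand_in_pow(bytes(blob))
        if meets_target(digest, difficulty):
            return {"nonce": nonce.to_bytes(4, "little").hex(), "result": digest.hex()}
    return None


def build_submit(session_id: str, job_id: str, share: dict) -> str:
    """'submit' is the message a pool receives thousands of times a day from a hijacked fleet."""
    return json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                       "params": {"id": session_id, "job_id": job_id,
                                  "nonce": share["nonce"], "result": share["result"]}})


def run_exchange(difficulty: int = 2000) -> dict:
    """Drive one login -> job -> mine -> submit round trip and return what each side saw."""
    blob_hex = "0e0e" + "00" * 37 + "00000000" + "11" * 33  # constructed 76-byte hashing blob, nonce zeroed
    login = json.loads(build_login("4PLACEHOLDER_WALLET_ADDRESS"))  # placeholder, not a real address
    reply = json.loads(pool_login_response(difficulty, "job-1", blob_hex))
    job = reply["result"]["job"]
    share = mine_share(job)
    submit = json.loads(build_submit(reply["result"]["id"], job["job_id"], share))
    return {"login_method": login["method"], "difficulty": target_to_difficulty(job["target"]),
            "share": share, "submit_method": submit["method"]}


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

The encoding round trip is worth knowing for triage: a job target of `b88d0600` decodes to difficulty 10000, which is the kind of low share difficulty pools assign to CPU miners, and the `login`/`submit` method names are what a packet capture of plaintext Stratum will show.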
Types of Cryptojacking
| Type | Mechanism | Persistence | Detection Difficulty |
|---|---|---|---|
| Browser-based | JavaScript runs while page is open | Non-persistent (stops when tab closes) | Moderate — CPU spike visible |
| File-based malware | Executable installed on system | Persistent — survives reboot | Hard — disguised as legitimate process |
| Cloud-based | VMs spun up in compromised accounts | Persistent until discovered | Hard — buried in cloud billing |
| IoT-based | Mining on routers, cameras, NAS devices | Persistent — rarely monitored | Very hard — minimal monitoring |
Notable Cryptojacking Campaigns
| Campaign | Year | Method | Impact |
|---|---|---|---|
| Coinhive | 2017–2019 | Browser-based JavaScript miner | Embedded on thousands of sites; shut down 2019 |
| WannaMine | 2017–2018 | EternalBlue exploit + credential theft, fileless persistence via WMI and PowerShell | Spread rapidly across enterprise networks |
| Tesla cloud hack | 2018 | Unsecured Kubernetes dashboard | Attackers mined using Tesla's AWS account |
| Docker Hub images | 2020 | Malicious container images bundling a Monero miner | Pulled more than two million times before removal |
| Log4Shell mining | 2021–2022 | Log4j vulnerability exploitation | Massive campaign across vulnerable Java apps |
Detection Methods
- CPU monitoring — Sustained high CPU use (80–100%) on an otherwise idle host is the classic symptom, but many miners throttle themselves (a capped thread count, a steady 20–50% load) to stay under alert thresholds, so a flat, non-idle load on an idle machine deserves the same attention as saturation
- Network analysis — Stratum protocol traffic (JSON-RPC messages such as `login`/`submit` in the Monero dialect or `mining.subscribe`/`mining.authorize`/`mining.submit` in the Bitcoin-style dialect) and connections to known mining pool domains; ports 3333, 4444, 5555, 7777 and 14444 are common for plaintext Stratum, but miners increasingly use TLS on 443 or a relay proxy, so port-based rules alone miss them
- Endpoint detection and response (EDR) — Behavioural analysis flags miner binaries (XMRig and its forks) by hash and by behaviour, for example a process masquerading under a kernel-thread name such as `kworker` while running from `/tmp`, or a command line carrying pool URLs and wallet addresses
- Browser extensions — Tools like No Coin or minerBlock detect and block JavaScript miners
- Cloud billing alerts — Unusual compute cost spikes may indicate compromised instances
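The host-side indicators in the list above (CPU pattern, miner-style command lines, Stratum payloads, pool ports) combined into one triage pass. This is an added example, not tooling from the original page: the process list, CPU samples and captured TCP payloads are constructed, the host names and pool addresses are placeholders, and the scoring weights are an assumption to tune against your own telemetry. It goes beyond the list in one way: the CPU check also catches the throttled, flat-load case rather than only saturation.

```python
"""Host-level cryptojacking triage over constructed telemetry (added example, not the page's own code)."""
import json
import statistics

STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}   # common plaintext Stratum ports: weak indicator on their own
MONERO_METHODS = {"login", "getjob", "submit", "keepalived"}
MINER_FLAGS = ("--donate-level", "stratum+tcp://", "stratum+ssl://", "--algo", "-a rx/0", "--rig-id")


def classify_payload(payload: bytes):
    """Return 'stratum-monero', 'stratum-bitcoin' or None for the first bytes of a TCP payload."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").strip().splitlines()[0])
    except (ValueError, IndexError):
        return None                      # binary (e.g. TLS) or not JSON-RPC
    if not isinstance(msg, dict):
        return None
    method = msg.get("method", "")
    if isinstance(method, str) and method.startswith("mining."):
        return "stratum-bitcoin"
    params = msg.get("params")
    if method in MONERO_METHODS and isinstance(params, dict) and (params.keys() & {"login", "agent", "job_id"}):
        return "stratum-monero"
    return None


def cpu_indicator(samples, idle: bool):
    """samples: per-minute CPU% readings taken while the host had no legitimate workload.
    Flags saturation, and also a flat non-trivial load: real idle load fluctuates near zero,
    a throttled miner sits at a steady 20-50%."""
    if not idle or len(samples) < 5:
        return None
    mean, spread = statistics.fmean(samples), statistics.pstdev(samples)
    if mean >= 80:
        return ("sustained high CPU on idle host", 3)
    if mean >= 20 and spread < 5:
        return ("flat non-idle CPU load on idle host (possible throttled miner)", 2)
    return None


def triage_host(host: dict) -> dict:
    findings, score = [], 0
    cpu = cpu_indicator(host["cpu_samples"], host["idle"])
    if cpu:
        findings.append(cpu[0]); score += cpu[1]
    for proc in host["processes"]:
        if any(flag in proc["cmdline"] for flag in MINER_FLAGS):
            findings.append(f"miner-style command line in pid {proc['pid']} ({proc['name']})"); score += 3
    for conn in host["connections"]:
        kind = classify_payload(conn["payload"])
        if kind:
            findings.append(f"{kind} traffic to {conn['dst']}:{conn['port']}"); score += 3
        elif conn["port"] in STRATUM_PORTS:
            findings.append(f"connection to common pool port {conn['port']} ({conn['dst']})"); score += 1
    verdict = "likely cryptojacking" if score >= 4 else ("suspicious" if score else "clean")
    return {"host": host["name"], "score": score, "verdict": verdict, "findings": findings}


# Constructed telemetry: one blatant miner, one clean database host, one throttled miner over TLS.
SAMPLE_HOSTS = [
    {"name": "web-01", "idle": True, "cpu_samples": [97, 99, 98, 100, 97, 99],
     "processes": [{"pid": 4123, "name": "kworker/u8:2",
                    "cmdline": "/tmp/.x/kworker -o stratum+tcp://pool.example.invalid:3333 "
                               "-u 4PLACEHOLDER_WALLET -p x --donate-level 1 -a rx/0"}],
     "connections": [{"dst": "198.51.100.20", "port": 3333,
                      "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                                 b'{"login":"4PLACEHOLDER_WALLET","pass":"x","agent":"XMRig/6.21.0"}}\n'}]},
    {"name": "db-02", "idle": True, "cpu_samples": [2, 3, 1, 4, 2, 3],
     "processes": [{"pid": 812, "name": "postgres",
                    "cmdline": "/usr/lib/postgresql/15/bin/postgres -D /var/lib/postgresql/15/main"}],
     "connections": [{"dst": "203.0.113.9", "port": 443, "payload": b"\x16\x03\x01\x02\x00\x01\x00"}]},
    {"name": "build-03", "idle": True, "cpu_samples": [34, 35, 33, 36, 34, 35],
     "processes": [{"pid": 2210, "name": "sshd", "cmdline": "/usr/sbin/sshd -D"}],
     "connections": [{"dst": "192.0.2.77", "port": 14444, "payload": b"\x16\x03\x03\x00\x7a\x01\x00"}]},
]


def triage_all(hosts=SAMPLE_HOSTS) -> list:
    return [triage_host(h) for h in hosts]


if __name__ == "__main__":
    for report in triage_all():
        print(json.dumps(report, indent=2))
```

The third host is the instructive one: its payload is TLS so nothing identifies it as Stratum, and its CPU never goes above 36%, yet the flat load plus a connection to a typical pool port is enough to queue it for an analyst. Feed real data in through the same record shape (process snapshot, per-minute CPU, first payload bytes per flow) and tune the weights.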
Prevention and Protection
- Keep software and systems patched to prevent exploitation of known vulnerabilities
- Deploy ad-blockers and anti-mining browser extensions for end users
- Implement network monitoring and DNS filtering to block mining pool connections
- Use cloud security posture management (CSPM) to detect unauthorized instances
- Monitor container registries, admit images only from trusted registries, and pin them by digest rather than mutable tags so the artefact that was reviewed is the one that runs
- Educate employees about phishing and suspicious downloads
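One way to enforce the container points above (trusted registries, digest pinning, and a CPU limit so a compromised container cannot take the whole node) before a workload is admitted. This is an added example rather than anything from the original page or from a real policy engine: the manifest is a constructed Kubernetes Deployment in the shape `kubectl get -o json` returns, and the trusted-registry list is an assumption to replace with your own. The image-reference parser applies the Docker/OCI defaults (no registry means `docker.io`, a single-segment repository means `library/`), which is what makes `nginx:latest` and `docker.io/library/nginx:latest` compare as the same image.

```python
"""Pre-deployment admission check for a Kubernetes workload (added example, constructed manifest)."""
import json

# Assumption: the registries you publish to. Entries may include a namespace prefix.
TRUSTED_REGISTRIES = {"registry.example.internal:5000", "ghcr.io/example-org"}


def parse_image_ref(ref: str) -> dict:
    """Split an OCI image reference into registry, repository, tag and digest using Docker's rules:
    the first path segment is a registry only if it contains '.' or ':' or is 'localhost'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:          # a colon in the last segment is a tag, not a port
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path                 # official images live under library/
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def container_findings(container: dict, kind: str) -> list:
    img = parse_image_ref(container["image"])
    where = f"{kind} '{container['name']}' ({container['image']})"
    origin = f"{img['registry']}/{img['repository']}"
    out = []
    if not any(origin == t or origin.startswith(t + "/") for t in TRUSTED_REGISTRIES):
        out.append(f"{where}: registry {img['registry']} is not trusted")
    if img["digest"] is None:
        out.append(f"{where}: not pinned by digest (tag {img['tag'] or 'latest'} is mutable)")
    if "cpu" not in container.get("resources", {}).get("limits", {}):
        out.append(f"{where}: no CPU limit, a miner in this container could take the whole node")
    if container.get("securityContext", {}).get("privileged"):
        out.append(f"{where}: privileged container")
    return out


def evaluate_manifest(manifest: dict) -> list:
    """Return every policy finding for a Deployment-style manifest; an empty list means admit."""
    spec = manifest["spec"]["template"]["spec"]
    findings = []
    for c in spec.get("initContainers", []):
        findings += container_findings(c, "initContainer")
    for c in spec.get("containers", []):
        findings += container_findings(c, "container")
    return findings


# Constructed manifest: one compliant container, one unpinned init container from Docker Hub,
# one privileged helper pulled by tag from a trusted registry.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "shop-api"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "someuser/db-migrate:latest"}],
        "containers": [
            {"name": "api",
             "image": "registry.example.internal:5000/shop/api@sha256:" + "0" * 64,
             "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}}},
            {"name": "helper", "image": "ghcr.io/example-org/helper:v2.3",
             "securityContext": {"privileged": True}},
        ]}}},
}


if __name__ == "__main__":
    for finding in evaluate_manifest(SAMPLE_DEPLOYMENT):
        print("DENY:", finding)
```

The same checks map directly onto admission-controller policy; running them in CI against rendered manifests catches the problem before the cluster ever sees the image.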
Cryptojacking vs. Other Threats
Unlike ransomware, which causes immediate disruption, cryptojacking's damage is gradual: shortened hardware life, increased energy costs, degraded performance, and the risk that the foothold used to install the miner (an exposed dashboard, leaked cloud keys, an unpatched service) is reused for something worse. Organizations often discover cryptojacking only after months of operation, by which time the attacker has already profited while the victim has paid the compute and power bills.
As cryptocurrency values fluctuate and mining difficulty increases, cryptojacking remains attractive to cybercriminals because it requires no interaction with victims, generates passive income from the first minute of access, and draws far less attention from victims and law enforcement than ransomware or data theft.