What is Cryptojacking? Definition, Types and Prevention

21 Min Read

Cryptojacking is a type of cyberattack where a hacker hijacks a target’s computer or mobile device to mine cryptocurrency without their consent. This malicious activity exploits the victim’s processing power to solve complex mathematical problems necessary to mine digital currencies like Bitcoin or Monero, thereby earning cryptocurrency for the attacker while the victim incurs the costs of electricity and potential hardware damage. Cryptojacking malware can be delivered through phishing emails, malicious websites, or even embedded in seemingly benign applications, running quietly in the background to avoid detection and maximize the attacker’s profits.

Facts about Cryptojacking

Specification Aspect Details
Definition Cryptojacking is the unauthorized use of someone else’s computing resources to mine cryptocurrency.
Attack Vectors
  • Infected websites with malicious scripts
  • Phishing emails with malware attachments
  • Mobile apps with hidden mining code
Targeted Platforms
  • Personal computers
  • Mobile devices
  • Servers and cloud infrastructures
Common Cryptocurrencies
  • Monero (XMR)
  • Bitcoin (BTC)
  • Ethereum (ETH)
Detection Methods
  • Unusually high CPU usage
  • Slower device performance
  • Overheating of devices
  • Unexplained increase in electricity bills
Prevention Strategies
  • Use of ad-blockers and anti-crypto mining extensions
  • Endpoint protection software
  • Regular software updates and patches
  • Network monitoring tools
Impact on Victims
  • Degraded device performance
  • Increased energy costs
  • Potential hardware damage
  • Security risks due to vulnerabilities
Legal Consequences
  • Illegal in many jurisdictions
  • Can lead to criminal charges for unauthorized computer access
Remediation Steps
  • Identify and remove malicious scripts or malware
  • Reset affected systems
  • Update security protocols
Industry Response
  • Development of anti-cryptojacking tools
  • Increased awareness and education campaigns
  • Collaboration between cybersecurity firms and ad networks


How do cryptojacking works?

1. Infection

Cryptojacking begins with the infection phase, where attackers deploy various strategies to install cryptomining malware on the victim’s device. This phase often involves social engineering tactics such as phishing emails, malicious advertisements, or compromised websites. Attackers may also exploit vulnerabilities in software or web applications to deliver the cryptomining script without the user’s knowledge. Once the device is infected, the malware remains dormant until it is triggered to start mining operations. The stealthy nature of the infection process makes it challenging for users to detect the presence of cryptojacking malware, allowing it to spread across networks and infect multiple devices.

2. Execution

After the infection phase, the cryptojacking malware executes on the victim’s device. This involves initiating the cryptomining script, which is designed to run silently in the background to avoid detection. The malware leverages the device’s CPU or GPU to perform complex cryptographic calculations necessary for mining cryptocurrency. Execution strategies may include using fileless malware techniques to reside in the device’s memory, making it harder to identify and remove. The malware is programmed to throttle its resource usage based on the device’s activity, ensuring that it does not significantly impact the user’s experience and remains unnoticed for as long as possible.

3. Mining

During the mining phase, the cryptojacking malware uses the victim’s device to solve cryptographic puzzles required to validate transactions on a blockchain network. This process, known as proof of work, is computationally intensive and requires significant processing power. By harnessing the resources of multiple infected devices, attackers can pool together a large amount of computational power, increasing their chances of solving puzzles and earning cryptocurrency rewards. The mining process runs continuously in the background, consuming the device’s resources, leading to performance degradation, increased electricity consumption, and potential hardware damage over time.

4. Profit

The ultimate goal of cryptojacking is profit. Attackers earn cryptocurrency rewards by successfully mining blocks on the blockchain. These rewards are directly deposited into the attacker’s digital wallet, bypassing the need for the costly mining infrastructure typically required for profitable mining operations. Since the attackers utilize the resources of infected devices, they incur minimal expenses, maximizing their profits. The victims, on the other hand, bear the costs of increased energy consumption and potential hardware wear and tear, all while receiving none of the mining rewards. This illicit profit model has made cryptojacking an attractive and low-risk venture for cybercriminals.

Types of cryptojacking attacks

1. Browser-Based Cryptojacking

Browser-based cryptojacking occurs when cybercriminals embed malicious cryptomining scripts into websites or ads. When users visit these compromised sites or click on the ads, the script automatically executes and uses the visitor’s computing power to mine cryptocurrency. This type of attack does not require the user to download or install anything, making it particularly stealthy and difficult to detect. The script runs as long as the webpage is open in the browser, silently mining cryptocurrency and potentially slowing down the user’s device and consuming more electricity without their knowledge.

2. System-Based Hijacking

System-based hijacking, often referred to as host-based cryptojacking, involves the installation of malware on the victim’s computer or network. This malware operates in the background, using the system’s resources to mine cryptocurrency. The infection can occur through phishing emails, malicious downloads, or exploiting system vulnerabilities. Unlike browser-based cryptojacking, system-based attacks require the malware to be installed on the device, which can lead to more persistent and controllable mining by the attacker. This method can significantly degrade system performance and security.

3. Cloud-Based Hijacking

Cloud-based hijacking targets organizational cloud infrastructures to exploit their significant processing power for cryptomining. Attackers gain access to cloud services by stealing API keys or by exploiting misconfigured cloud services. Once they have access, they can commandeer the vast resources of cloud servers to mine cryptocurrency, leading to substantial financial costs for the affected organization due to increased CPU usage and associated charges. This method is particularly lucrative for attackers due to the high amount of resources available in cloud environments.

4. File-Based Cryptojacking

File-based cryptojacking involves the victim unknowingly downloading a cryptomining script disguised as a legitimate file. This can occur through phishing emails, malicious websites, or compromised software downloads. Once executed, the script installs itself on the system and begins mining cryptocurrency using the device’s resources. This type of attack can be particularly dangerous as it allows the cryptojacking malware to persist on the device, continuously mining until it is detected and removed, potentially causing long-term performance degradation and increased wear and tear on the device.

5. Mobile Device Cryptojacking

Mobile device cryptojacking targets smartphones and tablets by embedding cryptomining scripts in apps or websites optimized for mobile devices. Users may download an infected app from a third-party app store or visit a compromised website that triggers the mining script. Due to the generally lower processing power of mobile devices compared to PCs, the impact on performance, battery life, and device overheating can be significant. This type of cryptojacking is particularly insidious as it can operate unnoticed for long periods, exploiting the mobile device’s resources for the attacker’s gain.

High profile examples of cryptojacking

1. Facebook Messenger (2018)

In 2018, a Google Chrome extension named FacexWorm targeted Facebook Messenger users. This malware exploited social engineering tactics by sending fake YouTube links through Messenger. When clicked, these links directed users to a fraudulent site that prompted them to download a Chrome extension. This extension was designed to hijack Facebook accounts and propagate the malware further while also deploying cryptomining scripts to mine cryptocurrency using the resources of the infected computers.

2. Tesla’s Cloud Breach (2018)

Tesla’s cloud environment was compromised in 2018 when hackers accessed its Amazon Web Services (AWS) account. The attackers exploited an unsecured Kubernetes console to deploy cryptocurrency mining malware. This incident highlighted significant security vulnerabilities in cloud configurations and raised concerns about the potential for sensitive data exposure. However, Tesla responded swiftly, stating that no customer data was compromised and the breach was contained quickly.

3. GitHub and GitLab Auto-DevOps Feature Misuse (2020)

In 2020, cybercriminals exploited the Auto-DevOps features in GitHub and GitLab to carry out cryptojacking attacks. By hijacking the powerful CI/CD (Continuous Integration/Continuous Deployment) environments provided by these platforms, attackers were able to use the extensive computational resources available to mine cryptocurrencies illicitly. This misuse of trusted development platforms highlighted the need for better security practices in DevOps environments.

4. Linux and IoT devices (2023)

In 2023, a significant increase in cryptojacking attacks targeting Linux systems and IoT devices was reported. Attackers specifically chose these platforms due to their often weaker security configurations and the ability to operate under the radar. By exploiting these devices, cybercriminals could harness their processing power to mine cryptocurrencies without detection, demonstrating the evolving nature of cryptojacking threats and the continuous vulnerability of connected devices.

5. Government Websites Cryptojacking (2018)

In 2018, numerous government websites across the globe were compromised to run cryptojacking scripts. This widespread attack affected sites by embedding malicious JavaScript code that mined cryptocurrencies using the computing resources of visitors to these websites. The incident served as a critical wake-up call about the security of public sector websites and the need for improved protective measures against such pervasive online threats.

6. Make-A-Wish Foundation Website Compromise (2018)

The Make-A-Wish Foundation’s website was compromised in 2018 when it was injected with a cryptojacking script. This script utilized the site’s visitor’s processing power to mine cryptocurrency, unbeknownst to the users. The breach was part of a larger campaign that targeted vulnerable websites with poor security configurations, exploiting them for financial gain through unauthorized cryptocurrency mining.

7. YouTube Ads (2018)

In January 2018, YouTube users were exposed to ads containing cryptojacking scripts. These ads were served through the Google DoubleClick ad network and were designed to mine cryptocurrencies by exploiting the processing power of the viewers’ devices. This incident highlighted the vulnerabilities within ad networks and the need for enhanced security measures to prevent such malicious advertising practices.

8. Docker Hubs Targeted (2021)

In 2021, Docker Hub repositories were targeted by attackers who used them to distribute images containing cryptojacking malware. These Docker images, once pulled and run by unsuspecting users, activated cryptomining scripts that siphoned off computational resources to mine cryptocurrency. This attack underscored the importance of verifying third-party software and the potential risks associated with containerized application platforms.

9. ProxyShellMiner Exploit (2023)

The ProxyShellMiner exploit of 2023 involved attackers leveraging vulnerabilities in Microsoft Exchange servers to deploy cryptocurrency mining malware. This sophisticated attack not only allowed cybercriminals to mine cryptocurrency but also exposed sensitive corporate data. The incident demonstrated the critical need for timely patching of known vulnerabilities and reinforced the ongoing challenges in protecting enterprise environments from emerging cyber threats.

Methods to detect cryptojacking

1. Decreased Performance

One of the primary indicators of cryptojacking is a noticeable decrease in device performance. This symptom is often the first clue for users that something is amiss. Cryptojacking scripts consume significant computational resources, leading to slower response times and reduced efficiency in executing regular tasks. Users might experience delays in typing, slow loading of applications, and sluggish internet browsing speeds. This degradation in performance is due to the cryptomining scripts running in the background, which heavily utilize the device’s processor and memory without the user’s consent.

2. Overheating

Overheating is a common consequence of cryptojacking because the unauthorized mining operations push the device’s hardware to its limits. As the cryptomining script runs, it causes the CPU and GPU to work harder than usual, generating excessive heat. This not only leads to potential hardware damage but also triggers cooling fans to run at higher speeds, often louder than normal. Prolonged overheating can shorten the lifespan of the device and cause sudden shutdowns to prevent heat-induced damage.

3. High Electricity Costs

Cryptojacking significantly increases a device’s energy consumption as it requires substantial computational power to mine cryptocurrencies. This surge in power usage can lead to unusually high electricity bills for unsuspecting victims. The continuous and intensive use of CPU and GPU resources for mining operations means that devices draw more power than under normal operation, which can be particularly noticeable in organizational settings where multiple devices may be affected.

4. High Central Processing Unit (CPU) Usage

An unusual spike in CPU usage is a telltale sign of cryptojacking. Cryptomining scripts are designed to maximize the use of a device’s processing power to solve complex mathematical problems required to mine cryptocurrencies. Monitoring tools like Windows Task Manager or macOS Activity Monitor can reveal high CPU usage even when the device is not running any demanding applications. Such anomalies suggest that cryptomining scripts could be operating in the background, consuming resources stealthily.

5. Slow Network

Cryptojacking can also affect network performance. Since cryptomining involves constant communication with cryptocurrency networks, it can consume significant bandwidth, resulting in a slower internet connection for other legitimate uses. Users might notice that web pages load slower than usual or that streaming services buffer more frequently. Monitoring network traffic can help identify unexpected spikes that could indicate the presence of cryptojacking activities.

6. Battery Dies Faster

For mobile devices and laptops, one of the effects of cryptojacking is a rapid drain on the battery. The intensive computational tasks required for mining deplete battery power much faster than normal operations. Users may observe that their device’s battery life diminishes quicker than expected, even with minimal active use. This symptom, combined with other signs like overheating and performance degradation, can help confirm the presence of cryptojacking.

7. Unusual Network Traffic

Cryptojacking can generate unusual network traffic patterns. Since the mining process requires constant connectivity to cryptocurrency networks, there may be noticeable increases in data transfers even when the device is supposed to be idle. Tools that monitor and analyze network traffic can detect these anomalies, such as frequent large uploads or downloads, which are atypical for the user’s normal internet usage. This sign is particularly useful for IT professionals in detecting cryptojacking within corporate networks.

Best practices for preventing cryptojacking

1. Use a Good Cybersecurity Program

Implementing a robust cybersecurity program is crucial in defending against cryptojacking. This includes installing antivirus software that can detect and prevent malicious activities, including unauthorized cryptomining. Regular updates and patches for your operating system and applications are essential to close security loopholes that could be exploited by cryptojackers. A comprehensive cybersecurity solution not only detects cryptojacking attempts but also helps in removing any malicious software that might have been installed on your system.

2. Be Alert to the Latest Cryptojacking Trends

Staying informed about the latest cryptojacking trends is vital for timely and effective prevention. Cybercriminals continually evolve their methods to bypass security measures, so understanding their new tactics can help you stay one step ahead. Regularly updating your knowledge through trusted cybersecurity news sources and attending relevant webinars or training can provide insights into the latest cryptojacking schemes and preventive technologies.

3. Use Browser Extensions Designed to Block Cryptojacking

Installing browser extensions specifically designed to block cryptojacking can significantly enhance your browser’s security. Extensions like No Coin, minerBlock, and Anti Miner are effective tools that help detect and block cryptomining scripts running in the browser. These extensions work by blacklisting known cryptomining domains and detecting unusual behavior in scripts loaded into the browser.

4. Use Ad Blockers

Ad blockers are useful in preventing cryptojacking scripts from being delivered through malicious ads. By blocking potentially harmful ads, you reduce the risk of inadvertently clicking on a cryptojacking script. Some ad blockers also have the capability to detect and block scripts embedded in ads that are designed to use your device’s processing power to mine cryptocurrency.

5. Disable JavaScript

Disabling JavaScript on your browser can stop many cryptojacking scripts from executing, as these scripts often rely on JavaScript to run. However, be aware that this might also affect the functionality of websites that use JavaScript for legitimate purposes. If disabling JavaScript broadly is too restrictive, consider using a script management tool that allows you to enable JavaScript only on trusted sites.

6. Block Pages Known to Deliver Cryptojacking Scripts

Implementing web filtering solutions that block access to websites known for cryptojacking can prevent such scripts from loading. Maintaining a blacklist of malicious websites and regularly updating this list based on the latest threat intelligence is a proactive way to safeguard your devices from cryptojacking.

7. Use Software Composition Analysis (SCA)

Software Composition Analysis (SCA) tools are essential for identifying vulnerabilities in the software supply chain that could be exploited for cryptojacking. These tools analyze the components of your software to detect any embedded cryptomining scripts or other vulnerabilities. Regular scans with SCA tools help ensure that your software remains secure from emerging cryptojacking threats.

8. Avoid Suspicious Websites

Educating yourself and your network users to recognize and avoid suspicious websites is a key line of defense against cryptojacking. Many cryptojacking scripts are hosted on websites that offer pirated content or are otherwise of dubious legality. Avoiding these websites and downloading content only from reputable sources can significantly reduce the risk of encountering cryptojacking.

Share This Article