What is cryptojacking?

Authors

Josh Schneider

Staff Writer

IBM Think

Ian Smalley

Staff Editor

IBM Think

Cryptojacking is a type of cyberattack in which cybercriminals hijack the computing resources of victims’ devices in order to mine cryptocurrency without permission.

Hackers use cryptojacking code (a type of malware) to produce and collect valuable cryptocurrency without incurring any of the associated costs. Essentially, they trick their victims into spending their own resources without reaping any of the rewards. Cryptojacking is a growing threat within the cybersecurity landscape. According to the 2024 SonicWall Cyber Threat Report, cryptojacking incidents rose by 659% in 2023.

The resources to mine cryptocurrency can be expensive. Successful cryptojacking attacks effectively force their unaware victims to incur the costs of the cryptocurrency mining process, while the cryptojacker collects the profits.

Cryptojacking attacks can be carried out over the web, through browser-based cryptojacking scripts (often embedded in JavaScript code on a webpage), or through cryptojacking malware delivered as apps or as trojan-style viruses through social engineering or phishing attacks. Desktops, laptops, servers, smartphones and other mobile devices infected with cryptojacking code or cryptojacking software often suffer from dramatically reduced performance, resulting in operational downtime on top of higher electricity bills.   

Cryptojacking is different from other types of cybercrime. Whereas cyberthreats like data exfiltration or ransomware attacks typically seek to steal or commandeer user data, cryptojacking code effectively steals processing power and electricity. Cryptomining malware injects subtle malicious code into targets that is designed to evade detection for as long as possible.

Cryptojacking key points

  • Cryptojacking in practice: Cryptojacking attacks, sometimes referred to as malicious cryptomining, attempt to commandeer users’ computing devices or virtual machines (VMs). Cryptojacking works by secretly leeching processing power from unsuspecting victims to mine digital currencies. Cybercriminals collect any generated cryptocurrency profits, while victims foot the bill.
  • Cryptojacking impact: Victims of cryptojacking suffer increased electricity costs and decreased system performance, which can damage hardware and lead to overheating. Successful attacks can compromise a victim’s data privacy and create other cyberthreats. 
  • Cryptojacking vulnerabilities: Attack vectors include web pages, web browsers, browser extensions and plug-ins, Internet of Things (IoT) devices, email and other messenger-type apps. Mining malware can infect most types of popular operating systems. Hackers have even targeted major software and service providers, such as Microsoft and YouTube.     
  • Cryptojacking defense: Recommended methods for defending against cryptojacking attacks combine endpoint detection and response (EDR), content disarm and reconstruction (CDR) and antivirus solutions, regular task manager and CPU usage monitoring, supply chain audits, ad blockers, script blocking, staff training and real-time threat detection.  

Understanding cryptocurrency

Cryptocurrency is a type of digital asset that has no physical representation but can be exchanged for goods and services like traditional fiat currency. A main innovation of cryptocurrencies is the ability to send funds directly between parties without the need for intermediaries. Cryptocurrencies are created by using blockchain technology.

A blockchain is like a virtual ledger that records all the transactions made by using a specific blockchain system. Cryptocurrency blockchains are often open source, allowing anyone to examine the underlying code.

In addition to cryptocurrency, blockchain systems are also useful for other applications that need to track and validate any type of records. Furthermore, private blockchains can be employed by systems that are tracking sensitive information. 

Key cryptocurrency concepts

  • Blockchain: A blockchain is a shared, immutable digital ledger, used to record and track transactions within a network and providing a single source of verified truth. 
  • Cryptocurrency: Cryptocurrency is a digital asset generated by decrypting encrypted blocks of code stored on a blockchain. Units of cryptocurrency are often called coins or tokens, and they are used as compensation for users who trade computing and energy resources to decrypt coins and validate blockchain transactions.
  • Miners: Cryptominers (or just miners) are the users who run the cryptomining software that generates new tokens and validates on-chain transactions. 

What makes a blockchain so powerful is decentralization. A public blockchain, such as the one used by Bitcoin, is not stored at any one single source. Instead, the blockchain is duplicated over any number of nodes—disparate computer systems each running cryptomining software that monitors and verifies the validity of the shared blockchain.

When a transaction is made over the blockchain, a certain threshold of nodes must validate the transaction before it is written into the overall ledger. This process assures that each transaction is legitimate and solves common digital currency problems like double spending or fraud. Although the identities of individual users might be anonymous, all the transactions on a public blockchain are public knowledge available to anyone with access.

In the case of cryptocurrency, the blockchain also stores some tokens, or coins. These coins are encrypted in complicated math problems called hash blocks. To generate a new coin, users on the blockchain system must devote their compute resources to decrypting each hash. This process is called cryptomining and typically requires tremendous amounts of processing power. Users who use their own resources to generate new coins and validate the transactions of other users are referred to as miners.

Solving crypto hashes and validating transactions can be expensive, both in terms of hardware and electricity costs. Coins are a payment for miners who foot the cost of hardware and energy. Decrypting an entire hash block requires far more resources than validating a transaction. This means that transaction verification is compensated at a smaller rate, calculated as a proportional percentage of the value of the transaction correlated to the resources required. 
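To make the cost asymmetry described above concrete, here is a toy proof-of-work miner, added as an example and not part of the original article: it brute-forces a nonce until a double-SHA-256 hash of the block header falls below a target, and shows that verifying a found block costs one hash while finding it costs roughly 2^difficulty hashes. The header string and its field names are constructed for illustration only.

```python
import hashlib
import time

# Constructed toy block header; a real Bitcoin header carries more fields, but
# the mechanism is the same: hash the header plus a nonce until the result is small.
SAMPLE_HEADER = "prev=000000abc|txroot=deadbeef|ts=1700000000"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for proof-of-work."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest, read as a 256-bit big-endian integer, is below
    2**(256 - difficulty_bits), i.e. it starts with difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: str, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force nonces until the block hash meets the target.
    Returns (nonce, hex_digest, hashes_tried), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(f"{header}|nonce={nonce}".encode())
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: str, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash. This asymmetry is why
    validating transactions is cheap while producing a new block is expensive."""
    return meets_target(sha256d(f"{header}|nonce={nonce}".encode()), difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Each extra difficulty bit doubles the average number of hashes needed."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    for bits in (8, 12, 16, 18):
        start = time.perf_counter()
        nonce, digest, tried = mine(SAMPLE_HEADER, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:2d} bits: nonce={nonce:7d} tried={tried:7d} "
              f"expected~{expected_hashes(bits):7d} {elapsed:6.3f}s {digest[:16]}...")
```

Running it shows the tried count roughly doubling per difficulty bit, which is the work a cryptojacker offloads onto victims' hardware.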

How cryptojacking works

A legitimate cryptocurrency mining operation can incur major operational expenses in the form of high electricity costs and expensive hardware, such as graphics processing units (GPUs), which deliver processing power and efficiency beyond what a standard central processing unit (CPU) can offer. However, while some cryptocurrencies like Bitcoin require extreme amounts of energy and computing power, other currencies, such as Monero, require far less.

A successful cryptojacker might be able to commandeer the CPUs (or any type of processor) of many victims. They can effectively steal unused CPU cycles and use them to perform cryptomining calculations, sending any gained coins to their own anonymous digital wallet. In aggregate, many slower processors can still generate a significant amount of cryptocurrency. A cryptojacker might accomplish this directly (by infecting a target’s computer with malware) or indirectly (by siphoning processor cycles while a user visits an infected website). 

There are three main types of cryptojacking that can be used effectively, either independently or as a hybrid approach. More advanced types of cryptojacking code can behave like a worm virus, infecting connected resources and mutating its own code to evade detection. These are the three types of cryptojacking:

  • Browser-based cryptojacking: This type of cryptojacking runs directly in a web browser and doesn’t require the victim to install any additional software. By simply browsing a website injected with malicious cryptojacking code, a victim’s computer resources can be diverted to surreptitious cryptomining. 
  • Host-based cryptojacking: Host-based cryptojacking refers to cryptojacking malware that has been downloaded onto a target’s device or system. Because this type of cryptojacking requires users to download and store software, it can be easier to detect. However, it can also work around the clock, creating higher energy consumption and greater resource drain. 
  • Memory-based cryptojacking: Memory-based cryptojacking is harder to detect and is rarer than browser or host-based cryptojacking. This type uses advanced techniques like code injection and memory manipulation to use RAM for cryptomining in real time without leaving any evidence.

Stages of a cryptojacking attack

Depending on the type of attack, most cryptojacking incidents follow a similar four-stage process.

1. Infiltration

The first phase of a cryptojacking attack revolves around exposing a target to malicious code. For a cybercriminal to commit cryptojacking, they must find a method to introduce some type of cryptojacking script into the victim’s system.

This might look like a phishing email that tricks a target into downloading a cryptomining program, or it can be as innocuous as a JavaScript-enabled ad on a reputable website. 

2. Deployment

The deployment stage begins once malicious code has entered the target’s system. During this phase, the cryptomining script begins to run in the background, drawing as little attention to itself as possible. The longer a cryptojacking script goes unnoticed, the more profitable it can be.

The “best” cryptomining scripts are designed to misallocate as much processing power as they can without noticeably impacting a target's system performance. While deploying a script that draws relatively low computing power is in the cryptominer’s best interest because it helps them avoid detection, cryptojacking code is greedy by nature. It often hogs resources at the expense of broader system performance and drives up energy expenses.

3. Mining

Once the deployment stage is complete, the mining stage begins. After a successful deployment, cryptojacking code will begin using the target’s computing resources to mine cryptocurrency. It does so either by solving complicated cryptographic hashes that generate new coins or by verifying blockchain transactions to earn cryptocurrency rewards.

4. Profit

All these rewards are sent to a digital wallet controlled by the cryptojacker. Victims of cryptojacking have no way to claim the cryptocurrency generated by the resources they pay for.

Cryptocurrency is harder to track than traditional types of assets. While some coins are more anonymous than others, it can be impossible to recover any currency mined through cryptojacking. Even though transactions made on public blockchains are public knowledge, tracing ill-gotten crypto to identifiable cybercriminals is difficult. And decentralized finance (DeFi) tools can make tracking cryptojackers even harder. These tools allow cryptocurrency holders to pool crypto resources into tools like finance pools that function like traditional investment opportunities, paying dividends without having to withdraw initial capital. While these tools are designed for and used by many legitimate investors, bad actors can take advantage of the decentralized nature of crypto to cover their tracks. 

Common cryptojacking attack vectors

Infiltration is always the first step in any cryptojacking attack. Cryptojacking is a dangerous form of cybercrime because there are many ways for hackers to deliver cryptojacking code. Some ways a hacker might infiltrate a target victim’s system include:

  • Phishing: A phishing email can contain a link that triggers a malware download. A victim might click a link to view what appears to be a digital gift certificate but actually delivers malware, unknowingly installing malicious cryptomining software without realizing they’ve been misled.
  • Misconfigured systems: Misconfigured virtual machines (VMs), servers or containers that are publicly exposed are an open invitation to hackers seeking to gain unauthenticated remote access. Once inside, installing cryptojacking software is trivial work for experienced cybercriminals. 
  • Compromised web applications: Accessing a web application with unsecured ports, even from a trusted or otherwise well-meaning provider, can expose a victim’s system to cryptojacking code.
  • Infected browser extensions: Browser extensions, also known as add-ons or plug-ins, are relatively small software programs used to improve and customize a user’s web browsing experience. Extensions like ad-blockers or password managers are available for most, if not all, popular web browsers (such as Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari). While most extensions are safe, even well-known and widely used extensions can be compromised with cryptojacking code injected by devious actors. While a reputable extension developer is inclined to follow cybersecurity best practices, in a constantly evolving cyberthreat environment, hackers are constantly targeting and occasionally infiltrating even the most reliable developers. Using techniques like zero-day exploits, hackers can inject cryptojacking software into software from the most trusted developers. Even easier, hackers can make their own knock-off versions of extensions designed to trick users into downloading malware instead of a well-vetted, useful extension. 
  • Compromised JavaScript: Code written in JavaScript is susceptible to cryptojacking. Hackers can upload or infect a seemingly safe JavaScript library, achieving infiltration when an unwitting victim downloads compromised code.    
  • Insider threats: Insider threats, such as a disgruntled or poorly trained employee or a threat actor with stolen credentials, are also common attack vectors for cryptojacking. 
  • Cloud-based attacks: Networked cloud computing systems exponentially increase attack vectors for cybercriminals, and cryptojacking is no exception. The recent and continued surge in cloud-based artificial intelligence (AI) applications, such as large language models (LLMs), creates even more opportunities for cryptojacking attacks that can infiltrate just one node and spread throughout an entire network.

Operational costs of cryptojacking

For individuals, running cryptomining software in the background on computers used for other tasks isn’t profitable. However, at scale, these small gains can add up. Cryptojacking can be profitable when hackers are able to infect many individual systems, especially because the cryptojackers aren’t paying the hardware or energy costs.

Generally, because cryptomining is such a resource-intensive procedure, legitimate cryptominers almost always use dedicated, top-of-the-line hardware for their operations. While some enterprise or even consumer-grade hardware is capable of cryptomining, best practices do not recommend devoting anything less than 90% of compute resources to mining operations. 

While the costs associated with creating and operating a dedicated cryptomining rig have led hobbyists to mine on their mainline hardware, doing so rarely generates significant yields. And the profits from such activities are often deeply undercut by not only the cost of the additional energy consumed performing the intensive mining computations, but also wear and tear on expensive hardware. 

For businesses and large organizations, the costs of cryptojacking are even greater, including operational slowdown and potential data privacy violations. Major impacts of cryptojacking for business include the following.

Decreased productivity

The first sign of a cryptojacking infection is general system slowdown. Systems infected with cryptojacking code can’t use their full resources, and they operate at reduced capacity. Attempting to use a system that’s also mining crypto in the background might result in sluggish and unresponsive apps or even system-wide crashes.

Increased energy expenses

Because cryptomining consumes so much electricity, cryptojacking victims see dramatic increases in their energy bills.

Increased hardware expenses

Because cryptomining is so demanding, victims can also suffer financial losses from hardware wear and tear.  

Security risks

While not all cryptomining code used by cryptojackers is created with malicious intent, there’s no reason to expect cybercriminals to be concerned with network security when infiltrating victims’ systems with malware. Any individual or organization infected by cryptojacking software should treat the infection as evidence of an exploitable weakness, close that weakness and check for any other malicious code that might already be deployed inside their systems.

Compliance violations

Successfully deployed cryptojacking software essentially gives outside bad actors unauthorized system access. For highly regulated industries like finance or healthcare, this unauthorized access can constitute a regulatory violation, leading to costly fines. 

Reputational damage

Beyond the direct costs associated with cryptojacking, organizations that fall victim can also suffer reputational damage, leading to a loss of public trust and potential future business. 

Detecting and defending against cryptojacking attacks

Cryptojacking attacks are designed to run in the background, remaining hidden and unknown for as long as they can. As such, cryptojacking code can be hard to detect. However, there are a few tell-tale signs that a system might be infected with malicious cryptomining software:

  • Unexplained increased energy consumption: Because cryptomining software draws so much energy, sudden and unexplained spikes in energy expenditures can indicate unauthorized cryptomining. 
  • Device overheating: Cryptomining causes hardware to run hot. When system hardware is overheating, or simply engaging fans and cooling systems more, it can be a symptom of a cryptojacking attack. 
  • Unexplained slowdowns: Cryptojacking drains computer resources, leading to slower overall operations. A system struggling to complete normal compute tasks is a common sign of cryptojacking.
  • High CPU usage: When investigating a potential cryptojacking attack, one indicator is higher than normal CPU usage while running otherwise undemanding operations. 
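The "high CPU usage while running otherwise undemanding operations" indicator above can be turned into detection logic. The following is an added example, not from the article: it runs over constructed per-process CPU samples and connection records, flags processes whose CPU stays above a threshold for a sustained window while the user is idle (so a short, legitimate burst is not flagged), and raises severity when the same process also holds a long-lived outbound connection to a pool-like port. The telemetry, process names, hosts and the pool-port list are all assumptions, not values from the page.

```python
from collections import defaultdict

# Constructed telemetry for a 10-minute window, one sample per 60 s:
# (timestamp_s, pid, process_name, cpu_pct, user_active).
# user_active=False models an idle workstation, where sustained load is unexpected.
SAMPLES = []
for t in range(0, 600, 60):
    SAMPLES.append((t, 4242, "kworker-x", 92.0, False))                      # steady miner-like load
    SAMPLES.append((t, 1001, "chrome", 35.0 if t < 300 else 88.0, False))    # tab ramps up at 5 min
    SAMPLES.append((t, 2002, "backup.sh", 95.0 if t < 120 else 3.0, False))  # short, legitimate burst

# Constructed connection records: (pid, remote_host, remote_port, duration_s).
# Hosts are RFC 5737 documentation addresses; 3333 is assumed as a typical pool port.
CONNECTIONS = [
    (4242, "203.0.113.5", 3333, 580),
    (1001, "198.51.100.7", 443, 20),
]

# Assumption, not from the article: ports commonly used by stratum mining pools.
POOL_PORTS = {3333, 4444, 5555}


def sustained_high_cpu(samples, threshold=80.0, min_seconds=240, idle_only=True):
    """Return {pid: (name, run_start, run_end)} for processes whose CPU stayed at or
    above `threshold` across a contiguous span of at least `min_seconds`
    (counting only samples taken while the user was idle, if idle_only)."""
    per_pid = defaultdict(list)
    for ts, pid, name, cpu, active in sorted(samples):
        per_pid[pid].append((ts, name, cpu, active))
    findings = {}
    for pid, rows in per_pid.items():
        run_start = None
        for ts, name, cpu, active in rows:
            hot = cpu >= threshold and (not idle_only or not active)
            if not hot:
                run_start = None  # a dip resets the run, so short bursts are not flagged
                continue
            if run_start is None:
                run_start = ts
            if ts - run_start >= min_seconds:
                findings[pid] = (name, run_start, ts)
    return findings


def correlate(findings, connections, pool_ports=POOL_PORTS, min_conn_seconds=120):
    """Attach a severity to each finding: 'high' when the same pid also holds a
    long-lived outbound connection to a pool-like port, otherwise 'medium'."""
    long_conns = {(pid, port) for pid, _, port, dur in connections if dur >= min_conn_seconds}
    alerts = []
    for pid, (name, start, end) in sorted(findings.items()):
        pool_hit = any((pid, port) in long_conns for port in pool_ports)
        alerts.append({
            "pid": pid, "name": name, "window": (start, end),
            "severity": "high" if pool_hit else "medium",
            "reason": "sustained CPU while idle" + (" + persistent pool-port connection" if pool_hit else ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(sustained_high_cpu(SAMPLES), CONNECTIONS):
        print(alert)
```

In production the samples would come from an EDR agent or a periodic process listing, and the pool-port heuristic should be paired with threat-intelligence lists rather than a fixed set.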

Defending against cryptojacking requires a holistic approach that is, fortunately, congruent with many other leading cybersecurity strategies for general security hygiene. The following are common and effective defense measures:

  • Rigorous personnel training: As is often the case with any cyberthreat, human error is the most persistent and potentially damaging attack vector. Training and education around phishing attacks, safe browsing and file-sharing practices is a critical first line of defense against cryptojacking. 
  • EDR and CDR solutions: Because cryptojacking requires an infected system to communicate with bad actors, common antivirus tools that can scan software for known signs of cybercrime can be effective against cryptojacking.
  • Disabling JavaScript: Because JavaScript is such a ripe attack vector for cryptojacking, disabling all JavaScript can be an effective defense.      