
What is Cryptojacking?


Cryptojacking is the unauthorized use of a computer or device to mine cryptocurrency. This is typically done by installing malware on a victim’s device that uses its processing power to mine for cryptocurrency without their knowledge or consent. Cryptojacking can have a significant impact on a victim’s device, as it can slow down performance and increase energy consumption. This will impact the bottom line since it acts as a parasite sucking resources from the victim and/or company.

Cryptojacking is a growing problem, and cryptojacking techniques are becoming more sophisticated as the underlying value of cryptocurrency increases. Organizations should take steps to protect themselves by keeping their devices and software up to date and being cautious when clicking on links or downloading files that have not been scanned.

What Is the main goal of Cryptojacking?

The primary goal of cryptojacking is to earn quick and easy money anonymously. Even though the blockchain itself is transparent, unmasking and identifying the attacker behind a mining operation is difficult, though not impossible. This should not be relied upon; rather, processes should be put in place to detect cryptojacking and stop it before it starts.

Victims of cryptojacking aren’t always these big faceless corporations, but can be anyone using a computer – even you. Crowdsourcing devices is another technique used to leverage a large number of connected devices like smartphones, tablets, and smart home devices to mine cryptocurrency. So rather than taking the approach to find one computer with massive compute power, attackers are using thousands of devices to collectively mine cryptocurrency.

Cryptominers and how they relate to Cryptojacking

Cryptojackers use malware to infiltrate a victim’s device and use its processing power to mine for cryptocurrency. The malware is often embedded in websites or apps and is deliberately hidden so that it can be silently downloaded and installed on the victim’s device. Once installed, it uses the device’s processing power to solve complex mathematical problems that require huge amounts of processing power and energy to confirm transactions on the blockchain. The cryptojackers are then rewarded with cryptocurrency for being the first to solve these problems and confirm the transactions. This cryptocurrency is sent to the attacker’s virtual wallet, enabling the attacker to profit at the victim’s expense.

Cryptomining and its rise in popularity

Cryptomining has become a hot topic as the values of cryptocurrencies rise over time. As profits surge, so does the supply of people and companies who want to make money mining cryptocurrency. The increase in supply combined with increases in difficulty over time to confirm transactions on the blockchain (i.e. mine cryptocurrencies) has led to a digital gold rush with lots of entities competing over the same rewards. With this increase in competition comes an increase in methods to obtain large amounts of compute power illegitimately through the use of cryptojacking.

How does Cryptojacking work?

Before explaining how cryptojacking works, it’s important to understand how cryptomining works. Cryptomining is the process of using computer power to solve complex mathematical equations in order to validate transactions on the blockchain network and earn rewards in the form of cryptocurrency. Machines that do the mining require very expensive hardware and consume a significant amount of energy – which costs money. Attackers reason that they do not need the large capital investment to buy the machines to mine the cryptocurrency, but rather leverage the resources of companies who can afford it.

Cryptojacking works by embedding malicious code into a network of devices, and when executed, it begins using the victim’s resources to mine for cryptocurrency. The mined coins are then sent to the attacker’s wallet, which represents a form of value that can be traded for real currency (such as U.S. Dollars).

Real examples of cryptojacking

When mining cryptocurrency, it’s all about the processing power. So naturally, more powerful computers will yield better results. With this in mind, a Russian nuclear scientist was identified in 2018 as illegally using a supercomputer at the Federal Nuclear Center to mine Bitcoin. Even though he had legitimate access to that supercomputer, he illegally profited from his country’s resources.

Another example of cryptojacking occurred in 2017 when the official website of the U.S. Federal Communications Commission (FCC) was hacked by embedding rogue JavaScript in the comment section so that it would use visitors’ computers to mine cryptocurrency. This went undetected for several days until it was stumbled upon by a security researcher.

In 2018, a malicious ad was placed on the website of the Showtime Network. This ad contained a cryptomining script that used visitors’ computers to mine cryptocurrency. This script was live for several weeks before it was discovered and removed due to the major performance issues reported by users who visited Showtime’s website.

A more recent example: in 2022, a threat actor abused several cloud and continuous integration and deployment (CI/CD) service providers for an extensive and active cryptomining operation.

Low Risk, High Reward

As discussed earlier, cryptojacking is considered low risk and high reward because it is highly unlikely that enough resources will be spent trying to follow the money on the blockchain, which will eventually lead to the identity of the attacker. If we compare this to other forms of cybercrime, such as stealing personal information or hacking bank accounts, the amount of effort involved and the ability to monetize based on that effort highly favors cryptojacking.

Additionally, once the method and payload have been developed and deployed, it’s easy to replicate this to other potential victims and scale out earnings to make even more money.

How to detect Cryptojacking

Luckily, cryptojacking is relatively easy to detect and can be caught in several ways:

  • Ensure that you have antivirus software installed and that it’s up to date.
  • Monitor resource usage over time.
    • For example, if a server or computer is usually at 40% CPU usage, then one day it’s at 90% sustained, it’s time to start digging deeper.
  • Identify and stop unknown tasks running on a server or computer.
  • Identify and block any unusual network activity going to and from that computer or server.
  • Leverage browser extensions that identify and block mining scripts that are trying to steal your computer’s resources.
  • Develop and maintain a strong monitoring and security strategy using good monitoring tools (if you’re an organization).

Alerting on unusual behavior

Companies may be more susceptible to attackers because they have the resources available to generate a good profit in a short period of time. Knowing this, it’s important for security teams to have a monitoring platform that can index logs, then correlate and fire alerts anytime it sees signs of problems like cryptojacking. This can be achieved by trending server utilization over time and establishing a baseline or expected value, then alerting anytime the real value falls outside of the expected value.
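The baseline-then-alert approach described above, as an added example that is not code from the original article: a detector that learns an expected CPU value from a quiet window and alerts only on a sustained excursion (the "40% normally, 90% sustained" case from the detection list), ignoring one-off spikes. The window sizes, thresholds and the CPU series are assumptions constructed for the example.

```python
"""Baseline-and-deviation alerting on CPU utilization (added example, not code from the
original article). The series is constructed per-minute samples; the window sizes and
thresholds below are assumptions, not values taken from the page."""
from statistics import mean, pstdev

BASELINE_SAMPLES = 30    # assumed: learn the expected value from the first 30 samples
SIGMA_MULTIPLIER = 3.0   # assumed: alert above mean + 3 standard deviations
MIN_ABS_MARGIN = 10.0    # assumed: floor on the margin so a very flat baseline is not hair-trigger
MIN_CONSECUTIVE = 5      # assumed: the excursion must be sustained, not a one-sample spike

def build_baseline(samples):
    """Return (expected_value, upper_bound) learned from a quiet training window."""
    expected = mean(samples)
    upper = expected + max(SIGMA_MULTIPLIER * pstdev(samples), MIN_ABS_MARGIN)
    return expected, min(upper, 100.0)

def find_sustained_deviations(series, upper_bound, min_consecutive=MIN_CONSECUTIVE):
    """Return [(start, end)] index pairs of runs of >= min_consecutive samples above upper_bound."""
    runs, start = [], None
    for i, value in enumerate(series):
        if value > upper_bound:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_consecutive:
            runs.append((start, i - 1))
        start = None
    if start is not None and len(series) - start >= min_consecutive:
        runs.append((start, len(series) - 1))
    return runs

def cpu_alerts(series):
    """Learn the baseline from the head of the series, then alert on sustained excursions after it."""
    training, live = series[:BASELINE_SAMPLES], series[BASELINE_SAMPLES:]
    expected, upper = build_baseline(training)
    return [{"from_sample": BASELINE_SAMPLES + s, "to_sample": BASELINE_SAMPLES + e,
             "expected": round(expected, 1), "observed": round(mean(live[s:e + 1]), 1)}
            for s, e in find_sustained_deviations(live, upper)]

# Constructed data: ~40% CPU with jitter, one brief legitimate spike that must not alert,
# then a sustained jump to ~90% of the kind a resident miner produces.
CONSTRUCTED_CPU = ([40 + (i % 5) - 2 for i in range(30)]
                   + [41, 39, 95, 40, 42]
                   + [90 + (i % 3) for i in range(12)])

if __name__ == "__main__":
    for alert in cpu_alerts(CONSTRUCTED_CPU):
        print("ALERT", alert)
```

The same logic applies to any trended metric (memory, GPU, network bytes); the baseline should be relearned periodically so that legitimate workload growth does not become a permanent alert.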

Cloud provider security tools

With the rise of cloud-based technologies come cloud-based security capabilities. If we look at the big three (i.e. AWS, Azure, and GCP), they all offer some form of security capabilities to help detect cryptojacking quickly. Some examples include:

  • CloudTrail and CloudWatch: These services can be used to monitor network activity and detect unusual patterns that may be due to cryptojacking.
  • VPC Flow Logs: These logs allow you to track network traffic and detect unusual or unwanted connections that could be caused by cryptojacking malware.
  • Cloud-Native Antivirus Software: Antivirus software that was designed for the cloud.
  • Security Center: AWS and Azure Security Center provide recommendations on security and can detect and alert on potentially malicious activities.
  • Stackdriver for GCP: Stackdriver is a logging and monitoring service that allows you to monitor your GCP resources in real time. It allows for custom alerts that can detect cryptojacking.
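As an added example of the flow-log detection mentioned in the list (not code from the original article or from any cloud provider), the following parses VPC Flow Log records in the default version 2 field order and flags outbound connections from internal hosts that keep reappearing across capture windows on a port outside a known-good set, which is the shape an unwanted long-lived connection takes in these logs. The log lines are constructed, and the private ranges, known-good ports and thresholds are assumptions.

```python
"""Flag persistent outbound connections in VPC Flow Logs (added example, not code from the
original article). Lines are constructed in the default v2 field order; the private ranges,
known-good ports and thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = "version account eni src dst srcport dstport proto packets bytes start end action status".split()
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_PORTS = {53, 80, 443}      # assumed: expected egress ports for these hosts
MIN_RECORDS, MIN_DURATION = 3, 1800   # assumed: >= 3 capture windows spanning >= 30 minutes

def parse_line(line):
    """Return a dict for an accepted v2 record with data, else None (NODATA/SKIPDATA rows use '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["status"] != "OK" or rec["action"] != "ACCEPT":
        return None
    for k in ("srcport", "dstport", "proto", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def persistent_egress(lines):
    """Group accepted internal->external flows by (src, dst, dstport) and return the groups that
    are repeated, long-lived and on a port outside the known-good set."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            groups[(rec["src"], rec["dst"], rec["dstport"])].append(rec)
    findings = []
    for (src, dst, port), recs in groups.items():
        duration = max(r["end"] for r in recs) - min(r["start"] for r in recs)
        if port not in KNOWN_GOOD_PORTS and len(recs) >= MIN_RECORDS and duration >= MIN_DURATION:
            findings.append({"src": src, "dst": dst, "dstport": port, "records": len(recs),
                             "duration_s": duration, "bytes": sum(r["bytes"] for r in recs)})
    return findings

# Constructed records (not real traffic): one short HTTPS fetch, one connection to an external host
# on an unexpected port that reappears in consecutive capture windows, and a NODATA row.
CONSTRUCTED_LOG = [
    "2 111122223333 eni-0abc 10.0.1.5 203.0.113.10 51000 443 6 30 9000 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0abc 10.0.1.5 198.51.100.7 51001 8443 6 120 50000 1700000000 1700000600 ACCEPT OK",
    "2 111122223333 eni-0abc 10.0.1.5 198.51.100.7 51001 8443 6 118 49000 1700000600 1700001200 ACCEPT OK",
    "2 111122223333 eni-0abc 10.0.1.5 198.51.100.7 51001 8443 6 121 51000 1700001200 1700001800 ACCEPT OK",
    "2 111122223333 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Calling `persistent_egress(CONSTRUCTED_LOG)` returns the single 8443 group; in practice the known-good set should come from the workload's documented egress, and findings should be cross-checked against the host's CPU baseline alert before escalating.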

How to prevent Cryptojacking

While there may not be one sure tactic that you can use to defend yourself or your company resources against cryptojacking, it is important to develop a security strategy that is layered. Common techniques you can use include:

  • Keep your operating systems and software up to date. This removes known exploits that attackers can use to plant malicious software on your systems.
  • Exercise caution when downloading software from untrusted sources.
  • Use network firewalls.
  • Install browser extensions that can identify potential threats and stop them before they can be carried out (e.g. NoScript).
  • Educate users. Don’t allow users to introduce unnecessary risks into your environment.

Conclusion

In conclusion, cryptojacking is a rapidly growing form of cybercrime that is becoming increasingly prevalent as the value of cryptocurrency surges. The minimal effort involved combined with the lack of transparency and ability to easily scale, replicate, and monetize makes this type of cybercrime valuable to attackers who seek to exploit it. Luckily, there are several ways to catch this malicious activity and stop it before it causes significant financial harm. Be careful about what you download, keep an eye on performance, and ensure that you keep your software up to date to make it harder for would-be attackers.