What is cryptojacking and how does it work?

A collection of various coins with cryptocurrency logos embedded onto them
(Image credit: Shutterstock)

Cryptojacking is when a hacker uses a victim’s desktop or laptop to generate cryptocurrency. This happens when the victim unwittingly installs a malicious code that enables a cyber criminal to access their device.

This can happen when a victim clicks on an unknown link on a webpage or phishing email. The cyber criminal then uses this malware, known as a coin miner, to mine cryptocurrencies.

Cryptocurrencies are digital currencies, so the hacker only needs malware and a victim’s device to mine them.

How does cryptojacking work?

Cyber criminals have several means to get a victim's computer to start mining cryptocurrency.

The first is to deceive victims into loading crypto mining code onto their PCs, often through a phishing email.

The victim gets a legitimate-looking email that urges them to click on a link. The link then runs a script on the computer that mines cryptocurrencies in the background unbeknownst to the victim.

The second method is to place a script on a website or an ad delivered to several websites. When a victim visits an affected website or clicks on an infected ad, the script automatically runs.

Either way, code is not stored on the victim’s device; all it does is run complex mathematical problems and sends the results to a server under the cyber criminal’s control.

Some scripts have worm-like abilities, so they can infect more devices on the same network, maximizing returns for the hacker. This also makes it more difficult to remove.

According to security researchers at AT&T, such worms can also change their scripts to run in different computer architectures, such as x86, x86-64 and aarch64. Hackers loop through different scripts until one works. Then a cron job ensures the script will have persistence on a device or kill off the script if it gets detected.

Cryptomining scripts can also check if other competing crypto mining malware has been cryptojacking a device. If it detects other scripts, it can disable them to run its script instead.

Why is cryptojacking a problem?

Cryptojacking seems like a victimless crime, as no damage is done to a victim’s computer and no data is stolen.

What is stolen is the resources available to a computer in terms of CPU or GPU cycles. Using computing power in this way is criminal and done without the knowledge or consent of the victim to benefit the hacker who then makes money from this activity.

While an individual may be annoyed with a slower computer, enterprises may incur costs arising from help desk tickets and IT support time in finding and fixing problems with slow computers. It can also result in much higher electricity bills for companies affected.

Cryptojacking is a recent phenomenon compared to other cyber crime, as it rose to prominence in 2017 when Bitcoin’s value was increasing rapidly.

One of the first cryptojacking services was Coinhive. This was a collection of JavaScript files offering website owners a means to earn money from their visitors. In March 2019, Coinhive ended its services forever, but other versions still exist on the internet.

The number of attacks appears to follow the value of cryptocurrency. According to an Enisa report, there was a 30% year-on-year increase in the number of cryptojacking incidents in 2020.


X-Force Threat Intelligence Index

Top security threats and recommendations for resilience


The same report said Monero (XMR) was the cryptocurrency of choice for 2019 cryptojacking activities because of its focus on privacy and anonymity. This means Modero transactions cannot be traced. Also, Monero designed its proof-of-work algorithm to make mining viable with a standard CPU instead of specialized hardware. This ASIC-resistant mining algorithm makes it perfect for machines infected with cryptojacking malware.

Overall, cryptojacking is popular because it doesn’t need a connection to a command-and-control server operated by the hacker. It can also go undetected for a very long time, so hackers can make money anonymously without fear of law enforcement knocking on their doors.

Another motivation is money — cryptojacking is cheap. According to a report from Digital Shadows, kits to get you started in cryptojacking cost as little as $30. In one campaign, hackers made as much as $10,000 per day from crypto mining.

What are some real-life examples of cryptojacking?

In 2019, several apps that were secretly mining cryptocurrency with the resources of whoever downloaded them were ejected from the Microsoft Store. Potential victims would find the apps through keyword searches within the Microsoft Store. When downloaded, the apps also downloaded cryptojacking JavaScript code to mine Monero.

In 2018, cryptojacking code was found hidden within the Los Angeles Times' Homicide Report page. This also mined Monero.

Another high-profile victim of cryptojacking was Tesla. An investigation by cyber security firm Redlock found that hackers had infiltrated Tesla’s Kubernetes console which was not password protected. They installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint.

In 2018, Trend Micro observed a group of hackers it called Outlaw trying to run a script in one of Trend Micro’s IoT honeypots. By the end of the same year, the hackers had over 180,000 compromised hosts under their control.

In 2020, Palo Alto Networks discovered a cryptojacking scheme that used Docker images to install cryptomining software on victims’ systems. The cyber criminals inserted code within Docker images to avoid detection. The infected images helped criminals mine cryptocurrency worth an estimated $36,000.

What are some known cryptojacking malware?

There are quite a few examples of cryptojacking malware. Some examples include:

  • Smominru: This cryptojacker compromises Windows machines using an EternalBlue exploit and brute-force on various services, including MS-SQL, RDP, Telnet, and many others.
  • Badshell: This uses fileless techniques and hides in Windows processes.
  • Coinhive: This was a legitimate website monetization tool but is the world’s largest cryptojacking threat.
  • MassMiner: This is a cryptocurrency-mining malware that has been spotted using worm-like capabilities to spread through multiple exploits.

How do you know if you are a victim of cryptojacking?

Cryptojacking is virtually undetectable in most cases. However, there are a few signs that your computer could be a victim, including the computer heating up, making loud fan noises, draining batteries faster than usual, decreased performance, shutting down due to lack of available processing power.

You should consider closing and blocking any website suspected of running cryptojacking scripts if you see these symptoms. You should also update or delete any questionable browser extensions.

Can you prevent your devices from being a victim of cryptojacking?

Prevention is always better than cure, and there are a few things users can do to prevent their machines from succumbing to a cryptojacking incident.

Among them is installing an ad-blocker, as most of them can prevent cryptojacking scripts. You should also keep your systems updated with the latest software and patches for your operating system and all applications — particularly web browsers. Many attacks exploit known flaws in existing software.

Organizations can make a list of URL/IPs of infected cryptojacking sites and domains of crypto-mining pools to block. They can also implement network system monitoring to identify excessive resource usage.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.