What is cryptojacking?
Cryptojacking is when an attacker hijacks your processing power to mine cryptocurrency for their own benefit. This can occur either on a computer you own and control on-premises or on virtual machines in the cloud.
Cryptojacking uses malicious code embedded in websites or malware installed on your device to exploit your resources without your knowledge. This slows down devices, blocks legitimate users from accessing your resources, and could also leave you with sky-high cloud costs. There are many other potential negative repercussions for businesses and individuals, from loss of data privacy to the inability to keep using affected systems.
To understand what cryptojacking is and how to prevent it, let’s take a look at a few basic facts about cryptocurrency.
How attackers use cryptojacking scripts to mine cryptocurrency
Cryptojacking scripts, written in server-side languages such as JavaScript and PHP, target web browsers to silently hijack computing resources for cryptocurrency mining. Attackers embed these scripts in compromised websites or malicious ads, tricking unsuspecting users into launching them. Once activated, the script leeches CPU power for as long as the browser remains open, even running in the background through infected extensions.
In a recent example, Wiz discovered an exploit that exposed Selenium Grid servers (used for web testing) to install cryptominers. These servers lacked security by default and could be fully controlled if exposed online. The attackers used Selenium’s built-in capabilities to run malicious scripts that installed a modified XMRig miner while trying to stay hidden. This was the first known case of this type of attack.
Cryptojacking code: Embedding hidden cryptomining scripts in systems
Attackers may use a variety of methods to install cryptojacking malware on your system. For example:
A phishing email may contain a malicious link that downloads the cryptomining code onto your device.
Attackers discover a misconfigured VM or container that is publicly exposed and gain remote unauthenticated access.
A web application exposed on an open port may give attackers a way to plant cryptojacking code.
An infected browser extension may install cryptojacking software on your device.
You might download an infected file from a compromised JavaScript library.
An attacker might use compromised credentials to access your cloud services environment and start using your account to install cryptomining software on virtual machines.
An attacker might compromise your cloud-based LLM (LLM jacking) and use it to install cryptojacking code.
Attackers using cryptojacking code may use sophisticated means to avoid detection. For example, hackers may change the names of code functions to make them harder to recognize using normal means (code obfuscation), or they may create code that can mutate into new versions while running (polymorphic code).
Despite such evasion techniques, security professionals can use a variety of techniques to neutralize and prevent cryptojacking code in business environments:
Automated scanning, patching, and updates can help mitigate the latest cryptojacking vulnerabilities.
Cryptojacking code must communicate with cryptomining services, which are often known actors, so firewalls and system log analysis aided by EDR and CDR tools can intercept suspicious communication.
Distributed denial of service (DDoS) protection methods can thwart attempts to consume excessive resources.
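As an added example of the log-analysis defense described above (this is not code from the original page or from Wiz), the script below scans constructed network log lines for the Stratum JSON-RPC messages that miners use to talk to pools. The log format, the pool hostname and the port list are assumptions; a real deployment would parse its own proxy or EDR telemetry and take its blocklist from a threat-intelligence feed.

```python
"""Flag outbound connections that look like Stratum mining-pool traffic.
Added example, not code from the original page; the log format
('<ts> <host> <dst>:<port> <payload>') and the blocklist are constructed."""
import json
import re

# JSON-RPC methods used by the Stratum mining protocol (XMRig uses "login").
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
POOL_STYLE_PORTS = {3333, 4444, 5555, 7777, 14444}  # weak hint, never sufficient alone
KNOWN_POOL_HOSTS = {"pool.example-miner.invalid"}  # constructed stand-in for a threat-intel feed
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<payload>.*)$")

def classify(line):
    """Return a finding dict for a line carrying a mining indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dst, port, payload = m["dst"], int(m["port"]), m["payload"]
    reasons = []
    if dst in KNOWN_POOL_HOSTS:
        reasons.append("known pool host")
    if port in POOL_STYLE_PORTS:
        reasons.append(f"pool-style port {port}")
    try:  # Stratum speaks JSON-RPC, so inspect the payload for its methods.
        msg = json.loads(payload)
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            reasons.append(f"stratum method {msg['method']}")
            params = msg.get("params")
            agent = params.get("agent", "") if isinstance(params, dict) else ""
            if "xmrig" in agent.lower():
                reasons.append("XMRig agent string")
    except ValueError:
        pass  # not JSON: no protocol evidence on this line
    # Alert only on protocol evidence or a blocklisted host; a port alone is noise.
    if not any(r.startswith("stratum") or r == "known pool host" for r in reasons):
        return None
    return {"host": m["host"], "dst": dst, "port": port, "reasons": reasons}

def scan(lines):
    """Run classify() over a log stream and keep only the findings."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    '2024-05-01T10:00:01Z web-01 api.internal.invalid:443 {"method":"GET"}',
    '2024-05-01T10:00:05Z web-01 pool.example-miner.invalid:3333 '
    '{"method":"login","params":{"login":"wallet","agent":"XMRig/6.21.0"}}',
    '2024-05-01T10:00:09Z build-02 203.0.113.7:4444 {"method":"mining.subscribe","params":[]}',
    '2024-05-01T10:00:12Z db-01 backup.internal.invalid:4444 not-json-at-all',
]
```

The last sample line shows the caveat in practice: a pool-style port with no protocol evidence is not reported, because backup and database traffic commonly reuses such ports.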
Cryptojacking malware
Unlike other types of malware, cryptojacking malware won’t necessarily shut down your computer or destroy your data. Threat actors deploying cryptojacking malware generally want everything functioning in tip-top shape.
That said, standard cryptojacking malware will almost certainly compromise your device’s performance. Mining crypto ties up the CPU so that it’s too busy to handle legitimate requests. In the cloud, this could also lead to the creation of additional instances to handle what is perceived as extra load, potentially driving cloud costs into the stratosphere.
Advanced cryptojacking techniques, such as proof-of-storage cryptojacking malware, won’t have the physical side effects and impact on computing power but could seriously drive up cloud bills, scaling up storage to major proportions without your knowledge or consent.
As with many other types of malware, the most common vector for cryptojackers is social engineering—tricking a user into clicking a link that will, in turn, download and install the malicious cryptojacking application.
Why is cryptojacking a major cloud cybersecurity threat?
At first glance, cryptojacking may seem like a less serious threat than much of what’s out there today. Yet the repercussions for the organization can be serious:
Spiraling costs: Hidden mining increases resource costs and your overall cloud services spend.
Performance problems: Stolen processing power slows devices, harming individual and organizational productivity. Cryptojacking decreases the efficiency and speed of genuine computing workloads, affecting legitimate users like employees, customers, and end users.
Privacy and security risks: Since cryptojacking malware has already gained access to your environment, it can simplify lateral movement to help attackers achieve other goals, like stealing sensitive data.
Other attacks: Attackers may take advantage of the access they have already gained to your environment to introduce other types of malware, causing additional harm, such as exfiltration of confidential end-user or employee data.
Plus, cryptojacking profits are often funneled back into other cybercrime activities, broadening the scale of the harm malicious actors are able to achieve.
Three types of cryptojacking
These are the most common ways attackers can steal your resources to make money through cryptojacking:
Method of attack | How it works | How it's different | Impact
---|---|---|---
1. Browser-based cryptojacking | Runs directly in the browser; no software install required | Malicious code loads right in the browser on a website, using your browser's resources to solve complex math problems for cryptocurrency mining | 
2. Host-based cryptojacking | Malware infects the device, using your processing power (CPU/GPU) to mine cryptocurrency | Persistent files left on the system may make detection easier | 
3. Memory-based cryptojacking | Uses complex techniques like code injection and memory manipulation to access and manipulate RAM (memory) | Operates in real time almost entirely within RAM, leaving no trace | 
Some cryptojacking malware may also use a hybrid approach that takes advantage of browser and host.
How does cryptojacking work? Anatomy of a cryptojacking attack
Most cryptojacking attacks follow a fairly standard methodology:
An attacker creates crypto-mining software and hides it in a website, within application code, or behind an innocuous-seeming link.
A victim connects, unknowingly downloading the software.
The software silently uses the victim's CPU or other resources to mine cryptocurrency by solving cryptographic “puzzles” and reaping rewards in cryptocurrency. Rewards accumulate in the attacker’s crypto wallet, and the cryptojacking persists until it’s detected—which could be a very long time.
Advanced cryptojacking malware may also use “worm” abilities to spread laterally throughout the environment, infecting connected resources. This maximizes gains for the attacker while multiplying the potential damage within your organization.
Your 5 best defenses against cryptojacking
1. Deploy modern cybersecurity protection
Today’s protection must include endpoint detection and response (EDR) for all physical devices, along with cloud detection and response (CDR), which monitors, detects, and provides response capabilities for all cloud-based resources. As part of your overall approach to security, EDR should restrict unauthorized scripts, using ad blockers if possible, and block access to sites based on reputation.
In addition, CDR streamlines security in cloud environments, giving you deep visibility across VMs, containers, serverless functions, and your entire infrastructure. That means you can pinpoint threats quickly and set up automated responses that save work for your team, like quarantining workloads or network isolation, ensuring nothing falls through the cracks.
2. Keep software and systems regularly updated
Patching should be the cornerstone of your organization’s proactive defense against cryptojacking, ideally incorporating automation to cut the IT team’s workload. Patch management identifies and installs software updates to fix vulnerabilities and bugs, along with other improvements such as performance enhancements and new features. Cryptojacking often takes advantage of software vulnerabilities, including long-standing vulnerabilities, so choose a modern patching solution that helps you prioritize so your most sensitive assets are patched first.
3. Monitor CPU and GPU usage for anomalies
Because cryptojacking by its nature consumes excessive resources, monitoring for sudden, unexplained spikes in CPU or GPU activity can help you detect cryptojacking scripts running in the background. Set up an automated alert system to notify security teams when your monitoring system detects abnormal resource consumption exceeding a designated threshold. Deploy DDoS protection tools to shut down resource overconsumption.
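As an added example of the threshold-based alerting described above (not code from the original page or from Wiz), the detector below raises an alert only when CPU utilisation stays above a threshold for a sustained window, so a short build or backup spike does not page anyone while a miner that keeps the CPU pinned does. The per-minute samples, the 85% threshold, the 10-minute window and the optional per-host baseline are constructed assumptions to tune per workload; the baseline option goes slightly beyond the passage by also catching a miner that throttles itself below the absolute threshold.

```python
"""Alert on sustained CPU saturation, not on momentary spikes.
Added example, not code from the original page; the samples, threshold and
window are constructed values to tune per workload."""
from dataclasses import dataclass

@dataclass
class Alert:
    host: str
    start_idx: int  # index of the first sample in the sustained run
    minutes: int    # consecutive samples (one per minute) above threshold
    peak: float

def detect_sustained_cpu(host, samples, threshold=85.0, min_minutes=10, baseline=None):
    """Return an Alert for every run of >= min_minutes samples above threshold.

    A build job or backup may pin the CPU for a few minutes; a miner keeps it
    pinned for as long as it runs, so persistence is the signal. A miner that
    throttles itself may never reach 85%, so when a per-host baseline is known
    a sustained 4x rise over that baseline also counts as saturation.
    """
    if baseline is not None:
        threshold = min(threshold, 4 * baseline)
    alerts, run_start, peak = [], None, 0.0
    for i, cpu in enumerate(list(samples) + [0.0]):  # sentinel closes a trailing run
        if cpu > threshold:
            if run_start is None:
                run_start, peak = i, cpu
            peak = max(peak, cpu)
        elif run_start is not None:
            if i - run_start >= min_minutes:
                alerts.append(Alert(host, run_start, i - run_start, peak))
            run_start = None
    return alerts

# Constructed per-minute samples: idle, a 3-minute build spike, then 12 minutes pinned.
SAMPLE_CPU = [12, 15, 11, 96, 98, 94, 14, 13,
              99, 100, 98, 99, 100, 97, 99, 98, 100, 99, 98, 99, 20, 18]
# Constructed samples of a throttled miner holding ~55% on a host that idles at 10%.
THROTTLED_CPU = [10] * 5 + [55] * 12 + [10] * 3
```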
4. Block cryptojacking scripts in web browsers
To stop cryptojacking scripts from running on web browsers, install browser extensions that block cryptomining, such as MinerBlock, NoCoin, or uBlock Origin. Most cryptojacking scripts use JavaScript, so disabling JavaScript on untrusted websites can reduce browser-based cryptojacking vulnerability.
5. Audit third-party applications and dependencies
Infected software supply chains can introduce cryptojacking malware into your system. Keep your supply chain clean of hidden cryptojacking code by only using trusted software repositories. Routinely scan third-party libraries, plugins, and open-source dependencies before deployment. Remove outdated or untrusted browser extensions or applications that attackers could exploit.
6. Keep an eye on cloud costs
Regularly monitor your cloud spend to avoid unpleasant surprises caused by cryptojacking. In one case, Microsoft analysis identified $300,000 in excess compute fees. Unexpected surges in compute or storage fees can indicate unauthorized resource utilization. Cloud cost management tools and spending alerts can help you flag anomalies early on, ensuring that you can take corrective action and avoid potential losses.
7. Train employees on phishing and avoiding suspicious links/attachments
Educating employees on social engineering tactics like phishing can significantly reduce the risk of cryptojacking infection. However, it’s important not to rely solely on this line of defense given the increasing sophistication of malware attacks. Beyond ensuring that employees are equipped to identify suspicious communications and sites, be sure to minimize attack surfaces. The principle of least privilege (PoLP) grants only essential permissions to users, software, and devices, reducing the potential impact of breaches. And remember to regularly remove unused accounts to further tighten security.
8. Implement real-time monitoring and threat detection
One of the hallmarks of cryptojacking malware is that it can remain hidden for long periods of time, staying under the radar of many threat detection systems while it continues generating profits for attackers. That’s why real-time threat detection is crucial. An effective CDR solution will incorporate behavioral analytics, identifying anomalies in your organization’s patterns of cloud server use—for example, in system logs, network traffic, and commands—with the goal of stopping crypto mining before it impacts your business.
Real-world cryptojacking examples
Cryptojacking analysis provides insight into the methods attackers use, the risks they represent, and defenses that counter them effectively. Some of the most important real-world cryptojacking examples include:
Cloud cryptomining: In 2023, Wiz Research discovered cryptomining activity targeting cloud workloads, using file hosting services to spread open-source mining malware, detected automatically by the Wiz Runtime Sensor and neutralized through follow-up action by the Wiz team.
CoinHive: From 2017 to 2019, the CoinHive cryptomining service provided webmasters with JavaScript code in return for a share of cryptojacking revenue, infecting YouTube ads and becoming one of the most successful cryptomining platforms until antivirus software and ad blockers made its business unprofitable.
JenkinsMiner: In 2017, a Monero cryptocurrency mining trojan called JenkinsMiner started targeting the Jenkins open-source automation server, leveraging weak validation methods to infect servers and generating $3.4 million before Jenkins released a fix.
Tesla: In 2018, shortly after news of JenkinsMiner broke, security firm RedLock received a $3,000 bug bounty for reporting that attackers had used similar methods to gain access to Tesla's Amazon Web Services (AWS) account through a Kubernetes console lacking password protection, which Tesla fixed within hours of receiving the report.
The future of cryptojacking: What organizations need to know
Cryptojacking continues to grow in popularity as blockchain and cryptocurrency grow more popular, and attackers continue to develop new methods. Here are some of the key trends organizations and security professionals will see going forward:
Cloud-based cryptojacking: Attackers increasingly target cloud computing environments, Kubernetes clusters, and containerized workloads to scale up cryptocurrency mining profits.
IoT cryptojacking and edge cryptojacking: As attacks move to the cloud, cryptojackers are expanding into the Internet of Things, using cryptojacking scripts and malware to target smart devices, industrial IoT systems, and even automobiles.
Advanced cryptojacking detection evasion techniques: Newer cryptojacking malware attempts to evade detection by using methods such as polymorphic code, fileless execution, and encrypted communication channels.
Cryptojacking malware integrated with ransomware and multi-purpose malware: For maximum impact, cryptojackers have started to combine cryptomining with data theft, ransomware encryption, and remote access trojans (RATs).
Cryptojacking-as-a-service (CJaaS): Cybercriminals on the dark web are providing cryptojacking services that enable even low-skilled attackers to launch attacks easily.
AI-powered cryptojacking detection: Security teams are applying AI-driven behavioral analytics in real time to identify unusual CPU spikes, unauthorized cryptomining scripts, and cryptojacking code.
Defend against cryptojacking with CNAPP
Wiz is a cloud security platform that proactively identifies and remediates vulnerabilities and misconfigurations that cryptojacking malware could exploit to gain a foothold. On top of this, its CDR capabilities can identify and remediate even the most advanced malware.
As a cloud native application protection platform (CNAPP), Wiz empowers your organization to stay ahead of attackers and secure your cloud environments in several ways:
Unmasking hidden cloud risks based on your critical and most exposed assets
Prioritizing real threats, not CVEs, using Wiz’s “toxic combinations” score that’s based on real impact to your business
Putting an end to alert fatigue with clear, high-efficacy detections and remediation guidance
Wiz gives you centralized control for all security, and it’s scalable and agentless—meaning there’s never anything to install. Plus, you’ll get seamless integrations and AI insights. See for yourself. Get a demo and experience the simplicity and security Wiz brings to your entire cloud environment.