Cryptojacking – What is it, and how does it work? | Malwarebytes (2024)

All about cryptojacking

Cryptojacking (also called malicious cryptomining) is an online threat that hides on a computer or mobile device and uses the machine’s resources to “mine” forms of online currency known as cryptocurrencies. Malicious cryptominers often come through web browser downloads or rogue mobile apps. Cryptojacking can compromise all kinds of devices, including desktops, laptops, smartphones, and even network servers.

Like most other malicious attacks on the computing public, the motive is profit, but unlike many threats, it’s designed to stay completely hidden from the user. To understand the mechanics of the threat and how to protect yourself against it, let’s begin with a bit of background.

What are cryptocurrencies?

Cryptocurrencies are forms of digital money that exist only in the online world, with no actual physical form. They were created as an alternative to traditional money, and gained popularity for their forward-looking design, growth potential, and anonymity. One of the earliest, most successful forms of cryptocurrency, Bitcoin, came out in 2009, and gained mainstream recognition in the years following.

Bitcoin’s success inspired dozens of other cryptocurrencies that operate in more or less the same way. You may be familiar with names like Ethereum or Dogecoin, for instance. Today, people all over the world use cryptocurrencies to buy things, sell things, and make investments.

Two words—“cryptography” and “currency”—combine to form “cryptocurrency,” which is electronic money, based on the principles of complex mathematical encryption. All cryptocurrencies exist as encrypted decentralized monetary units, freely transferable between network participants. Or put more simply, cryptocurrency is electricity converted into lines of code, which have a real monetary value.

Units of cryptocurrency (called “coins”) are nothing more than entries in a database. In order to perform a transaction that alters the database, one must meet certain conditions. Think of how you track your own money in a bank account. Whenever you authorize transfers, withdrawals, or deposits, the bank’s database updates with your new transactions. Cryptocurrencies work in a similar way, but with a decentralized database.

Unlike traditional currencies, cryptocurrencies like bitcoin aren’t backed by a specific government or bank. There is no government oversight or central regulator of cryptocurrency. It is decentralized and managed in multiple duplicate databases simultaneously across a network of millions of computers that belong to no one person or organization. What’s more, the cryptocurrency database functions as a digital ledger. It uses encryption to control the creation of new coins and verify the transfer of funds. All the while, the cryptocurrency and its owners remain completely anonymous.

The decentralized, anonymous nature of cryptocurrencies means there is no regulating body that decides how much of the currency to release into circulation. Instead, the way most cryptocurrencies enter circulation is through a process called “cryptocurrency mining.” Without going too in depth, the mining process essentially turns computing resources into cryptocurrency coins. At first, anyone with a computer could mine cryptocurrency, but it quickly turned into an arms race.

Today, most miners use powerful, purpose-built computers that mine cryptocurrency around the clock. Before long, people started to look for new ways to mine cryptocurrency, and cryptojacking was born. Instead of paying for an expensive mining computer, hackers infect regular computers and use them as a network to do their bidding.

How do people use cryptocurrencies?

Cryptocurrency owners keep their money in virtual “wallets,” which are securely encrypted with private keys. In a transaction, the transfer of funds between the owners of two digital wallets requires that a record of this exchange be entered into the decentralized public digital ledger. Special computers collect data from the latest Bitcoin or other cryptocurrency transactions about every 10 minutes and turn them into a mathematical puzzle. There, the transaction-within-a-puzzle awaits confirmation.

Confirmation only happens when members of another category of participants, called miners, independently solve the complex mathematical puzzles that prove the transaction’s legitimacy, thereby completing the transaction from the owner of one wallet to another. Typically, an army of miners toils away on the puzzle simultaneously in a race to be the first with the puzzle proof that authenticates the transaction.

The miner who first solves the encrypted problem receives a reward, usually some amount of new cryptocoin. This approach was specially conceived as an incentive for those who sacrifice the time and computing power of their computers to maintain the network and create new coins. Because the complexity of the puzzle calculations has steadily increased over time (and particularly for Bitcoin), miners found that even high-end PCs with a powerful processor could not mine profitably enough to cover the costs involved.
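To make the "puzzle" concrete, here is an added toy example (not from the original article, and not Bitcoin's real block format). It assumes the puzzle is "find a nonce so that SHA-256 of the data plus nonce starts with a required number of zero bits", and shows that each extra required bit doubles the solver's average work while checking a solution still costs one hash.

```python
import hashlib

# Added illustration: a toy hash puzzle, not a real cryptocurrency's format.
# Assumption: "solving the puzzle" is modelled as finding a nonce such that
# SHA-256(block_data + nonce) starts with a required number of zero bits.


def leading_zero_bits(digest):
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def puzzle_hash(block_data, nonce):
    """Hash the transaction data together with the candidate nonce."""
    return hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest()


def solve(block_data, difficulty_bits):
    """Brute-force search; returns (nonce, number_of_hashes_tried)."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(block_data, nonce)) < difficulty_bits:
        nonce += 1
    return nonce, nonce + 1


def verify(block_data, nonce, difficulty_bits):
    """Checking a claimed solution costs exactly one hash."""
    return leading_zero_bits(puzzle_hash(block_data, nonce)) >= difficulty_bits


def expected_hashes(difficulty_bits):
    """Average work: each extra required zero bit doubles the search."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    block = b"constructed sample: wallet A pays wallet B 1 coin"
    for bits in (8, 12, 16):
        nonce, tried = solve(block, bits)
        print(f"{bits:2d} zero bits: nonce={nonce}, hashes tried={tried}, "
              f"average={expected_hashes(bits)}, "
              f"verified={verify(block, nonce, bits)}")
```
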

Miners stepped up their game by adding sophisticated video cards, sometimes multiple cards, to handle the burdensome calculations. Eventually, miners who wanted to stay competitive ramped up to building huge farms of computers with dedicated hardware for mining cryptocurrencies on a commercial scale. That is where we are today: serious cryptocurrency players invest big money into a high-stakes battle against other miners in order to solve the puzzle first and claim their reward.

Scaling up to this massive effort is a hugely expensive arms race, requiring a lot of processing power and electricity to increase miners’ chances of being profitable. For instance, before China shut down cryptocurrency farms in that country, monthly electrical bills reportedly reached $80,000.

What is cryptojacking?

Cryptojacking is a scheme to use people’s devices (computers, smartphones, tablets, or even servers), without their consent or knowledge, to secretly mine cryptocurrency on the victim’s dime. Instead of building a dedicated cryptomining computer, hackers use cryptojacking to steal computing resources from their victims’ devices. When you add all these resources up, hackers are able to compete against sophisticated cryptomining operations without the costly overhead.

If you’re a victim of cryptojacking, you may not notice. Most cryptojacking software is designed to stay hidden from the user, but that doesn’t mean it’s not taking its toll. This theft of your computing resources slows down other processes, increases your electricity bills, and shortens the life of your device. Depending on how subtle the attack is, you may notice certain red flags. If your PC or Mac slows down or uses its cooling fan more than normal, you may have reason to suspect cryptojacking.

The motivation behind cryptojacking is simple: money. Mining cryptocurrencies can be very lucrative, but turning a profit is now next to impossible without the means to cover large costs. To someone with limited resources and questionable morals, cryptojacking is an effective, inexpensive way to mine valuable coins.

How does cryptojacking work?

Cryptojackers have more than one way to enslave your computer. One method works like classic malware. You click on a malicious link in an email and it loads cryptomining code directly onto your computer. Once your computer is infected, the cryptojacker starts working around the clock to mine cryptocurrency while staying hidden in the background. Because it resides on your PC, it’s local—a persistent threat that has infected the computer itself.

An alternative cryptojacking approach is sometimes called drive-by cryptomining. Similar to malicious advertising exploits, the scheme involves embedding a piece of JavaScript code into a web page. After that, it performs cryptocurrency mining on user machines that visit the page.

In early instances of drive-by cryptomining, web publishers caught up in the bitcoin craze sought to supplement their revenue and monetize their traffic by openly asking visitors’ permission to mine for cryptocurrencies while on their site. They posed it as a fair exchange: you get free content while they use your computer for mining.

If you’re on, say, a gaming site, then you probably will stay on the page for some time while the JavaScript code mines for coin. Then when you quit the site, the cryptomining shuts down too and releases your computer. In theory, this isn’t so bad so long as the site is transparent and honest about what they’re doing, but it’s hard to be sure the sites are playing fair.

More malicious versions of drive-by cryptomining don’t bother asking for permission and keep running long after you leave the initial site. This is a common technique for owners of dubious sites, or hackers that have compromised legitimate sites. Users have no idea that a site they visited has been using their computer to mine cryptocurrency. The code uses just enough system resources to remain unnoticed. Although the user thinks the visible browser windows are closed, a hidden one stays open. Usually it’s a pop-under which is sized to fit under the task bar or behind the clock.

Drive-by cryptomining can even infect your Android mobile device. It works with the same methods that target desktops. Some attacks occur through a Trojan hidden in a downloaded app. Or users’ phones can be redirected to an infected site that leaves a persistent pop-under. There’s even a Trojan out there that invades Android phones with an installer so nefarious that it can tax the processor to the point that the phone overheats, makes the battery bulge, and essentially leaves your Android for dead. So there’s that.

You might think, “Why use my phone and its relatively minor processing power?” But when these attacks happen en masse, the greater number of smartphones out there adds up to a collective strength worth the cryptojackers’ attention.

Some cybersecurity pros point out that, unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. But stealing CPU resources has consequences. Sure, slower computer performance might just be an annoyance for an individual user. But for larger organizations that might have suffered many cryptojacked systems, there are real costs. Electricity costs, IT labor costs, and missed opportunities are just some of the consequences of what happens when an organization is affected by drive-by cryptojacking.

How prevalent is cryptojacking?

Over the past several years, cryptojacking has become a fairly common threat type, surging in popularity in 2017 and 2018. In February 2018, Malwarebytes Labs published that malicious cryptomining had become the most common detection type since September 2017. In October 2017, Fortune suggested that cryptojacking is the next major security threat. In the first quarter of 2018, we saw a 4,000 percent increase in detections of Android-based cryptojacking malware.

During this time, the cryptojackers continued to up their game, invading increasingly powerful hardware. One example is an incident where criminals cryptojacked the operational technology network of a European water utility’s control system, degrading the operators’ ability to manage the utility plant. In another instance from the same report, a group of Russian scientists allegedly used the supercomputer at their research and nuclear warhead facility to mine Bitcoin.

More recently, while other types of malware have increased in prevalence and made international headlines (ransomware in 2021, for instance), cryptojacking has become somewhat of a mainstay threat type. In our 2021 State of Malware Report, we noted that BitCoinMiner remained the top business threat for Windows computers, and for consumers, Mac computers in particular saw an increase in cryptocurrency stealers/miners.

While cryptojacking may not be making as many headlines as it did in 2017 and 2018, it remains a relatively low-risk way for threat actors to make money off of other people’s resources, so it’s important to protect your devices from this type of threat.

How do I protect myself from cryptojacking?

Whether you’ve been cryptojacked locally on your system, or through the browser, it can be difficult to manually detect the intrusion after the fact. Likewise, finding the origin of the high CPU usage can be difficult. Processes might be hiding themselves or masking as something legitimate in order to hinder you from stopping the abuse. As a bonus to the cryptojackers, when your computer is running at maximum capacity, it will run ultra slow, and therefore be harder to troubleshoot. As with all other malware precautions, it’s much better to install security before you become a victim.

One obvious option is to block JavaScript in the browser that you use to surf the web. Although that interrupts the drive-by cryptojacking, this could likewise block you from using functions that you like and need. There are also specialized programs, such as “No Coin” and “MinerBlock,” which block mining activities in popular browsers. Both have extensions for Chrome, Firefox, and Opera. Opera’s latest versions even have NoCoin built in.

However, our suggestion is to avoid a purpose-built solution and look for a more comprehensive cybersecurity program. Malwarebytes Premium, for example, protects you from more than just cryptojacking. It also prevents malware, ransomware, and many other online threats. Whether attackers try to use malware, a browser-based drive-by download, or a Trojan (like Emotet), you’re protected against cryptojacking.

In a threat landscape that’s constantly morphing, staying safe from the latest menaces like cryptojacking is a full-time job. With Malwarebytes Premium, you’ll have the means to detect and clean up any kind of intrusion and ensure your computer resources remain yours alone.

(For further reading, see “How to protect your computer from malicious cryptomining” by Pieter Arntz.)

Cryptojacking news

  • Cold wallet, hot wallet, or empty wallet?
  • Cryptomining containers caught coining cryptocurrency covertly
  • Fake Trezor app steals more than $1 million worth of crypto coins
  • New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux
  • Cryptojacking in the post-Coinhive era
  • Drive-by cryptomining campaign targets millions of Android users
  • How to protect your computer from malicious cryptomining
  • Persistent drive-by cryptomining coming to a browser near you
  • A look into the global drive-by cryptocurrency mining phenomenon
  • A look into Drupalgeddon’s client-side attacks
  • The state of malicious cryptomining
  • Bank robbers 2.0: digital thievery and stolen cryptocoins

FAQs

What is cryptojacking and how does it work?

Cryptojacking is a type of cybercrime where a criminal secretly uses a victim's computing power to generate cryptocurrency.

What is a real world example of cryptojacking?

Real-World Cryptojacking Examples

Since 2017, Smominru has infected hundreds of thousands of Microsoft Windows systems worldwide to mine Monero cryptocurrency. It spreads by brute-forcing RDP credentials and exploiting software vulnerabilities, and can even execute ransomware, trojans, and more on compromised systems.

How do you know if you have been cryptojacked?

Check to See if Your Browser Is Secretly Still Running

Cryptojackers typically run through your browser and can create a tiny “pop-up” browser window that hides behind your Start button or toolbar, so it can continue to consume computer resources even after you think you've closed your browser.

Is crypto jacking illegal?

Cryptojacking is the illegal practice of using a computer or mobile device to mine cryptocurrencies without the user's knowledge or permission.

How does crypto mining pay you?

Bitcoin miners receive bitcoin as a reward for creating new blocks which are added to the blockchain. Mining rewards can be hard to come by due to the intense competition.

How does crypto mining work for dummies?

Cryptocurrency mining is, at its simplest, the digital equivalent of mining for gold. But miners use computers instead of shovels and pickaxes to solve complex mathematical puzzles. Every solved puzzle verifies a block of transactions which is then added to the blockchain—a decentralized ledger.

How much money can you make with cryptojacking?

Cryptojacking is when threat actors use stolen cloud resources to avoid paying for the necessary servers and power, the cost of which typically outweighs the profits. Cryptojackers make $1 for every $53 their victim is billed.

Who are the victims of cryptojacking?

The potential victim includes any individual in any organization. Like ransomware, cryptojacking can affect your organization despite your best efforts to stop it. Detecting it can be difficult, as even endpoint protection tools stop cryptojacking.

What is cryptojacking in simple terms?

Cryptojacking is a type of cybercrime that involves the unauthorized use of people's devices (computers, smartphones, tablets, or even servers) by cybercriminals to mine for cryptocurrency.

What is the problem with cryptojacking?

Overheating caused by cryptojacking may damage your computer or shorten the lifespan of the device. A fan that runs faster than usual may indicate that a cryptojacking website or script is overheating the device. The fan, in this scenario, is running excessively in order to prevent fire or melting.

How do I check if my PC is being mined?

Windows: Open the Task Manager (Ctrl+Shift+Esc) and check the “Performance” tab. A consistent high CPU usage, especially when the device is idle, is a red flag. Mac: Use the Activity Monitor (found in Utilities) and check the CPU tab for any unusual activity.
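The manual check above (sustained high CPU while the device is idle) can be automated over per-minute process samples, as in this added example, which is not from the original page or from Malwarebytes. The sample data, the process names, the 60% threshold and the 10-minute window are constructed assumptions; a real collector would supply the samples.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    minute: int         # minutes since monitoring started
    user_idle: bool     # no keyboard/mouse input during this minute
    process: str
    cpu_percent: float


def longest_idle_busy_run(samples, threshold):
    """Per process: longest streak of consecutive minutes with CPU at or
    above `threshold` while the user was idle."""
    best = {}
    current = defaultdict(int)
    last_minute = {}
    for s in sorted(samples, key=lambda s: (s.process, s.minute)):
        busy = s.user_idle and s.cpu_percent >= threshold
        # A gap in sampling breaks the streak, so short bursts cannot be
        # stitched together into a false "sustained" run.
        contiguous = last_minute.get(s.process) == s.minute - 1
        if busy:
            current[s.process] = current[s.process] + 1 if contiguous else 1
            best[s.process] = max(best.get(s.process, 0), current[s.process])
        else:
            current[s.process] = 0
        last_minute[s.process] = s.minute
    return best


def flag_suspects(samples, threshold=60.0, min_minutes=10):
    """Processes that stayed busy for `min_minutes` or more while idle."""
    runs = longest_idle_busy_run(samples, threshold)
    return sorted(p for p, run in runs.items() if run >= min_minutes)


def build_constructed_samples():
    """Constructed data: 30 minutes, user active only in minutes 12-14."""
    samples = []
    for minute in range(30):
        idle = minute not in (12, 13, 14)
        # Hypothetical miner: backs off whenever the user is active.
        samples.append(Sample(minute, idle, "updater-helper",
                              72.0 if idle else 4.0))
        # Legitimate short burst: a 4-minute backup job.
        samples.append(Sample(minute, idle, "backup",
                              90.0 if 5 <= minute <= 8 else 1.0))
        # Busy only while the user is actually using it.
        samples.append(Sample(minute, idle, "browser",
                              3.0 if idle else 80.0))
    return samples


if __name__ == "__main__":
    data = build_constructed_samples()
    print("longest idle-busy runs:", longest_idle_busy_run(data, 60.0))
    print("suspects:", flag_suspects(data))
```

Lower the threshold to catch throttled miners that use just enough CPU to stay unnoticed, at the cost of more false positives from legitimate background jobs.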

How can you tell if someone is crypto mining?

Cryptocurrency mining can be detected in the network. Machine learning can be employed to detect mining services automatically. A dedicated web application collects the IP addresses and service availability of various mining pool servers.

Can you go to jail for crypto scamming?

This could be as simple as creating a website intending to defraud visitors out of their Bitcoin. Depending on the amount defrauded, defendants face between 1 and 30 years in prison, and $1,000 to $10,000 in fines.

Can you go to jail for using crypto?

You can face federal criminal charges for various acts using cryptocurrency, so it is essential to speak to an experienced federal criminal defense attorney when facing criminal allegations related to cryptocurrency.

Can police track crypto?

As a digital currency, there is no way to track or identify who is sending or receiving Bitcoin.

What are the methods of cryptojacking?

Cryptojacking Methods

Cryptojacking attacks compromise their victims using three main methods: file-based, browser-based, and cloud cryptojacking.

What is cryptojacking and how do you prevent it?

Cryptojacking is when hackers run malware on other people's hardware to secretly mine cryptocurrency. This normally requires considerable processing power, but cryptojacking attacks allow hackers to mine cryptocurrency quickly and efficiently, without having to use their own computing resources.

Article information

Author: Velia Krajcik
