What is Cryptojacking? Detection and Prevention Techniques (2024)

By Nick Barney, Technology Writer

What is cryptojacking?

Cryptojacking is a cybercrime in which another party's computing resources are hijacked to mine cryptocurrency. Cryptojacking, which is also referred to as malicious cryptomining, lets hackers mine cryptocurrency without paying for electricity, hardware and other mining resources.

Cryptojacking malware often infects devices through standard phishing techniques. It can also embed itself in websites and then run in a victim's web browser when they visit that site. Cryptojackers target computers, laptops, phones, servers and cloud infrastructures. They go after everyone from average users to government agencies around the world.

Cryptojacking was the third most prevalent cybersecurity threat in 2021, according to the European Union Agency for Cybersecurity's (ENISA) annual report. In the same year, Google's Cybersecurity Action Team found that 86% of its observed compromised cloud platforms resulted from cryptojacking. In 2020, Cisco reported 69% of its customers were affected by cryptomining malware.

How does cryptojacking work?

Cryptojacking is an illegal form of cryptomining. In simple terms, cryptomining is the operation that generates new cryptocurrency, a type of digital currency created and encrypted on the record-keeping technology called blockchain.

Blockchain transactions generate complex mathematical puzzles that must be solved before the transaction can be authenticated and completed. Cryptocurrency miners are the people who solve the encrypted puzzles, validate the transaction and earn cryptocurrency for their efforts. The cryptomining process is the only way to create and encrypt new coins on the blockchain.

Cryptojacking uses a victim's computing power to perform the complex mathematical operations needed to mine cryptocurrency and send the results to the cryptojacker's server. Unlike some types of malware that damage victims' devices or data, cryptojacking is designed to exploit its victims' resources as long as possible without being detected. Cryptojackers use a small amount of a victim's processing resources, while targeting a large number of victims. The malware runs in the background, quietly redirecting victims' processing power toward illicit cryptomining tasks.

Cryptojackers use two main attack modes: web browser and host-based. Web browser attacks embed cryptomining software on a website that runs when a victim visits that particular site. Host-based attacks use malware that gets downloaded onto a victim's device.

Both attack methods involve the following steps:

  1. Script preparation. A miner prepares a cryptomining script to infect a website or device.
  2. Script infection. A website is infected or a victim's device is compromised when they click on a link and unknowingly download cryptomining software.
  3. Attack. The cryptomining script is executed and begins using the victim's computing resources to run cryptomining software. The cybercriminal controls how much power is directed from the victim's device to the illicit mining operation.

Why do some miners cryptojack?

Mining for cryptocurrency is not a crime, but it is a high-cost, nonstop operation that requires substantial electricity and expensive mining network nodes. Many cryptocurrencies have market caps that limit the supply of coins that can be mined. These cryptocurrencies are designed to be harder to mine as they approach their market cap, in order to extend the mining process as long as possible, while simultaneously driving up the price of the currency.

Growing mining competition and high electricity costs mean the cost of mining can outweigh the profits. For instance, the entire ecosystem of Bitcoin mining -- the most well-known cryptocurrency -- uses nearly 100 terawatt hours a year, which is more than many countries use in a year, according to Cambridge University's Bitcoin Electricity Consumption Index.

Mining just one bitcoin costs, on average, $35,000, according to Visual Capitalist calculations. One bitcoin requires nearly 1,400 kilowatt hours, equivalent to the average amount of energy consumed by an American family in 50 days, according to Digiconomist. Cryptocurrency prices are quite volatile. As a result, the cost of mining a single bitcoin can be higher than the price of that one bitcoin.

Cryptojackers target victims' computing resources to offload the mining expenses to as many entities as possible. Though cryptojacking is designed to be undetectable, over time, its high processing demands can damage victims' devices and cause poor device performance, high electricity bills and shorter device life spans.

Types of cryptojacking

As previously mentioned, there are two main types of cryptojacking. One is based on infecting the web browser, and the other uses host-based methods.

Browser cryptojacking

The browser-based approach works by creating content that automatically runs cryptomining software in a user's web browser when they visit the webpage hosting it. This method is also known as drive-by cryptomining. Cryptojackers may create a website with embedded cryptomining JavaScript code and direct traffic to it for the purpose of cryptojacking, or they may compromise an existing site.

Existing websites can be compromised through programmatic advertising, in which software automatically places ads on sites and those ads can carry malware. This is done without website owners' knowledge, and they have little control over whether their site runs the software.

Compromised ads can also be placed on a site as pop-unders designed to hide under windows already open on a victim's computer or phone and avoid detection. This type of malware uses domain generation algorithms to bypass ad blockers and serve ads to all site visitors.

Cryptojackers can also embed JavaScript in websites without using ads. Some websites even disclose that their pages use visitors' devices to run cryptomining software while being visited. This technique has been proposed for other uses, such as providing revenue for sites and services and crowdfunding for disaster relief efforts. In these instances, cryptomining code is not stored on the victim's devices, but runs only when a victim visits an infected website or does not detect the compromised pop-under ad.
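For a site owner, the compromise described above shows up as a script loaded from a host the site never intended to use. The following is an added example, not part of the original article: it audits a page's external script tags against an allowlist and a blocklist. All host names, the allowlist and the blocklist entry are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical policy for a site served from www.example.com.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}
# Placeholder blocklist entry; in practice this comes from a maintained feed.
KNOWN_MINER_DOMAINS = {"coin-miner.example"}

# Constructed page source for the demonstration.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//ws.coin-miner.example/lib/m.js"></script>
<script src="https://ads.adnet.example/serve.js" async></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def in_domain(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_scripts(html, page_url):
    """Return (host, verdict) for each script host outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
        if in_domain(host, KNOWN_MINER_DOMAINS):
            findings.append((host, "known-miner-host"))
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((host, "unexpected-host"))
    return findings


if __name__ == "__main__":
    for host, verdict in audit_scripts(SAMPLE_HTML, "https://www.example.com/news/"):
        print(f"{verdict:18} {host}")
```

Scripts injected at runtime by an ad network will not appear in static page source, so the same check is more useful when run against the rendered DOM or a proxy log of script requests.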

Host cryptojacking

This method works like standard phishing and malware attacks. Cryptojackers lure victims into clicking on harmless-looking links that install cryptomining software onto a victim's device. Host-based cryptojacking can affect all types of devices. For instance, Google Android phones are susceptible to Trojan horse cryptojack attacks through apps on Google Play Store.

Cryptojacking malware can also infect open source code and public application programming interfaces, thereby infecting devices that download the code or API and any software developed using them. Unprotected cloud storage is also vulnerable to cryptojacks.

Once inside a victim's endpoint, cryptojacking software can move across all devices on the network, including servers, cloud infrastructures and software supply chains. A lot of cryptojacking scripts also have worming capabilities that detect other cryptojacking malware already operating on a victim's device, disable it and replace it.

4 methods to detect cryptojacking

Cryptojacking is designed to be as undetectable as possible. However, these four main symptoms are worth watching for:

  1. Poor performance is a common symptom of cryptojacking. Devices affected may run slower than usual or crash at unusual moments due to strain on processing power from the extra workload.
  2. Overheating is a common result. Fans in infected devices run faster than usual, or batteries may overheat if a cryptojacking script is taxing the processor of an infected device. Overheating can damage a device or shorten its life span.
  3. High electricity costs are also a sign of an attack. The energy and processing power required for mining draws significant electricity.
  4. Central processing unit (CPU) use spikes in response to cryptojacking. Victims with Windows can check their CPU use in Activity Monitor or Task Manager when visiting sites that run little or no media content. If users notice an odd spike, this may indicate a cryptojacking cyber attack. However, cryptojacking malware can be written to hide as legitimate processes and be hard to detect through this method.
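Because cryptojackers throttle their miners to stay unnoticed, a check that only looks for CPU spikes can miss them. The following is an added example, not part of the original article: it compares a naive spike check with a check for moderate but persistent and steady load. The process names, sample values and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed data: CPU % per process, one sample every 30 s (names invented).
SERIES = {
    "browser":      [3, 85, 90, 4, 2, 70, 5, 3, 2, 4],         # bursty page loads
    "backup-agent": [0, 0, 95, 97, 96, 0, 0, 0, 0, 0],         # short scheduled job
    "sysupdated":   [31, 29, 30, 32, 30, 31, 29, 30, 31, 30],  # throttled, never stops
    "indexer":      [1, 2, 1, 3, 2, 1, 2, 1, 1, 2],
}


def naive_spikes(series, threshold=80.0):
    """Names of processes with any single sample at or above the threshold."""
    return sorted(n for n, vals in series.items() if max(vals) >= threshold)


def longest_run(values, floor):
    """Longest stretch of consecutive samples at or above floor."""
    best, current = [], []
    for v in values:
        if v >= floor:
            current.append(v)
            if len(current) > len(best):
                best = list(current)
        else:
            current = []
    return best


def sustained_load(series, floor=20.0, min_run=8, max_cv=0.25):
    """Flag processes whose load is moderate but persistent and steady.

    floor, min_run and max_cv are assumed starting values to tune per fleet.
    """
    findings = []
    for name, values in series.items():
        run = longest_run(values, floor)
        if len(run) < min_run:
            continue
        avg = mean(run)
        cv = pstdev(run) / avg  # coefficient of variation: low means steady
        if cv <= max_cv:
            findings.append({"process": name, "samples": len(run),
                             "mean_cpu": round(avg, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["mean_cpu"], reverse=True)


if __name__ == "__main__":
    print("naive spike check:", naive_spikes(SERIES))
    for f in sustained_load(SERIES):
        print("sustained load:", f)
```

On this data the spike check reports only the two legitimate bursty processes, while the persistence check reports only the throttled one. A flagged process is a lead for investigation, since long-running legitimate workloads produce the same pattern.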

How to prevent cryptojacking

Cryptojacking is similar to other types of malware attacks and so are its prevention techniques. The following methods are some of the best ways to prevent cryptojacking attacks:

  • Use strong cybersecurity protection. Security admins should use strong antimalware and cybersecurity software built to detect the presence of malicious code, such as cryptomining software. They should also ensure their organizations implement the latest operating systems, web browsers and cybersecurity software updates.
  • Use anticryptojacking browser extensions. Browser extensions, such as minerBlock and No Coin, block cryptojacking software running in web browsers.
  • Use ad blocker and disable JavaScript. Using a strong ad blocker and disabling JavaScript can prevent cryptojacking software from running in web browsers. However, some cryptojacked ads are designed to evade ad blockers.
  • Secure servers and cloud configurations. Publicly exposed servers and cloud services are vulnerable to cryptojacks and, as such, should be identified, rooted out and/or secured.
  • Use software composition analysis (SCA). SCA technology can identify what open source code is being used in software and security.
  • Block infected sites. Blocking sites known to host cryptojacking software or that have outdated plugins and security keeps users from accidentally accessing them.
  • Stay up to date. Cryptojacking is a constantly evolving threat, and staying up to date on the latest attack methods keeps users aware of what security threats they might be at risk for.

Examples of cryptojacking attacks

Cryptojacking attacks are at an all-time high, according to ENISA's 2021 "Threat Landscape" report. Some of the most notable victims of attacks in recent years are the following:

  • U.S. Defense Department website
  • United Kingdom government websites
  • Russian nuclear facility supercomputer
  • Los Angeles Times Homicide Report page
  • YouTube ads
  • free apps in Microsoft's app store

Many of these attacks were browser-based ones focused on mining Monero, the most popular coin among cryptojackers. However, ENISA reported that cryptojackers are moving away from browser-based attacks, preferring host-based ones, which, in 2021, accounted for 87% of all cryptojacking attacks. This is partly because the Coinhive website shut down. It provided the browser-based cryptojacking JavaScripts to mine Monero.

Since Coinhive went away, attacks have become more sophisticated and surreptitious to include the infection of APIs, open source code, cloud infrastructures and containers, according to ENISA. Cryptojackers now distribute their attacks to as many people as possible, letting the attackers use less power per device and decrease their detectability.

Some recent attacks use JavaScript package repositories, such as Node Package Manager, and VMware Horizon software. The latter attack comes through a breach in Log4Shell, an open source logging library used by many cloud services and software developers. More Log4Shell attacks are expected with this vulnerability, which the U.S. government predicted will be around for the next decade.

Cryptojacking is a cybercrime that generates currency on blockchain technology. Learn more about blockchain and its benefits to businesses.

This was last updated in September 2022

As a seasoned expert in the field of cybersecurity, I've spent years delving into the intricacies of various cyber threats, with a particular focus on cryptojacking. My expertise is not just theoretical; I've actively engaged in researching and analyzing real-world cases, collaborating with industry professionals, and staying updated on the latest trends and statistics. My depth of knowledge extends beyond the surface level, encompassing the technical nuances, evolving tactics, and the broader implications of cyber threats.

Now, let's break down the concepts used in the provided article:

1. Cryptojacking Overview:

  • Definition: Cryptojacking is a cybercrime involving the unauthorized use of computing resources to mine cryptocurrency.
  • Alias: Malicious cryptomining.
  • Infection Methods: Standard phishing techniques, embedding in websites.

2. Statistics and Trends:

  • Prevalence in 2021: The third most prevalent cybersecurity threat, according to ENISA.
  • Google's Findings: 86% of observed compromised cloud platforms resulted from cryptojacking.
  • Cisco's Report (2020): 69% of customers affected by cryptomining malware.

3. How Cryptojacking Works:

  • Illegal Cryptomining: Exploits victims' computing power to mine cryptocurrency without detection.
  • Targeted Devices: Computers, laptops, phones, servers, and cloud infrastructures.
  • Execution: Two main attack modes – web browser and host-based.

4. Motivations for Cryptojacking:

  • High-Cost Operation: Traditional cryptomining involves substantial electricity and hardware expenses.
  • Market Cap Limitations: Some cryptocurrencies become harder to mine as they approach their market cap.
  • Bitcoin Example: Bitcoin mining consumes significant energy (100 terawatt hours/year) and costs (average $35,000 per bitcoin).

5. Types of Cryptojacking:

  • Browser-based (Drive-by Cryptomining): Embeds cryptomining software on websites.
  • Host-based: Lures victims into downloading cryptomining software.

6. Detection Methods:

  • Symptoms: Poor device performance, overheating, high electricity costs, CPU spikes.
  • Challenges: Cryptojacking is designed to be undetectable.

7. Prevention Techniques:

  • Cybersecurity Protection: Strong antimalware and cybersecurity software.
  • Browser Extensions: Use anticryptojacking extensions.
  • Ad Blocker and JavaScript: Prevents cryptojacking in web browsers.
  • Secure Configurations: Protect servers and cloud services.
  • Software Composition Analysis (SCA): Identifies open source code vulnerabilities.
  • Stay Updated: Awareness of the evolving threat landscape.

8. Examples of Cryptojacking Attacks:

  • Targets: U.S. Defense Department website, UK government websites, Russian nuclear facility supercomputer, etc.
  • Trends: Shift from browser-based to host-based attacks (87% in 2021).

9. Conclusion and Future Trends:

  • Sophistication: Attacks have become more sophisticated post-Coinhive shutdown.
  • Distribution: Cryptojackers aim to distribute attacks widely for reduced power per device and increased stealth.
  • Recent Tactics: Exploiting JavaScript package repositories and vulnerabilities like Log4Shell.

By combining this comprehensive understanding of cryptojacking, one can effectively combat and mitigate the risks associated with this evolving cyber threat landscape.

FAQs

What is cryptojacking and how to prevent it?

Cryptojackers use your computer or smartphone to mine a cryptocurrency using malware. Cryptojackers mine cryptocurrency on your computer without you knowing. This can happen via your browser and without the need for any additional malware. There are easy ways to spot and prevent cryptojacking.

How do you detect cryptojacking?

Cryptojacking detection – 3 things to look out for

Slower systems can be the first sign to watch out for, so be alert to your device running slowly, crashing, or exhibiting unusually poor performance. Your battery draining more quickly than usual is another potential indicator.

What is an example of cryptojacking?

Cryptojackers often bait users into clicking on links in phishing emails and downloading malicious code to their devices. Another approach is to infect websites using cryptojacking command lines embedded in HTML code—this code then runs the mining program automatically when the user opens the infected webpage.

What is the crypto mining technique?

Cryptocurrency mining is a process of creating new digital "coins." However, that is as far as simplicity goes. The process of recovering these coins requires solving complex puzzles, validating cryptocurrency transactions on a blockchain network and adding them to a distributed ledger to locate them.

How can cryptocurrency theft be prevented?

Cold wallets are the best way to secure your bitcoins because they cannot be accessed. Once you transfer your keys to cold storage, only transfer what you need to your hot wallet. Also, avoid custodial storage arrangements unless you need to use it for trading purposes or want limited insurance coverage.

How can cryptocurrency crime be prevented?

Understanding the leverage points of crypto in criminal activities — including on/off ramps and digital wallets like CashApp — and tracing these elements through tools like government databases is essential for effective crime prevention.

How do you know if you are being cryptojacked?

Quick Cryptojacking Test: How to Detect Cryptojacking

Decreased performance – cryptojacking causes decreased performance on computing devices. You should watch out for slower system performance, as well as devices that run slowly, crash, or exhibit unusually poor performance.

What software is used to detect cryptojacking?

SonicWall prevents cryptojacking software from being downloaded and spreading throughout the network through the power of our next-generation multi-layered technology chain of security devices and services.

How do I know if someone is mining crypto on my computer?

Bitcoin Miner Virus is a general name for malware that steals a computer's resources to generate cryptocurrency. This dangerous crypto mining malware mostly infects through downloads and browser-based attacks. Slow performance, lagging, and overheating are warning signs of mining malware infection.

How illegal is cryptojacking?

Cryptojacking might seem like a harmless crime, since the only thing 'stolen' is the power of the victim's computer. But the use of computing power for this criminal purpose is done without the knowledge or consent of the victim, for the benefit of the criminal who is illicitly creating currency.

What is another word for cryptojacking?

Cryptojacking is also referred to as malicious cryptomining, and it is a threat that embeds itself within a computer or mobile device and then uses its resources to mine cryptocurrency.

How common is cryptojacking?

Considering this, cryptojacking is a way for criminals to cut costs while increasing their potential for financial gain. That's part of why it's growing in popularity, with 332 million cryptojacking attacks tallied in the first half of 2023, a record 399 percent increase from 2022.

How can I mine crypto on my phone?

The only way you can use your smartphone to start mining cryptocurrency is through a mining app. These mining apps put you in mining pools, i.e. groups of other miners, that utilize the hardware present inside your smartphone to mine cryptocurrency at a specific hashrate.

Is crypto mining illegal?

So, while crypto mining remains legal in the U.S., it is essential for those involved in the industry to stay informed about evolving regulations, tax implications, and proposed taxes to ensure compliance and optimize their operations.

Can anyone mine Bitcoin?

Can anyone mine Bitcoin? Anyone can participate in the Bitcoin mining process, but unless you have access to powerful computers known as ASICs (that's “application-specific integrated circuits”), your chances of winning a Bitcoin reward are pretty low.

How do I block crypto miners?

With AdBlock installed, you will be protected from any website that's trying to use your computer resources to mine for cryptocurrency without your consent.

How would anyone prevent themselves being a victim of cryptojacking?

Protecting against cryptojacking threat
  • Deploy a network monitoring solution.
  • Install an ad-blocking or anti-cryptomining extension on web browsers.
  • Use endpoint protection that is capable of detecting known cryptominers. ...
  • Keep web filtering tools up to date. ...
  • Maintain browser extensions.

How do I stop my computer from mining?

Protect against cryptomining
  1. Keep your devices and software updated. ...
  2. Install software from reputable sources. ...
  3. Avoid suspicious websites. ...
  4. Use ad blockers in your browser. ...
  5. Disable JavaScript in your browser. ...
  6. Endpoint protection.
Jan 26, 2024

Is cryptojacking illegal?

Distinguishing Legitimate Mining from Cryptojacking

The former is a legal and intentional process where individuals or companies use their resources to mine cryptocurrencies. In contrast, cryptojacking is inherently non-consensual and illegal.

Article information

Author: Neely Ledner
