Cryptojacking is a type of cyberattack where computing resources are used without permission to mine cryptocurrency. This is usually done using code, which can be malware or browser scripts, running in the background and using the device’s CPU or GPU. Monero is among the most commonly mined currencies because it’s anonymous and doesn’t require special hardware for mining.
Running cryptomining software requires electricity and processing power, and by using someone else’s systems, attackers gain a financial advantage. Mining where users allocate their own resources is considered mostly legitimate, but as cryptojacking happens without permission it is generally labeled as unauthorized access, which makes it illegal.
Earlier forms of cryptojacking used scripts in websites. Coinhive, launched in 2017, made it easy for sites to mine cryptocurrency using visitors’ browsers. This was discovered and blocked, so attackers moved to other methods and now they use fileless malware that runs in memory, mining code dropped through malicious ads or extensions, and tools that exploit misconfigured cloud services. The trend moved from short-lived browser events to longer-running and more persistent deployments.
The most common targets are personal devices and browsers, as these are the easiest to infiltrate, but servers and cloud workloads are also an attractive target, being always on and having more capacity. Unmonitored or unpatched IoT and OT systems (like routers or industrial controllers) also fall victim to cryptojackers.
At its core, cryptojacking is mining software on someone else’s machine, sometimes delivered as a simple script in a browser tab, other times as malware that runs it in the background. Cryptocurrencies such as Monero or Dero can be mined on regular hardware and don’t leave much of a trace, which makes them preferred candidates for CPU or GPU hijacking.
In browser-based attacks, the script is usually in JavaScript, but WebAssembly (WASM) has become especially common lately, being faster and harder to detect with scanning tools. There are a few ways to get the script or payload onto the system. Some attacks use compromised websites or online ads that load the code directly in the browser, but phishing emails, software installers, or fake browser extensions are also commonly used for dropping the miner. Misconfigured cloud setups (such as exposed containers, admin consoles, etc.) are another way in.
In browser attacks, the implanted code runs only as long as the tab stays open, whereas malware-based miners set themselves up to persist; fileless miners, for example, live only in memory. Cryptojacking can also begin with the installation of legitimate mining software that runs without telling the user. Over time, hiding mechanisms evolved into more sophisticated behavior: miners often lower their CPU usage, pause when the system is in use, or use tricks like scheduled tasks to restart after a reboot.
The running miner connects to a crypto mining pool so that everything it earns goes straight to the attacker's wallet. There's no immediate damage to the device and the machine continues to “work,” which means that a cryptojacking attack can often go unnoticed for a very long time.
Malware-Based Cryptojacking
The classic way is getting a native miner installed on the target system, which is usually done through trojans, untrusted software downloads, or phishing campaigns. Tools like XMRig are popular because they stick around after reboots and mine in the background. They often disguise themselves as legitimate system processes so that casual checks cannot detect them. This type is generally easier to spot than newer methods, but attackers still use it because it is reliable and gives full access to the system.
Fileless / PowerShell-Based Cryptojacking
In this approach, nothing gets written to the hard drive: the mining code runs directly in memory using built-in system tools like PowerShell or WMI. Although these classic "Living Off The Land (LOTL)" techniques are familiar to most security professionals, a miner that uses them is much harder to detect than one written to disk. WannaMine showed how effective this can be, as it spread through networks via exploits while staying hidden using WMI persistence tricks.
Browser-Based Cryptojacking
Sometimes called “drive-by mining,” this cryptojacking relies on JavaScript or WebAssembly code embedded in websites or ads. It’s enough to visit a compromised website and the mining process begins until you close the tab or browser. Variants have been identified that keep going through hidden pop-under windows. WebAssembly has become popular lately because it's faster and harder to analyze than regular JavaScript. Its appeal is how easy it is to deploy, making it ideal for reaching large numbers of users simultaneously.
Cloud & Infrastructure Cryptojacking
Enterprise infrastructure makes a great target due to its size, and attackers go after misconfigured APIs, poorly secured containers, or stolen credentials. Once they're into these powerful cloud resources, miners get deployed across scalable services like Kubernetes clusters or serverless platforms. Minimal upfront costs can bring huge payoffs, as miners often go unnoticed until organizations receive their invoices. High-throughput environments are especially vulnerable because the extra CPU usage blends into normal operations.
Router / IoT Injection
It is true that individual IoT devices don't have much processing power, but the advantage is that there are millions of them. From routers and smart cameras to TVs and HVAC systems, default passwords or unpatched firmware is all it takes to get them compromised. One device might not contribute much, but together, they form a lucrative mining botnet. Recently, a campaign injected mining code into over 200,000 MikroTik routers, turning regular web traffic into a cryptocurrency pipeline.
For individuals, the most noticeable effect is reduced performance, as mining scripts can drive CPU usage above 70% even when nothing else appears to be running. The device slows down, batteries drain unusually fast, and hardware operates at higher temperatures, which makes fans run almost nonstop. This sustained load leads to accelerated wear on CPUs and GPUs, increasing the chance of failure or repairs. One estimate suggests that for $1 of cryptocurrency mined, the victim may lose up to $53 in system resources, especially considering that power bills can also rise if there are multiple connected or always-on devices.
Performance issues are a big problem, but what makes cryptojacking especially worrisome is that it signals a security failure. A miner running on your device is clear proof that an attacker found a way in. On personal devices, this could lead to future malware or lost data. In business environments, this raises the prospect of having an intruder who moves laterally, as a minor breach becomes a platform for much more damaging intrusions.
At the enterprise level, the effects scale quickly: a single misconfigured cloud instance or leaked credential can lead to hundreds of containers or virtual machines being infected with miners. Auto-scaling environments can quietly burn through compute resources, and before the illicit activity is detected, victims might face six-figure cloud bills. High CPU usage is usually expected in many workloads, making cryptojacking harder to notice. The result is that operations slow down, and SLAs get missed; in addition to financial loss, there is also disruption to productivity and trust.
Legally speaking, in most jurisdictions, cryptojacking qualifies as unauthorized access. Because it happens without consent, it is considered theft under laws such as the CFAA in the U.S. or the UK’s Computer Misuse Act.
One of the early cases targeted the LA Times. A Coinhive script ended up in a JavaScript file stored on an open Amazon S3 bucket. It ran quietly for nearly two weeks. Only about $24 worth of Monero was mined, but the hit to the outlet’s reputation was a lot bigger. Tesla had its own incident around the same time. Attackers found an open Kubernetes console and used it to launch miners across the company’s AWS environment. Coinhive scripts, meanwhile, were showing up on thousands of websites until the service finally shut down in 2019.
Some attacks go beyond websites. In one case, a European water utility found cryptomining malware inside its SCADA control systems. It caused monitoring failures and required emergency response. These kinds of attacks can hit more than the power bill. They disrupt critical infrastructure.
Elsewhere, attackers aim for volume. Routers, webcams, and smart TVs aren’t powerful, but there are millions of them. All it takes is a weak password or old firmware. Lightweight miners can run for months before anyone notices.
New techniques keep showing up. WebAssembly is now used in browsers to get around blockers and mine faster. Fileless cryptojacking is another method. The miner runs entirely in memory using PowerShell or WMI, so it never even touches the disk. These are harder to find and can go undetected until systems slow down or someone gets surprised by a big cloud bill.
Recognizing cryptojacking is based on identifying subtle but consistent patterns across endpoints, networks, and infrastructure: indicators that might seem unrelated at first but which together signal unauthorized mining.
On devices, sustained resource strain is common, manifested through high CPU usage when idle, unusually fast battery depletion, and systems running hot (watch for fans spinning constantly).
Network behavior can reveal even stealthy mining activity if we look for unusual outbound traffic, especially persistent connections to unknown domains or IPs tied to mining pools. DNS queries to suspicious or obfuscated domains and traffic on non-standard ports, often used by mining protocols like Stratum, are another indication of hidden activity.
In cloud infrastructure, cryptojacking can trigger unexpected compute cost spikes or auto-scaling even when usage patterns haven’t changed. To flag mining activity that blends with legitimate activity, it is helpful to carefully monitor dashboards that show sustained resource consumption during normal workload.
Detection tools are key to finding these patterns, and modern anti-malware solutions can help catch known miner signatures. To detect fileless processes running in memory, behavioral analytics that comes with high-performance EDR or XDR platforms can be an effective safeguard. For catching emerging or zero-day mining tactics that evade traditional methods, machine learning models trained on baseline activity can quickly surface anomalies. Cloud Security Posture Management (CSPM) solutions are another way to detect misconfigurations and quickly identify resource abuse.
Remember that a single alert is rarely a clear sign of cryptojacking. Therefore, always correlate indicators across system strain, network noise, and infrastructure anomalies; taken together, they form a pattern that is hard to ignore.
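As an added example (not code from the original article), the correlation rule described above applied to constructed endpoint and connection telemetry: a host is flagged only when sustained idle CPU load coincides with a network indicator such as a connection to a mining-pool port or a long-lived outbound session. The port watchlist, thresholds, log formats, and host names are assumptions.

```python
from collections import defaultdict
MINING_POOL_PORTS = {3333, 4444}  # ports the page cites for mining pools; assumed watchlist
CPU_IDLE_THRESHOLD = 70.0         # sustained idle CPU % the page cites as a red flag
LONG_LIVED_SECONDS = 600          # assumed cut-off for a "persistent" outbound connection
MIN_IDLE_SAMPLES = 3              # assumed: several idle samples before load counts as sustained

# Constructed sample telemetry, not real data: "ts host dst_ip:port duration_s"
CONN_LOG = """\
10:00:01 ws-17 203.0.113.9:3333 5400
10:00:02 ws-04 198.51.100.7:443 7200
10:00:03 build-02 198.51.100.8:443 30
10:00:04 ws-21 203.0.113.9:4444 20
""".splitlines()
# Constructed sample telemetry: "ts host cpu_pct idle|busy"
CPU_LOG = """\
10:00:00 ws-17 91.0 idle
10:05:00 ws-17 88.5 idle
10:10:00 ws-17 93.2 idle
10:00:00 ws-04 4.0 idle
10:00:00 build-02 97.0 busy
10:05:00 build-02 95.0 busy
10:10:00 build-02 98.0 busy
""".splitlines()

def parse_conn(line):
    ts, host, dst, dur = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": ts, "host": host, "dst_ip": ip, "port": int(port), "duration": int(dur)}

def parse_cpu(line):
    ts, host, cpu, state = line.split()
    return {"ts": ts, "host": host, "cpu": float(cpu), "idle": state == "idle"}

def score_hosts(conn_lines, cpu_lines):
    """Collect per-host indicators from the network side and the endpoint side."""
    indicators = defaultdict(set)
    for c in map(parse_conn, conn_lines):
        if c["port"] in MINING_POOL_PORTS:
            indicators[c["host"]].add("mining-pool-port")
        if c["duration"] >= LONG_LIVED_SECONDS:
            indicators[c["host"]].add("long-lived-outbound")
    samples = defaultdict(list)
    for s in map(parse_cpu, cpu_lines):
        samples[s["host"]].append(s)
    for host, ss in samples.items():
        idle_cpu = [s["cpu"] for s in ss if s["idle"]]  # busy hosts are expected to be hot
        if len(idle_cpu) >= MIN_IDLE_SAMPLES and min(idle_cpu) > CPU_IDLE_THRESHOLD:
            indicators[host].add("high-cpu-while-idle")
    return {h: sorted(i) for h, i in indicators.items()}

def suspected_cryptojacking(findings):
    """Alert only when an endpoint indicator coincides with at least one network indicator."""
    net = {"mining-pool-port", "long-lived-outbound"}
    return sorted(h for h, i in findings.items() if "high-cpu-while-idle" in i and net & set(i))
```

In the constructed data only ws-17 trips both sides; ws-04 (a long-lived but ordinary HTTPS session) and ws-21 (a brief contact with a watchlisted port) each carry a single indicator and are not alerted on.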
Cryptojacking needs a layered defense that covers all major entry points - endpoints, networks, cloud systems, and user activity.
Endpoint & Browser Controls
Start by securing endpoints, which are often the first to be targeted. Use modern anti-malware or next-generation antivirus that can detect cryptominer signatures and unusual CPU usage from unauthorized processes. Add script blockers and reputable ad-blockers to stop in-browser mining attempts, and regularly check browser extensions for anything suspicious. If practical, disable JavaScript on untrusted sites to prevent mining scripts from running - just note that this can break some website features.
Network & Infrastructure Hardening
At the network level, deploy DNS sinkholes to block known mining domains and configure firewalls to stop traffic on ports used by mining pools, like 3333 and 4444. Use IDS/IPS tools to catch abnormal traffic patterns and set up whitelist rules to prevent unauthorized connections. Keep routers and IoT firmware up to date and isolate parts of the network to stop threats from spreading. Website admins should also scan for unauthorized JavaScript or file changes that could turn a legitimate site into a cryptomining source.
Cloud & Container Posture
Secure your cloud setups by applying least-privilege access rules and keeping admin consoles and APIs hidden from public access. Use CSPM tools to find misconfigurations before attackers do. For containers, scan images before use and set up runtime rules that block mining software or unauthorized code. Keep an eye out for unusual compute spikes or sudden increases in cloud costs - these could be signs of hidden mining.
Policy & User Practices
Good policy is just as important as good tools. Apply the least-privilege rule to users and services, and only allow signed code to run - adding process whitelisting where you can. Keep all systems, browsers, and cloud images on auto-update to fix known issues quickly. Train users to recognize phishing since many miners are delivered through fake emails or downloads. Ask them to report strange behavior like system slowdowns or, on phones, rapid battery drain - both are signs that cryptojacking might be happening.
Enterprise-Grade Safeguards
For organizations, add extra layers like Endpoint Detection and Response (EDR), or use Security Information and Event Management (SIEM) rules to spot anomalies, as well as regular penetration testing to stay ahead of new threats.
In confirmed cases of cryptojacking, act fast: disconnect compromised systems or network segments to block communication with mining pools and stop the spread. Then use system tools to locate and stop every malicious process, including hidden miners and their watchdog scripts (small programs or processes that restart the miner if it's stopped or killed).
Remove all persistence mechanisms, which are usually scheduled tasks, cron jobs on Unix-like systems, rogue browser extensions, etc. In cloud environments, revoke exposed API keys immediately and check for new accounts the attacker may have created.
When forensic analysis is needed, capture volatile memory before rebooting. A full system scan is highly recommended to remove malware remnants and also to make sure settings like power modes or CPU throttling haven't been changed. This is also a good time to rotate all affected credentials, including cloud tokens. If it wasn't already in place, enforce strong password hygiene because this is a vulnerability that can lead to re-infection.
Next, figure out how the breach happened. Was it through a vulnerability, misconfiguration, or credential misuse? Fix it: patch, tighten config, and reimage if necessary. Make sure your EDR, XDR, or SIEM rules are tuned to detect repeat activity. Use this as an opportunity to update your response plan and close any gaps the attack revealed.
Bitdefender’s GravityZone platform offers multi-layered protection against cryptojacking, from shutting down coin miners on endpoints to catching abuse in cloud workloads before it drains resources.
Visibility is the first requirement, and Risk Management shows misconfigured and unpatched systems that miners primarily target. Proactive Hardening and Attack Surface Reduction (PHASR) adds dynamic control by blocking abuse of common tools like PowerShell or WMI.
On the prevention side, Patch Management closes the entry points early, but if mining scripts get through, Advanced Threat Control and Fileless Attack Defense block them based on behavior.
Network Attack Defense watches for suspicious outbound traffic (such as to known mining pools) and flags lateral movement that might be a spreading worm.
For cloud and hybrid environments, GravityZone brings in Cloud Workload Security and CSPM+ to find misconfigurations and lock down access. Containers are covered too: Security for Containers helps isolate and neutralize threats inside workloads.
If the signs are subtle, Extended Detection and Response (XDR) and GravityZone Endpoint Detection and Response (EDR) connect the dots across systems. Sandbox Analyzer can analyze suspicious files in a controlled environment so that persistent scripts like cron jobs or rogue registry entries can be found and removed.
For teams that don't have the bandwidth or in-house expertise to handle every threat, Bitdefender's MDR service provides real-time monitoring, and swift response by experienced analysts.
By definition, cryptojacking doesn't steal data, but its mere presence indicates that a security breach has occurred: if an attacker could sneak in a miner, they might also drop other malware, for example spyware or a credential stealer. Some cryptojacking campaigns have used the same access to amplify the attack by harvesting passwords or spreading further into a network. In other words, the miner itself doesn't poke around files, but the door it came through could remain open to even more serious threats.
The difference comes down to consent and visibility, as all legitimate browser mining asks for permission. Usually, a pop-up or notice explains what's happening, why it's being done, and offers user controls (like setting CPU usage). This mining stops when you close the tab or opt out. Malicious cryptojacking runs quietly in the background and may keep going even after you leave the site.
Yes, as long as it’s done with clear, informed consent. Browser-based mining can be legal, and some websites have used it as an alternative to having ads. They asked visitors if they’re willing to let the site use some of their CPU power while browsing. To make it legal, users must be told what’s happening and given the chance to say no or stop it anytime.