Explore how cybercriminals exploit cryptojacking to hijack computing resources for cryptocurrency mining, detailing attack methods, impacts, and prevention strategies.

The rapid advancement of computing technologies has led to radical changes in our lives, particularly in the way we use cryptocurrencies for payments, moving away from traditional methods. There are several ways to get cryptocurrencies, such as using credit cards or cash. Learn how the backend of crypto can facilitate hackers in unexpected ways.

Cryptocurrency and unauthorized mining

Cryptocurrencies like Bitcoin allow people to earn coins through mining. This process involves specialized hardware that performs complex mathematical calculations to validate transactions and secure the network.
Mining needs a lot of computing power and uses a significant amount of electricity. For example, a single Bitcoin mining operation can consume as much power as a small city. While mining is legal in most places, cybercriminals take advantage of this by breaking into other people's IT systems to mine cryptocurrencies without permission. They might insert harmful code into websites that take over visitors' browsers for mining, or they may install malware on corporate servers to use their processing power.

This unauthorized mining, called cryptojacking, spreads in different ways. It can come from infected email attachments that install mining software. It may also be installed by visiting compromised websites that run mining scripts or through malware that targets cloud computing resources. Organizations often find their systems running slowly, experiencing unexpected spikes in electricity bills, or facing hardware failures due to constant high-intensity use.

This rapidly growing crime costs organizations millions of dollars every year through increased energy costs, hardware damage and lower system performance.

How does cryptojacking work?

Cryptojacking is a covert process in which adversaries hijack a target's computing resources to mine cryptocurrency. It maps to the MITRE ATT&CK technique T1496, Resource Hijacking. Although it does not exfiltrate data from the compromised computer or encrypt files as ransomware does, experienced threat actors often use it as a foothold from which to move laterally across the compromised IT environment.

Cryptojacking delivers substantial negative impacts on target IT systems. It causes electricity bills to spike dramatically. The process degrades compromised system performance because mining operations consume extensive computing power, leaving legitimate applications struggling for resources. In addition to this, cryptojacking serves as a facilitator for conducting other malicious actions once initial access is established.

Cryptojacking commonly employs JavaScript code that executes within web browsers to mine cryptocurrencies, but the attack surface extends far beyond individual workstations. Adversaries target computer CPUs, GPUs, mobile devices and cloud infrastructure. In serverless environments, attackers abuse API calls or overly broad IAM roles to escalate privileges and distribute mining workloads across different devices. For example, attackers might compromise a company's AWS account and spin up hundreds of EC2 instances for mining, or inject mining scripts into popular websites that unknowingly recruit thousands of visitor devices into their mining operation.

Cryptojacking attack vectors

The first step in any cryptojacking attack is infiltration; hackers employ different attack vectors to infect target computers with cryptojacking code. Here are the most prominent ones:

Phishing

Phishing emails are the vehicle hackers most often use to deliver cryptojacking malware. Threat actors send a phishing email containing a malicious link; once clicked, it triggers the download of a cryptojacking executable. Email attachments can serve the same purpose: instead of links, attackers may send infected attachments such as:

  • Infected PDFs (with embedded scripts or links to download malware).
  • Microsoft Office documents (Word, Excel) with macros that download cryptojacking scripts.
  • ZIP/RAR files containing hidden executables (e.g., invoice.exe masquerading as a PDF).
  • JavaScript files (e.g., report.js) that execute mining scripts when opened.

Once the victim interacts with the email, such as clicking a malicious link or opening an attachment, the malware is deployed via:

  • Exploiting vulnerabilities (e.g., unpatched Office/PDF readers).
  • Social engineering (convincing the user to enable macros or run an executable).
  • Silent drive-by downloads (the user is lured to a malicious site, which triggers an automatic download).
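The two lists above are exactly the indicators a mail gateway or attachment sandbox checks before a message reaches the inbox. As an added example (not code from the article), the function below applies them to constructed in-memory attachments: a document-looking name in front of an executable (invoice.pdf.exe), a script-host file such as report.js, an archive hiding an executable, and an Office file carrying a VBA macro project. The extension sets and magic-byte table are this example's own assumptions, not values from the article.

```python
"""Screen e-mail attachments for the delivery patterns an attacker relies on.

Added example for this article (not the author's code). Checks the file
extension, the magic bytes, double extensions, executables inside archives
and Office macro containers. Every sample file is constructed in memory.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute directly when double-clicked on a workstation.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll"}
# Script-host files that run outside the browser (Windows Script Host, PowerShell, HTA).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "hta"}
# Macro-enabled Office formats.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}

# Magic-byte signatures: the type the *content* announces, independent of the name.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),                                   # Windows PE executable
    (b"PK\x03\x04", "zip"),                           # ZIP, and also OOXML (docx/xlsx/docm/...)
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy .doc/.xls
]


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extensions(filename: str) -> list[str]:
    """All suffixes, lower-cased, without dots: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = extensions(filename)
    ext = exts[-1] if exts else ""
    kind = sniff(data)

    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment")
    if ext in SCRIPT_EXTS:
        findings.append("script-host attachment")
    if ext in MACRO_EXTS:
        findings.append("macro-enabled Office document")
    # 'invoice.pdf.exe': a document-looking name in front of the real (executable) extension.
    if len(exts) >= 2 and ext in EXECUTABLE_EXTS | SCRIPT_EXTS:
        findings.append(f"double extension ({'.'.join(exts)})")
    # The name says document, the bytes say otherwise.
    if ext == "pdf" and kind != "pdf":
        findings.append(f"extension/content mismatch (named .pdf, content looks like {kind})")
    if kind == "exe" and ext not in EXECUTABLE_EXTS:
        findings.append("Windows PE header (MZ) under a non-executable name")

    # Look inside ZIP containers: archived executables and OOXML macro streams.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("corrupt ZIP container")
        for name in names:
            inner = extensions(name)
            if inner and inner[-1] in EXECUTABLE_EXTS | SCRIPT_EXTS:
                findings.append(f"archive contains executable/script: {name}")
            if name.endswith("vbaProject.bin"):        # VBA project stream inside docm/xlsm
                findings.append(f"Office document contains VBA macros ({name})")
    return findings


def make_zip(entries: dict) -> bytes:
    """Build a small ZIP in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments, one per pattern from the article plus a benign control.
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.7\n% constructed benign sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,               # PE header behind a .pdf-looking name
    "invoice.zip": make_zip({"invoice.exe": b"MZ\x90\x00"}),       # executable hidden in an archive
    "budget.docm": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
    "report.js": b"// constructed sample script\n",
}


def screen_all(samples=SAMPLES) -> dict:
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        print(f"{name:22} {'CLEAN' if not findings else '; '.join(findings)}")
```

The magic-byte check is what defeats the "invoice.exe masquerading as a PDF" trick: a gateway that trusts the filename or the declared MIME type alone will wave the file through, while the leading bytes cannot be spoofed without breaking the executable.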

Visiting malicious websites

Cybercriminals often use infected or malicious websites to run cryptojacking scripts on visitors' computers without their knowledge. Some websites can use your CPU/GPU to mine cryptocurrencies without installing anything on your computer. This is done via the following methods:

  • JavaScript mining scripts – The website contains an embedded JavaScript miner. When you visit the website, the script runs in your browser, consuming CPU power to mine cryptocurrency. The mining stops when you close the browser tab.
  • WebAssembly – In this method, the miner runs as WebAssembly silently in the background, commonly concealed as a legitimate web process.
  • Malvertising – Hackers buy ad space on legitimate sites (for instance through ad networks such as Google AdSense). When someone loads a page housing the ad, the ad executes a hidden mining script.
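A site owner can catch all three forms above by auditing the scripts a page actually loads rather than trusting that its templates are intact. The following added example (not code from the article) collects a page's `<script>` tags and flags external sources outside a first-party allowlist, plus inline scripts that compile WebAssembly, spawn a Worker from a blob: URL, or reference a stratum mining-pool URL. The sample page, the `.invalid` domains and the `ALLOWED_ORIGINS` set are constructed for this example.

```python
"""Audit a web page's <script> tags for injected browser miners.

Added example (not the article's code). Heuristics: third-party script
origins not on an allowlist, inline scripts that compile WebAssembly or spawn
Workers from blob: URLs, and mining-pool URLs (stratum+tcp://). The sample
page and the allowlist are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this (fictional) site legitimately loads scripts from.
ALLOWED_ORIGINS = {"www.example.com", "cdn.example.com"}

# A browser miner needs compute (WebAssembly), background execution (a Worker)
# and a pool to submit work to; each pattern below catches one of those.
INLINE_PATTERNS = {
    "webassembly": re.compile(r"WebAssembly\.(instantiate|compile|Module)"),
    "blob-worker": re.compile(r"new\s+Worker\s*\(\s*URL\.createObjectURL"),
    "stratum-url": re.compile(r"stratum\+(tcp|ssl)://", re.I),
    "pool-port": re.compile(r"wss?://[^\s'\"]+:(3333|4444|5555)\b"),
}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html: str, allowed=ALLOWED_ORIGINS) -> list[str]:
    """Return findings for scripts that should not be on a first-party page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname          # None for relative (first-party) URLs
        if host and host not in allowed:
            findings.append(f"third-party script not on allowlist: {src}")
    for i, body in enumerate(parser.inline):
        hits = [name for name, rx in INLINE_PATTERNS.items() if rx.search(body)]
        if hits:
            findings.append(f"inline script #{i} matches {', '.join(hits)}")
    return findings


# Constructed sample: a legitimate page with a miner injected after compromise.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<!-- everything below was injected; domains are constructed for this example -->
<script src="https://cdn.miner-cdn.invalid/lib.min.js"></script>
<script>
var blob = new Blob([wasmLoader]); var w = new Worker(URL.createObjectURL(blob));
WebAssembly.instantiate(bytes, imports).then(function (m) {
  w.postMessage({pool: "stratum+tcp://pool.invalid:3333", wallet: "<placeholder>"});
});
</script>
</head><body>...</body></html>"""


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

Run against a nightly crawl of your own site, the allowlist check alone surfaces an injected third-party loader the moment it appears. Serving a Content-Security-Policy whose `script-src` lists only those same origins, without `'unsafe-eval'` or `'wasm-unsafe-eval'`, enforces the rule in the visitor's browser as well; current browsers refuse to compile WebAssembly under such a policy.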

Misconfigured systems

Misconfigured cloud infrastructure, virtual machines (VMs), servers or containers are considered lucrative targets for hackers looking to deploy cryptojacking malware. When these systems are publicly exposed without proper security controls, attackers can easily exploit them to hijack computing resources for cryptocurrency mining.

Misconfigured systems are particularly vulnerable because of:

  • Default or weak credentials – Many cloud instances, VMs and containers are deployed with default usernames/passwords (e.g., admin:admin, root:password).
  • Unprotected remote access – Some systems expose remote management services to the internet without authentication, such as SSH (22), RDP (3389), the Kubernetes API server (6443) or the Docker daemon API (2375/2376).
  • Over-permissive cloud storage and APIs – For example, publicly accessible S3 buckets, Azure Blob Storage or misconfigured Kubernetes clusters can be abused by hackers to execute cryptojacking scripts.
  • Outdated or unpatched software – Unpatched vulnerabilities in Docker, Kubernetes or cloud management tools allow remote code execution. For example, Log4j (CVE-2021-44228) has been used to deploy miners.
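The exposure bullets above translate directly into checks an administrator can run against a host's own configuration before an attacker finds the gap. As an added example (not the article's code), the script below audits two constructed inputs: a listening-socket table in the column layout of `ss -ltn`, flagging the management ports named above when bound to all interfaces, and a Docker `daemon.json` that exposes the API over TCP without TLS client verification. The sample data is constructed; `hosts` and `tlsverify` are real daemon.json keys, while the port-to-service table is this example's own. Default credentials cannot be verified offline, so they are not covered here.

```python
"""Audit a host for the misconfigurations listed above (added example, not the article's code).

Input 1: listening sockets in the column layout of `ss -ltn` (State Recv-Q Send-Q
Local Address:Port Peer Address:Port). Input 2: Docker's daemon.json. Both
samples below are constructed for this example.
"""
import json

# Management ports named in the article and the service each normally carries.
MANAGEMENT_PORTS = {
    22: "SSH",
    3389: "RDP",
    6443: "Kubernetes API",
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
}
# Local addresses that mean "every interface", i.e. reachable from outside the host.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def parse_ss_line(line: str):
    """Return (local_addr, port) from one `ss -ltn` data row, or None for headers/garbage."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "LISTEN":
        return None
    addr, _, port = parts[3].rpartition(":")     # rpartition keeps IPv6 '[::]' intact
    if not port.isdigit():
        return None
    return addr, int(port)


def audit_listeners(ss_output: str) -> list[str]:
    """Flag management services bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port = parsed
        if port in MANAGEMENT_PORTS and addr in WILDCARD_ADDRS:
            findings.append(f"{MANAGEMENT_PORTS[port]} (tcp/{port}) listening on all interfaces ({addr})")
    return findings


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag a Docker API exposed over TCP without client-certificate verification."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(f"Docker API reachable over TCP without tlsverify: {', '.join(tcp_hosts)}")
    for host in tcp_hosts:
        if host.endswith(":2375"):
            findings.append(f"Docker API on the unencrypted default port: {host}")
    return findings


# Constructed `ss -ltn` output: SSH, Docker and RDP exposed; Kubernetes API on loopback only.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:6443      0.0.0.0:*
LISTEN 0      4096   *:2375              *:*
LISTEN 0      128    [::]:3389           [::]:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
"""

# Constructed daemon.json: the weak setting and its hardened counterpart.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "log-driver": "json-file",
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",       # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS) + audit_docker_daemon(WEAK_DAEMON_JSON):
        print(finding)
    print("hardened daemon.json findings:", audit_docker_daemon(HARDENED_DAEMON_JSON))
```

A listener on 127.0.0.1 (the Kubernetes API in the sample) is not reported: the point is exposure, not the presence of the service. Pair this with the cloud provider's security-group or firewall rules, since a wildcard bind behind a closed port is still reachable the day someone opens that port.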

Compromised web browser extensions

Web browser extensions or add-ons are small software programs used to add customization features to current web browsers. There are different types of web browser extensions such as those blocking ads, password manager add-ons, and those that increase user productivity such as taking screenshots of the screen or changing default browser colors and themes.

Threat actors can exploit vulnerable browser add-ons to insert cryptojacking code. Even well-regarded browser extensions can be exploited if their developers do not follow cybersecurity best practices when designing them.

Attackers employ various methods to compromise extensions. They might purchase legitimate extensions from developers and inject malicious code through updates, effectively turning trusted tools into mining platforms. For instance, several popular Chrome extensions with millions of users have been compromised this way, suddenly causing users' computers to slow down as hidden mining scripts are activated. Adversaries also create fake extensions that mimic popular ones, tricking users into installing mining malware disguised as productivity tools.
Compromised JavaScript libraries

JavaScript code can easily be laced with cryptojacking code. Threat actors use this technique to compromise trusted JavaScript libraries, so every developer who uses that library in their software unknowingly includes the cryptojacking code.

Insider threat

Insider threats, whether from negligent employees or malicious actors, pose a significant risk for cryptojacking infections. Employees with access to company systems may unknowingly or intentionally install cryptocurrency miners.

For instance, non-tech-savvy employees may install pirated programs from the internet; the keygen or crack used to activate the pirated software may contain a hidden miner that installs when the installer is executed.

On the other hand, a disgruntled employee may install miners on company resources to exploit them for mining cryptocurrencies without the company's permission. It is worth noting that some employees may install such a miner on company computers as an act of revenge.

How to prevent cryptojacking

There are different mitigation measures to stop cryptojacking attacks, some for individual users and others for businesses.

Regular users (personal devices)

  • Use remote browser isolation (RBI) to avoid accidental downloads and installations. Track adversary attempts and threats in an RBI-powered platform.
  • Install anti-cryptojacking browser add-ons. There are many extensions for this purpose, such as uBlock Origin (blocks ads and miners) and MinerBlock (blocks browser-based cryptocurrency miners).
  • Disable unnecessary JavaScript using browser extensions such as NoScript (Firefox), or disable JS on untrusted sites.
  • Keep the operating system current and all installed software, including browser add-ons, up to date.
  • Use an antivirus and anti-malware program and keep them up to date.
  • Monitor CPU/GPU usage regularly. Use Task Manager (Windows) or Activity Monitor (macOS) to look for suspicious processes.
  • Do not install pirated software, and avoid websites that host and distribute pirated content, such as torrent sites.

For organizations:

  • Adopt a remote-browser-isolation-first browsing model for employees.
  • Install endpoint detection and response (EDR) on all endpoint devices.
  • Use application whitelisting to allow only authorized applications to run on your computers.
  • Use network monitoring tools, such as Splunk and Wazuh, to detect unusual traffic to mining pools.
  • Provide end-user cybersecurity training, especially on detecting phishing emails and other forms of social engineering.
  • Prevent employees from installing software on end-user devices without prior permission from the IT department.
  • Configure firewalls to block connections to ports commonly used by mining pools, such as 3333, 4444 and 5555.
  • Keep your organization's content management system (CMS), such as WordPress or Joomla, current. The same applies to all installed CMS plugins.
  • Use web application firewalls to protect your website.
  • Scan your website for malware regularly to discover any injected miners.
  • Disable unused ports and services.
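The network-monitoring and firewall items in the list above are two halves of one detection: the firewall log records both the pool connections it allowed and the ones it blocked, and a blocked attempt still means an infected host. The script below is an added example (not the article's code, and not a Splunk or Wazuh rule) that runs this logic over constructed firewall log lines in a generic key=value format; adapt `parse_line()` to your own firewall's export. It uses the pool ports from the article and, going one step beyond the text, also flags a host that keeps several long-lived sessions to one external endpoint, which is how a miner holds its pool connection when the pool listens on a non-standard port.

```python
"""Flag mining-pool traffic in firewall logs (added example, not the article's code).

Log format assumed here (constructed for this example):
    <timestamp> <device> <ALLOW|DENY> src=... dst=... dport=... proto=... bytes=... dur=...
Two signals: destination ports commonly used by pools (3333, 4444, 5555, from
the article) and repeated long-lived sessions from one host to one endpoint.
"""
import re
from collections import defaultdict

POOL_PORTS = {3333, 4444, 5555}     # common mining-pool ports named in the article
LONG_SESSION_SECS = 1800            # threshold (assumption): browsing sessions rarely last this long
MIN_LONG_SESSIONS = 3               # threshold (assumption): repeated long sessions = persistent client

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<ts> <device> <ACTION> k=v k=v ...' into a dict with typed numeric fields."""
    ts, device, action, rest = line.split(" ", 3)
    rec = dict(KV.findall(rest))
    rec.update(ts=ts, device=device, action=action,
               dport=int(rec["dport"]),
               dur=int(rec.get("dur", 0)),
               nbytes=int(rec.get("bytes", 0)))
    return rec


def detect_pool_traffic(lines) -> list[str]:
    """Aggregate per (src, dst, dport) flow and return human-readable alerts."""
    flows = defaultdict(lambda: {"allowed": [], "denied": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        r = parse_line(line)
        flow = flows[(r["src"], r["dst"], r["dport"])]
        if r["action"] == "ALLOW":
            flow["allowed"].append(r["dur"])
        elif r["action"] == "DENY":
            flow["denied"] += 1

    alerts = []
    for (src, dst, dport), flow in flows.items():
        endpoint = f"{src} -> {dst}:{dport}"
        if dport in POOL_PORTS:
            if flow["allowed"]:
                alerts.append(f"{endpoint}: {len(flow['allowed'])} allowed sessions on a common mining-pool port")
            if flow["denied"]:
                # The block rule worked, but something on the host keeps trying to reach a pool.
                alerts.append(f"{endpoint}: {flow['denied']} blocked attempt(s) on a mining-pool port (host likely infected)")
            continue
        long_sessions = [d for d in flow["allowed"] if d >= LONG_SESSION_SECS]
        if len(long_sessions) >= MIN_LONG_SESSIONS:
            alerts.append(f"{endpoint}: {len(long_sessions)} long-lived sessions (>= {LONG_SESSION_SECS}s), "
                          f"possible pool on a non-standard port")
    return alerts


# Constructed sample log: one miner on a standard pool port, one on 443, one blocked, one benign host.
SAMPLE_LOG = """
2024-05-02T08:00:01Z fw ALLOW src=10.0.4.17 dst=203.0.113.45 dport=3333 proto=tcp bytes=184320 dur=3600
2024-05-02T09:00:03Z fw ALLOW src=10.0.4.17 dst=203.0.113.45 dport=3333 proto=tcp bytes=190112 dur=3600
2024-05-02T08:00:10Z fw ALLOW src=10.0.4.22 dst=198.51.100.9 dport=443 proto=tcp bytes=20480 dur=12
2024-05-02T08:01:00Z fw ALLOW src=10.0.4.22 dst=198.51.100.9 dport=443 proto=tcp bytes=10240 dur=8
2024-05-02T08:00:00Z fw ALLOW src=10.0.4.31 dst=192.0.2.77 dport=443 proto=tcp bytes=920000 dur=3600
2024-05-02T09:00:00Z fw ALLOW src=10.0.4.31 dst=192.0.2.77 dport=443 proto=tcp bytes=915000 dur=3600
2024-05-02T10:00:00Z fw ALLOW src=10.0.4.31 dst=192.0.2.77 dport=443 proto=tcp bytes=930000 dur=3600
2024-05-02T10:05:00Z fw DENY src=10.0.4.40 dst=203.0.113.45 dport=4444 proto=tcp bytes=0 dur=0
"""


if __name__ == "__main__":
    for alert in detect_pool_traffic(SAMPLE_LOG.splitlines()):
        print(alert)
```

The host 10.0.4.22 in the sample never alerts: its HTTPS sessions are short, which is what ordinary browsing looks like. The port-based rule is cheap and should feed the firewall block list; the long-session rule is what catches a miner once its pool moves to 443.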

Cryptojacking is a constant and evolving threat that takes advantage of the basic setup of modern computing environments. As more people adopt cryptocurrency and mining operations get more complex, organizations and individuals need to stay alert against these resource-stealing attacks.

The financial impact goes beyond electricity costs; it also includes hardware damage, loss of productivity, and opportunities for skilled threat actors to move laterally within compromised IT environments. Strong security measures, such as monitoring endpoints and educating employees, offer vital protection against this rising cybercrime. Using remote browser isolation and tracking threats in a tailor-made digital investigations platform is key.

Regularly checking security practices and keeping up with new cryptojacking methods will be crucial for maintaining resilience against these stealthy attacks. To learn more about how to protect yourself and your investigation with Silo, request a demo today.