Cryptojacking - Unauthorized Crypto Mining
Cryptojacking is a cyberattack that uses the computing resources of someone else's computer or server, without permission, to mine cryptocurrency. Because it silently consumes the victim's CPU or GPU and sends the mining rewards to the attacker's wallet, it is classified as a type of malware. Its hallmark is stealth: unlike ransomware, the damage is not immediately apparent, and it is not uncommon for an infection to go undetected for months.
The Rise and Fall of Coinhive (2017 - 2019)
The trigger for the explosive spread of cryptojacking was Coinhive, which appeared in September 2017. Coinhive was a service that could mine Monero in a visitor's browser simply by embedding JavaScript into a website, and it was initially seen as a monetization method to replace advertising. However, cases of site operators embedding the script without visitors' consent became rampant, and security vendors added it to their malware detection targets. As the price of Monero fell and browser-side countermeasures were strengthened, its profitability deteriorated, and Coinhive shut down its service in March 2019. Even after Coinhive ended, however, cryptojacking itself has survived by changing its methods.
Three Infection Routes
- Host-based: mining software is installed on a device through phishing emails or malicious downloads. It starts automatically with the OS and mines constantly in the background, and the infected machine is often enrolled in a botnet.
- Browser-based: JavaScript embedded in a website performs mining in the visitor's browser. It stops when the tab or browser is closed, but there are techniques that keep it running in a hidden pop-under window.
- Cloud-based: leaked API keys or access keys are used to spin up large numbers of AWS, Azure, or GCP instances for mining. The victim is billed for the resulting cloud usage.
Detection Methods
On a personal device, checking CPU usage in Task Manager or Activity Monitor is the easiest detection method. A process that continuously consumes 50% or more of the CPU with no obvious reason is a candidate; if that process is the browser, closing tabs one at a time will usually pinpoint a browser-based miner. In an enterprise environment, endpoint security products detect the signatures and behavior of mining software, such as connections to mining pools over the stratum protocol. In a cloud environment, billing alerts, regular rotation of IAM access keys, and alerting on instances launched in regions or accounts you do not normally use are basic defensive measures.
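As an added example (not code from the original article), the following Python script applies the checks above: it scans `ps`-style process output for the CPU threshold and for command-line indicators of mining software (the stratum pool protocol, a few well-known miner binaries, XMRig's `--donate-level` flag), and it flags IAM access keys older than a rotation window. The process lines, the key rows and the fixed clock are constructed for the example; the miner names and flag are real, but a real deployment would pair this with endpoint telemetry rather than a one-shot parse.

```python
import re
from datetime import datetime, timedelta, timezone

CPU_THRESHOLD = 50.0  # sustained usage at or above this is worth a look

# Indicators that show up in real miner command lines: the stratum mining-pool
# protocol, a few widely used miner binaries, and XMRig's --donate-level flag.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "ccminer", "cgminer"}
MINER_FLAGS = {"--donate-level"}

# Constructed sample in the shape of `ps -eo pid,pcpu,args` output (not a real capture).
# PID 1344 masquerades as a kernel thread but carries a stratum pool URL.
SAMPLE_PS = """\
  PID %CPU COMMAND
  812  1.2 /usr/sbin/sshd -D
 1344 96.5 /tmp/.x/kthreadd -o stratum+tcp://pool.example.net:3333 -u 4ABCDEF --donate-level=1
 2201 55.0 ffmpeg -i input.mp4 output.mkv
 2390  3.1 /opt/google/chrome/chrome --type=renderer
 2777 88.0 /usr/local/bin/xmrig -c /etc/xmrig.json
"""


def parse_ps(text):
    """Turn ps-style output into (pid, cpu_percent, command_line) tuples."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, cmd = parts
        procs.append((int(pid), float(cpu), cmd))
    return procs


def classify(cpu, cmd):
    """Return 'miner' (known indicator), 'suspect' (high CPU only) or 'ok'."""
    args = cmd.split()
    binary = args[0].rsplit("/", 1)[-1].lower() if args else ""
    has_indicator = (
        STRATUM_RE.search(cmd) is not None
        or binary in MINER_BINARIES
        or any(a.split("=", 1)[0] in MINER_FLAGS for a in args[1:])
    )
    if has_indicator:
        return "miner"
    if cpu >= CPU_THRESHOLD:
        return "suspect"  # legitimate workloads (transcoding, builds) land here too
    return "ok"


def scan(text=SAMPLE_PS):
    """Map each PID in the ps output to its classification."""
    return {pid: classify(cpu, cmd) for pid, cpu, cmd in parse_ps(text)}


# Cloud side: flag long-lived IAM access keys. Rows mimic the fields returned by
# `aws iam list-access-keys`; the key IDs are the placeholders from AWS documentation.
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "CreateDate": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def stale_keys(keys, now, max_age_days=90):
    """Return the AccessKeyIds older than max_age_days; these should be rotated."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["CreateDate"] < cutoff]


if __name__ == "__main__":
    for pid, verdict in scan().items():
        print(pid, verdict)
    print("rotate:", stale_keys(SAMPLE_KEYS, SAMPLE_NOW))
```

The three-way verdict matters in practice: `ffmpeg` at 55% CPU is flagged as `suspect` rather than `miner`, so a CPU threshold alone produces false positives, while the stratum URL and miner binary names catch processes regardless of their instantaneous load.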
Comparison with Ransomware
| Aspect | Cryptojacking | Ransomware |
|---|---|---|
| Objective | Theft of computing resources | Encryption of data and ransom demands |
| Stealth | High (unnoticed for long periods) | Low (damage becomes apparent immediately) |
| Nature of damage | Power and performance degradation, cloud bills | Data loss, business disruption |
| Attacker's revenue | Small but steady | Large but with a low success rate |
| Difficulty of detection | High | Low (obvious once encryption begins) |
For attackers, cryptojacking is a "low-risk, low-return" method. Unlike ransomware, it is less likely to attract the attention of law enforcement, and it can generate revenue over a long period while the victim remains unaware. For this reason, there have been reports of attackers who, after breaking in through a vulnerability, run a miner as a "stopgap" source of revenue before deploying ransomware.
See also Cryptocurrency Wallet Security, Ransomware Protection, and Browser Extension Security.