What Is Crypto-Malware? Cryptojacking Explained
Crypto-malware is malicious software that hijacks a victim's computing resources, CPU, GPU, or cloud compute, to mine cryptocurrency without consent, an activity known as cryptojacking.
A finance team opens a ticket because their cloud bill tripled overnight. No outage, no data loss, no ransom note. Just compute usage climbing in regions they never deploy to, on instances no one remembers launching. The security team pulls the workloads and finds the same process pegging every core: a Monero miner, running quietly, billing the victim's account for someone else's profit. Nothing was encrypted. Nothing was stolen in the obvious sense. The attacker was simply renting the victim's hardware, and the only reason it got noticed was the invoice.
That is crypto-malware. It is malicious software that hijacks a victim's computing resources, CPU, GPU, or cloud compute, to mine cryptocurrency without consent. The activity is called cryptojacking, and unlike most malware it does not want to be noticed. It does not lock files or pop a demand. It steals processing power and electricity, monetizes them through mining, and tries to stay running as long as possible. This guide covers what crypto-malware is, the terms that get tangled with it, how it works in the browser and on the host, how it differs from ransomware, where it shows up in the cloud, and how defenders detect and prevent it.
What is crypto-malware?
Crypto-malware is malware whose payload is unauthorized cryptocurrency mining. Once it runs on a machine, it uses that machine's processor to perform the mathematical work that mining requires, and the rewards go to the attacker's wallet. The victim gets nothing but a slower system, hotter hardware, and a higher power or cloud bill.
The defining trait is what crypto-malware does not do. It does not encrypt data, exfiltrate it, or announce itself. A successful crypto-malware infection is one you never notice, because every hour it runs undetected is another hour of free mining. That makes it different from almost every other class of malware, which usually has a visible end goal. Here the goal is to be invisible and persistent, a parasite that wants the host alive and working.
The economics explain everything about its behavior. Mining is profitable only at scale and only when the electricity is free, so attackers do not target one machine; they target thousands, and the victim, not the attacker, pays for the power. A single infected laptop is a rounding error. Ten thousand of them, or a fleet of hijacked cloud instances, is a mining operation funded entirely by other people.
Cryptojacking, cryptomining, and the terms that get confused
The vocabulary trips people up, so pin it down before going further.
Cryptocurrency is digital money that runs on a blockchain, a distributed ledger secured by cryptography rather than a central bank. Bitcoin and Monero are two examples.
Cryptomining is the legitimate process of validating blockchain transactions by solving computational work, and being rewarded with cryptocurrency for doing it. Mining is legal. People do it on their own hardware with their own electricity on purpose.
Cryptojacking is cryptomining done on someone else's hardware without their permission. The computation is identical to legal mining; the theft is in whose resources pay for it. Cryptojacking is the attack.
Crypto-malware is the software that carries out cryptojacking. It is the tool; cryptojacking is the act.
One more distinction matters and is constantly confused: crypto-malware is not the same as ransomware, even though both are sometimes loosely called "crypto" attacks because both touch cryptography or cryptocurrency. Ransomware encrypts your data and demands a payment, usually in cryptocurrency, to unlock it. Crypto-malware mines cryptocurrency using your hardware. One holds your data hostage and wants you to notice immediately; the other steals your compute and wants you to never notice at all.
Why Monero, not Bitcoin
Attackers overwhelmingly mine Monero (XMR), not Bitcoin, and the reason is purely practical.
Bitcoin mining uses the SHA-256 algorithm, which is now dominated by purpose-built ASIC hardware. Mining Bitcoin on a victim's CPU or even a high-end GPU is hopelessly uncompetitive: the hijacked machine would earn effectively nothing against industrial ASIC farms. Hijacked commodity hardware is the wrong tool for Bitcoin.
Monero is built differently. Its proof-of-work algorithm, RandomX, is deliberately ASIC-resistant and optimized for ordinary CPUs. That design choice, meant to keep Monero mining decentralized and fair, is exactly what makes it ideal for cryptojacking: a stolen CPU is a competitive miner. On top of that, Monero is privacy-focused by default, using ring signatures and stealth addresses that make transactions far harder to trace than Bitcoin's public ledger. For an attacker, CPU-mineable plus hard-to-trace is the ideal combination, which is why the open-source miner XMRig (a legitimate Monero miner) is the single most abused tool in crypto-malware.
How crypto-malware works
Crypto-malware comes in two broad forms that differ in where the mining code runs and how persistent it is.
Host-based (binary) cryptojacking. A miner is installed and runs as a process on the machine, often XMRig or a wrapper around it. The malware establishes persistence so it survives reboot, frequently throttles its own CPU use to avoid the obvious slowdown that would get it caught, and kills competing miners it finds already on the host. This is the form that dominates server and cloud compromises, where the machine runs unattended and a persistent process can mine for weeks.
In-browser cryptojacking. Mining JavaScript is injected into a web page, and it runs in the visitor's browser for as long as the tab is open, mining on the visitor's CPU. Nothing is written to disk; close the tab and it stops. This was popularized by Coinhive, a browser-based Monero mining service that legitimate sites could embed but that was overwhelmingly abused, injected into compromised sites and malicious ads to mine off unsuspecting visitors. Coinhive shut down in March 2019 after a Monero algorithm change and price drop made it unprofitable, which cut browser-based cryptojacking sharply, though the technique did not disappear.
However it runs, the chain is recognizable.
- Delivery. The miner reaches the target through a familiar route: a phishing email with a malicious attachment or link, a compromised website or malicious advertisement (malvertising) serving a drive-by script, an exploited unpatched internet-facing service, or, increasingly, an exposed and misconfigured cloud or container management interface.
- Execution. The mining code starts, either as a process on the host or as script in the browser. Host-based variants establish persistence so they restart on boot.
- Connect to a mining pool. The miner connects to a cryptocurrency mining pool, usually over the Stratum protocol, and begins contributing computational work under the attacker's wallet. This outbound connection to a pool is one of the clearest network signals the malware produces.
- Mine and stay quiet. The miner consumes CPU or GPU cycles, often capping usage to stay under the radar, and keeps going. There is no further objective. The longer it runs unnoticed, the more it earns.
MITRE ATT&CK catalogs this behavior as Resource Hijacking, technique T1496, under the Impact tactic (TA0040). The cryptomining case specifically maps to the sub-technique T1496.001, Compute Hijacking. Mapping the activity to a named technique turns a vague "the server is slow" into a specific, detectable behavior.
Crypto-malware vs. ransomware
Both are common malware payloads and both involve cryptocurrency, so they get conflated. Operationally they are opposites, and the contrast is the fastest way to understand crypto-malware.
| Aspect | Crypto-malware (cryptojacking) | Ransomware |
|---|---|---|
| Goal | Mine cryptocurrency using your resources | Extort a payment from you |
| Data | Untouched | Encrypted or stolen |
| Visibility | Hides; wants to never be noticed | Announces itself with a ransom demand |
| Damage | Stolen compute, power, and cloud spend | Lost access to data and operations |
| Time horizon | Long, the longer it runs the better | Immediate, payment is the point |
| First clue | Performance, heat, or a cloud bill | A ransom note and locked files |
The practical lesson runs both ways. Crypto-malware's stealth is its strength, which is exactly why it often goes undetected for months while ransomware is found within minutes of detonation. And the same initial access that drops a miner today can drop ransomware tomorrow. A cryptojacking infection is proof an attacker has a foothold and is, for now, choosing the quiet payday. Treat it as the warning it is, not as a minor nuisance.
Crypto-malware in the cloud
Cryptojacking found its perfect environment in the cloud, and that is where the highest-value campaigns now concentrate. The reasons are structural. Cloud accounts can spin up enormous compute on demand; that compute is billed to the victim, not the attacker; and a compromised set of credentials can launch mining instances across regions far faster than anyone reviews the bill.
Attackers get in through exposed and misconfigured services: leaked or stolen cloud credentials, internet-facing management APIs left open, and unprotected container and orchestration interfaces, exposed Docker daemons and Kubernetes APIs being favorite targets. Once inside, they create compute and start mining, and the speed is the point. Google's Cloud Threat Horizons reporting has documented cryptominers being deployed in compromised cloud projects within minutes of the resources being created, and tracked dedicated cryptojacking actors who use stolen credentials to spin up mining compute across hijacked tenants.
Named operations make the threat concrete. TeamTNT built its reputation targeting exposed Docker and Kubernetes deployments to mine cryptocurrency and steal cloud credentials. Kinsing and LemonDuck similarly hit exposed Linux services and containers to drop miners. These are not browser nuisances; they are automated campaigns that scan the internet for misconfigured cloud and container infrastructure and turn it into a mining fleet. MITRE ATT&CK added a dedicated sub-technique, T1496.004 Cloud Service Hijacking, reflecting how central the cloud has become to resource-hijacking attacks.
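The two cloud-side signals this section and the opening scenario describe, compute running in regions nobody deploys to and a bill that jumps overnight, can be checked mechanically against an asset inventory and a daily spend series. The Python below is an added example, not code from the article or from any cloud provider; the inventory rows, instance ids, spend figures, region allowlist and required tag name are all constructed placeholders.

```python
"""Cloud-side cryptojacking signals: unexpected instances and a spend jump.

Added example, not code from the original article or any vendor. The
inventory, spend figures, allowlist and tag name are constructed placeholders.
"""
from statistics import median

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}  # constructed: where this account deploys
REQUIRED_TAG = "deployment"                   # constructed: tag every sanctioned instance carries
SPEND_RATIO = 2.0                             # a day is anomalous above this multiple of baseline
WINDOW_DAYS = 7                               # baseline window preceding each day

# Constructed inventory export. i-0003/i-0004 are the "instances no one remembers
# launching" pattern: large, untagged, in regions the allowlist does not cover.
INVENTORY = [
    {"id": "i-0001", "region": "us-east-1", "type": "m5.large", "tags": {"deployment": "web"}},
    {"id": "i-0002", "region": "eu-west-1", "type": "m5.large", "tags": {"deployment": "api"}},
    {"id": "i-0003", "region": "ap-southeast-2", "type": "c5.24xlarge", "tags": {}},
    {"id": "i-0004", "region": "sa-east-1", "type": "c5.24xlarge", "tags": {}},
    {"id": "i-0005", "region": "us-east-1", "type": "t3.micro", "tags": {}},
]
# Constructed daily compute spend in dollars, oldest first; the last day is the "bill tripled" day.
DAILY_SPEND = [410.0, 398.0, 405.0, 412.0, 401.0, 399.0, 407.0, 1240.0]


def unexpected_instances(inventory, allowed_regions=ALLOWED_REGIONS, required_tag=REQUIRED_TAG):
    """Return (instance id, reason) for instances outside the region allowlist
    or missing the deployment tag that sanctioned workloads must carry."""
    findings = []
    for inst in inventory:
        reasons = []
        if inst["region"] not in allowed_regions:
            reasons.append(f"region {inst['region']} not in allowlist")
        if required_tag not in inst["tags"]:
            reasons.append(f"missing '{required_tag}' tag")
        if reasons:
            findings.append((inst["id"], "; ".join(reasons)))
    return findings


def spend_anomalies(daily_spend, window=WINDOW_DAYS, ratio=SPEND_RATIO):
    """Return (day index, spend, baseline) for days whose spend exceeds ratio times
    the median of the preceding `window` days. The median keeps one earlier
    spike from inflating the baseline and hiding the next one."""
    anomalies = []
    for i in range(window, len(daily_spend)):
        baseline = median(daily_spend[i - window:i])
        if daily_spend[i] > ratio * baseline:
            anomalies.append((i, daily_spend[i], baseline))
    return anomalies


def triage(inventory=INVENTORY, daily_spend=DAILY_SPEND):
    """Combine both checks into one report; what to stop or rotate is a human call."""
    return {"instances": unexpected_instances(inventory), "spend": spend_anomalies(daily_spend)}


if __name__ == "__main__":
    report = triage()
    for inst_id, reason in report["instances"]:
        print(f"instance {inst_id}: {reason}")
    for day, spend, baseline in report["spend"]:
        print(f"day {day}: spend {spend:.0f} vs baseline {baseline:.0f}")
```

Both checks are cheap to run daily against an inventory export and a billing export; the region allowlist and the spend ratio are the two knobs a team tunes to its own footprint, and a billing alert configured at the provider fires on the same condition the second function computes.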
How to detect crypto-malware
Crypto-malware hides, but mining is computationally expensive and noisy by nature, so it cannot hide the resource consumption or the network connection it depends on. Detection lives in those two places.
- Resource usage. Sustained, abnormally high CPU or GPU utilization, especially on a host that should be idle or on a process with no business consuming it, is the classic signal. On laptops and workstations this shows up as overheating, constant fan noise, and sluggish performance. Throttled miners are quieter but still produce a steady, unexplained baseline of usage.
- The cloud and power bill. In the cloud, the bill is the smoke detector. Unexpected compute spend, instances in unused regions, and usage that does not map to any deployment are often the first and clearest indicator of a mining infection. On-premises, an unexplained jump in electricity use points the same way.
- Network connections to mining pools. Miners must talk to a pool. Outbound connections to known mining-pool addresses, and DNS lookups for mining-pool domains, are high-fidelity indicators. Monitoring egress traffic and DNS for these destinations catches the miner whether or not you have its binary.
- Process and behavioral signals. A new persistent process consuming heavy CPU, a known miner binary like XMRig on disk or in memory, or a workload spawning mining processes are exactly the patterns that behavioral tooling flags. Endpoint detection and response and cloud workload monitoring are built to catch this where signature antivirus alone may not.
The throughline: signatures catch the miners you already know, but the behavior (the pegged CPU, the Stratum connection to a pool, the cloud spend that maps to nothing) catches the infection regardless of which family it is.
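The resource, process and network signals listed above can be combined into one behavioral pass over telemetry. The Python below is an added example, not code from the article or from any EDR or cloud-monitoring product; the process samples, DNS log lines, connection records, host names and wallet string are constructed, and the pool domains are .invalid placeholders standing in for a threat-intel blocklist. The Stratum check keys on the JSON-RPC session-start method names (mining.subscribe and mining.authorize in the Bitcoin-style dialect, login in the dialect XMRig uses), so it does not depend on recognising the pool host.

```python
"""Host- and network-side cryptojacking detection over constructed telemetry.

Added example, not code from the original article or from any product. All
hosts, pids, log lines, the .invalid pool domains and the wallet placeholder
below are constructed and are not real indicators.
"""
import json
from collections import defaultdict

POOL_DOMAINS = {"pool.example-mining.invalid", "xmr.example-pool.invalid"}  # constructed blocklist
KNOWN_MINER_NAMES = {"xmrig"}  # miner binary named in the article
# Stratum JSON-RPC session-start methods: Bitcoin-style dialect and the dialect XMRig uses.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "login"}
CPU_THRESHOLD = 80.0    # percent of one core
SUSTAINED_SAMPLES = 3   # consecutive samples above threshold before alerting

# Constructed per-process CPU samples, in sampling order. db-03 runs a throttled miner.
PROCESS_SAMPLES = [
    {"host": "web-01", "pid": 4711, "comm": "xmrig", "cpu": 97.0},
    {"host": "build-02", "pid": 2200, "comm": "cc1", "cpu": 99.0},
    {"host": "db-03", "pid": 901, "comm": ".cache-helper", "cpu": 45.0},
    {"host": "web-01", "pid": 4711, "comm": "xmrig", "cpu": 96.0},
    {"host": "build-02", "pid": 2200, "comm": "cc1", "cpu": 99.0},
    {"host": "db-03", "pid": 901, "comm": ".cache-helper", "cpu": 46.0},
    {"host": "web-01", "pid": 4711, "comm": "xmrig", "cpu": 98.0},
    {"host": "build-02", "pid": 2200, "comm": "cc1", "cpu": 4.0},  # compile finished
]
# Constructed DNS query log: "<timestamp> <client host> <queried name>".
DNS_LOG = """\
2024-05-01T10:00:01Z db-03 pool.example-mining.invalid
2024-05-01T10:00:02Z web-01 updates.example.com
2024-05-01T10:00:03Z web-01 xmr.example-pool.invalid
"""
# Constructed outbound connections with the first client message captured as text.
CONNECTIONS = [
    {"host": "db-03", "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}'},
    {"host": "app-04", "dst": "198.51.100.5", "dport": 443, "payload": "GET / HTTP/1.1"},
    {"host": "web-01", "dst": "203.0.113.20", "dport": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":[]}'},
]

def sustained_cpu(samples, threshold=CPU_THRESHOLD, needed=SUSTAINED_SAMPLES):
    """Flag a process once it stays above `threshold` for `needed` consecutive
    samples; a burst that drops off (a compiler, a backup job) resets the streak."""
    streak, flagged, findings = defaultdict(int), set(), []
    for s in samples:
        key = (s["host"], s["pid"], s["comm"])
        streak[key] = streak[key] + 1 if s["cpu"] >= threshold else 0
        if streak[key] >= needed and key not in flagged:
            flagged.add(key)
            findings.append((s["host"], "sustained_cpu", f"{s['comm']} pid {s['pid']} above {threshold:.0f}%"))
    return findings

def known_miner_process(samples, names=KNOWN_MINER_NAMES):
    """Signature-style check: the process name is a known miner binary."""
    seen = set()
    for s in samples:
        if s["comm"].lower() in names:
            seen.add((s["host"], "known_miner", f"process {s['comm']}"))
    return sorted(seen)

def pool_dns_lookups(dns_log, pool_domains=POOL_DOMAINS):
    """Match queried names (and their subdomains) against the pool blocklist."""
    findings = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than crash the pipeline
        _ts, host, name = parts
        name = name.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in pool_domains):
            findings.append((host, "pool_dns", f"lookup of {name}"))
    return findings

def stratum_handshakes(connections, methods=STRATUM_METHODS):
    """Protocol check: the first message is a Stratum session start. This works
    even when the pool host appears on no blocklist."""
    findings = []
    for c in connections:
        try:
            msg = json.loads(c["payload"])
        except ValueError:
            continue  # not JSON, so not a Stratum handshake
        if isinstance(msg, dict) and msg.get("method") in methods:
            findings.append((c["host"], "stratum", f"{msg['method']} to {c['dst']}:{c['dport']}"))
    return findings

def detect(samples=PROCESS_SAMPLES, dns_log=DNS_LOG, connections=CONNECTIONS):
    """Run every check and group signals per host. A host carrying both a resource
    signal and a network signal is the strongest case for a live miner."""
    findings = (sustained_cpu(samples) + known_miner_process(samples)
                + pool_dns_lookups(dns_log) + stratum_handshakes(connections))
    by_host = defaultdict(set)
    for host, signal, _detail in findings:
        by_host[host].add(signal)
    return findings, dict(by_host)
```

Calling detect() on the constructed data returns six (host, signal, detail) tuples and a per-host summary. The throttled process on db-03 never crosses the CPU threshold and is caught only by the DNS and Stratum checks, while the compiler on build-02 hits 99 percent twice and is not flagged because its streak breaks; that is why the resource and network signals are used together rather than either alone.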
How to prevent crypto-malware
Prevention is mostly the same hygiene that stops any malware, with extra weight on the cloud and on closing the exposures cryptojackers scan for.
- Patch and close exposed services. Crypto-malware leans heavily on unpatched internet-facing services and exposed management interfaces. Patch promptly, and never leave Docker daemons, Kubernetes APIs, or remote-access services open to the internet without authentication.
- Harden cloud accounts. Enforce least privilege, protect and rotate credentials, require multi-factor authentication, and set billing and usage alerts so anomalous compute spend triggers a fast response instead of a surprise invoice.
- Filter delivery and browser-based mining. Block malicious sites and ads, use email authentication (SPF, DKIM, DMARC) and spam filtering to cut phishing delivery, and use browser controls or extensions that block known cryptomining scripts.
- Monitor resources and egress. Baseline normal CPU and compute usage so deviations stand out, and monitor DNS and outbound traffic for mining-pool connections. The thing the miner cannot hide is the work it does and the pool it talks to.
- Deploy behavioral detection. Endpoint and cloud workload monitoring that flags unexpected high-resource processes and known miner behavior catches infections that slip past prevention.
Layered, these do not just block crypto-malware. They close the same exposures (weak credentials, unpatched services, open APIs) that an attacker would otherwise use to drop ransomware or steal data. The miner is often the cheapest signal that those holes exist.
Frequently Asked Questions
What is crypto-malware?
Crypto-malware is malicious software that hijacks a victim's computing resources, such as CPU, GPU, or cloud compute, to mine cryptocurrency without consent. The mined coins go to the attacker, while the victim is left with slower hardware, higher electricity or cloud costs, and no obvious sign of compromise. The activity it performs is called cryptojacking, and unlike most malware it tries to stay hidden rather than announce itself.
What is the difference between crypto-malware and ransomware?
Ransomware encrypts your data and demands a payment to unlock it, so it announces itself immediately. Crypto-malware quietly mines cryptocurrency using your hardware and tries never to be noticed, because every hour it runs undetected is more profit. Both can involve cryptocurrency, which causes the confusion, but ransomware attacks your data while crypto-malware steals your compute. The same initial access that drops a miner can also drop ransomware later.
Why does crypto-malware mine Monero instead of Bitcoin?
Bitcoin mining is dominated by specialized ASIC hardware, so mining it on a hijacked CPU or GPU earns almost nothing. Monero's RandomX algorithm is deliberately ASIC-resistant and CPU-friendly, which makes stolen commodity hardware a competitive miner. Monero is also privacy-focused by default, with features that make transactions hard to trace. CPU-mineable plus hard-to-trace is the ideal combination for an attacker, which is why XMRig, a Monero miner, is the most abused tool in crypto-malware.
How do I know if my computer has crypto-malware?
The most common signs are sustained high CPU or GPU usage, overheating and constant fan noise, sluggish performance, and a process consuming heavy resources for no clear reason. In the cloud, the clearest signal is an unexplained jump in compute spend or instances running in regions you do not use. Outbound connections to cryptocurrency mining pools and DNS lookups for mining-pool domains are also strong indicators.
Is cryptojacking the same as crypto-malware?
They are closely related but not identical. Cryptojacking is the act of mining cryptocurrency on someone else's hardware without permission. Crypto-malware is the software that carries out that act. In practice the terms are often used interchangeably, but precisely, crypto-malware is the tool and cryptojacking is the attack it performs.
Why is crypto-malware a serious problem if it does not steal data?
Even though it does not encrypt or exfiltrate data, crypto-malware steals real value: processing power, electricity, hardware lifespan, and, in the cloud, direct billing for compute the attacker uses. More importantly, an active miner proves an attacker has a foothold in your environment. They are choosing the quiet payday for now, and the same access can be used to deploy ransomware or steal data next, which is why a cryptojacking infection should be treated as a serious breach, not a minor annoyance.
The bottom line
Crypto-malware is the quiet malware. Its payload is unauthorized cryptocurrency mining, it steals compute and electricity rather than data, and its whole strategy is to avoid the attention that ransomware actively seeks. It favors Monero because RandomX makes a stolen CPU a viable miner and Monero's privacy makes the proceeds hard to trace, and it runs either as a persistent binary on a host or as script in a browser. The cloud is now its richest hunting ground, where exposed APIs and stolen credentials let attackers mine on someone else's bill at scale.
For a defender the work is concrete. Close the exposures cryptojackers scan for (patch services, lock down APIs, protect credentials), and watch the two things mining cannot hide: the resource consumption and the connection to a pool. The CPU pegged at 100 percent, the Stratum traffic, the cloud bill that maps to nothing, those are the tells. And the miner you find is also a warning: the foothold that fed it can feed something worse.