What Is Cryptojacking? How It Works and Detection
Cryptojacking is the unauthorized use of someone else's computing resources (CPU, GPU, or cloud compute) to mine cryptocurrency without consent.
In its November 2021 Cloud Threat Horizons report, Google's Cybersecurity Action Team noted that when an attacker compromised a Google Cloud instance, mining software was downloaded within 22 seconds in 58 percent of cases. Not a backdoor, not a data grab. A miner, running almost before anyone could notice the box had even been breached. The attacker did not want the data on those instances. They wanted the CPU.
That is cryptojacking: the unauthorized use of someone else's computing resources to mine cryptocurrency. It is theft of compute, not data. The attacker pays nothing for the hardware or the electricity, pockets the mined coins, and counts on the victim never looking closely at a slightly slower server or a slightly higher bill. This article covers what cryptojacking is as an attack, where it runs, how an incident actually unfolds, the signs a defender can act on, and how to detect and stop it.
What is cryptojacking?
Cryptojacking is mining cryptocurrency on hardware you do not own and were not given permission to use. The math is identical to legitimate mining. The crime is in whose processor, and whose power bill, pays for it.
It helps to separate the act from the tool. Cryptojacking is the activity, the unauthorized mining itself. The malicious software that carries it out, the miner and its persistence and delivery machinery, is usually called crypto-malware. This article is about the attack: what it does, why it is attractive, and how it shows up in an environment. The miner is just the instrument.
The defining trait of cryptojacking is that it does not want to be seen. Most attacks have a moment of impact you cannot miss: a ransom note, a defaced page, a leaked database. Cryptojacking has none. A successful campaign is one nobody notices, because every hour it runs undetected is another hour of free mining on someone else's dime. The attacker's whole strategy is to keep the host alive, working, and unaware.
The economics drive everything. CPU mining on commodity hardware barely covers its own electricity, so it only pays at scale and only when someone else is paying the power bill. An attacker does not want one machine, they want thousands, and they never want the invoice. A single hijacked laptop earns almost nothing. A fleet of hijacked cloud instances, or ten thousand infected endpoints, is a profitable mining operation funded entirely by its victims.
Where cryptojacking runs
Cryptojacking shows up in three places, and the difference matters for how you find it.
In the browser. Mining JavaScript runs inside a visitor's browser while a page is open, using the visitor's CPU. Nothing is written to disk, and closing the tab stops it. This was popularized by Coinhive, an in-browser Monero mining service that sites could embed but that was overwhelmingly abused, injected into compromised sites and malicious ads to mine off unsuspecting visitors. Coinhive shut down in March 2019 after a Monero hard fork and a steep drop in the coin's price made it unprofitable, which cut browser-based cryptojacking sharply. The technique never fully disappeared, but it is no longer where the money is.
On the host. A miner is installed and runs as a process, typically XMRig, an open-source Monero miner that is legitimate software in itself, or a wrapper around it. It establishes persistence so it survives reboot, often throttles its own CPU use to avoid an obvious slowdown, and frequently kills any competing miners it finds already running. This is the form that dominates server compromises, where a machine runs unattended and a quiet process can mine for weeks.
In the cloud. This is where the highest-value campaigns now live, and where the attack changes character. A compromised cloud account can spin up enormous compute on demand, that compute is billed to the victim, and stolen credentials let an attacker launch mining instances across regions faster than anyone reviews the invoice. Attackers get in through exposed and misconfigured services: leaked credentials, internet-facing management APIs, and unprotected container interfaces, with exposed Docker daemons and Kubernetes APIs as favorite targets. The speed is the point. Google's Cloud Threat Horizons reporting found mining software deployed within seconds of compromise, and tracked actors like TeamTNT and Kinsing that scan the internet for misconfigured cloud and container infrastructure and turn it into a mining fleet.
The shift from the browser to the host and cloud is the story of the last several years. SonicWall's Capture Labs recorded 1.06 billion cryptojacking hits in 2023, a sharp jump over the prior year, but the more important change is qualitative: the threat moved off the browser tab and onto servers and cloud workloads, where it runs longer and pays more.
How a cryptojacking attack works
However it runs, a cryptojacking attack follows a recognizable chain. The steps are the same whether the target is a laptop, a server, or a cloud tenant.
- Gain access. The miner reaches the target through a familiar route: a phishing email with a malicious attachment or link, a compromised website or malicious advertisement serving a drive-by script, an exploited unpatched internet-facing service, or an exposed and misconfigured cloud or container management interface.
- Execute the miner. The mining code starts, as a process on the host or as a script in the browser. Host and cloud variants establish persistence so the miner restarts on boot and survives a cleanup that misses it.
- Connect to a mining pool. The miner reaches out to a cryptocurrency mining pool, almost always over the Stratum protocol (newline-delimited JSON-RPC over TCP, often wrapped in TLS), and logs in with the attacker's wallet address so that the work it contributes is credited to the attacker. This outbound connection, and the wallet carried in its first message, is the single clearest network signal the attack produces.
- Mine and stay quiet. The miner consumes CPU or GPU cycles, often capping usage to avoid the obvious slowdown that would get it caught, and keeps going. There is no further objective. The longer it runs unnoticed, the more it earns.
MITRE ATT&CK catalogs this behavior as Resource Hijacking, technique T1496, under the Impact tactic (TA0040). Since ATT&CK v16 (October 2024) the technique has four sub-techniques; cryptojacking maps specifically to T1496.001, Compute Hijacking, and a cloud campaign that launches mining instances on a victim's account still falls there. The related T1496.004, Cloud Service Hijacking, covers abusing a victim's hosted services for the attacker's own resource-intensive workloads. Naming the behavior turns a vague "the server feels slow" into a specific, detectable pattern a SOC can hunt for.
One detail separates cryptojacking from most malware: there is no step five. There is no exfiltration, no encryption, and no lateral spread that the operation requires; worm-style campaigns like TeamTNT and Kinsing do spread, but only to find more CPUs, and each infected host is its own complete payday. The attack reaches its goal the moment the miner connects, and then it simply persists. That is what makes it easy to dismiss and dangerous to ignore.
Why cryptojacking is a real problem, not a nuisance
The instinct is to treat a miner as a minor annoyance: it slows things down, you kill the process, you move on. That underrates it on two fronts.
First, the direct cost is real. Cryptojacking steals processing power, electricity, and hardware lifespan, and in the cloud it steals money directly, because the attacker's mining runs on compute billed to the victim. A miner left running across a fleet of cloud instances can produce a five- or six-figure bill before anyone connects the spend to an intrusion. The attacker keeps the coins; the victim keeps the invoice.
Second, and more important, a miner is proof of a foothold. The same initial access that dropped a miner (stolen credentials, an exposed API, an unpatched service) is access that can drop ransomware or steal data tomorrow. The attacker is, for now, choosing the quiet payday. A cryptojacking infection is not the worst thing that could be happening in your environment; it is evidence that the worst thing is possible. Treat the miner as the warning it is.
How to detect cryptojacking
Cryptojacking hides, but mining is computationally expensive and chatty by nature. It cannot hide the work it does or the connection it depends on. Detection lives in those two places.
- Resource usage. Sustained, abnormally high CPU or GPU utilization, especially on a host that should be idle or a process with no business consuming it, is the classic signal. On laptops and workstations it surfaces as overheating, constant fan noise, and sluggishness. Throttled miners are quieter but still leave a steady, unexplained baseline of usage that a good performance baseline will expose.
- The cloud and power bill. In the cloud, the bill is the smoke detector. Unexpected compute spend, instances in regions you do not use, and usage that maps to no deployment are often the first and clearest sign. On-premises, an unexplained jump in electricity use points the same way.
- Network connections to mining pools. Miners must talk to a pool. Outbound connections to known mining-pool addresses and DNS lookups for mining-pool domains, frequently over the Stratum protocol, are high-fidelity indicators. Watching egress and DNS catches the miner whether or not you ever recover its binary. The caveat is that a miner pointed at an attacker-run Stratum proxy, or speaking Stratum inside TLS on a non-standard port, shows no recognizable pool domain at all, so treat the DNS signal as high-fidelity but not high-coverage and lean on the resource signal alongside it.
- Process and behavioral signals. A new persistent process pegging the CPU, a known miner binary like XMRig on disk or in memory, or a workload spawning mining processes are exactly the patterns behavioral tooling is built to flag. Cloud security monitoring and endpoint detection catch this where signature antivirus alone may miss a repacked miner.
The throughline: signatures catch the miners you already know, but the behavior (the pegged CPU, the Stratum connection, the cloud spend that maps to nothing) catches the attack regardless of which family delivered it.
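The following is an added example, not code from the original article, that ties the pool-connection step of the attack chain above to the detection list here. It triages constructed evidence for one host: the first bytes of outbound TCP sessions (classified as Stratum by their JSON-RPC method names), DNS query lines in an assumed log shape, and a CPU series checked for a sustained plateau above the host's baseline. The wallet string, IP addresses, hostnames, log format and the pool-hostname heuristic are all assumptions made for the example.

```python
"""Added example (not from the original article): triage constructed evidence
for the three things a miner cannot hide: its Stratum session, its pool lookups
and its CPU burn. Sample payloads, DNS lines and CPU series are made up here."""
import json
import re
from typing import List, Optional, Sequence, Tuple

# Client-side Stratum JSON-RPC method names. mining.* is Stratum v1 as used by
# Bitcoin-style pools; login/submit/keepalived is the Monero dialect XMRig
# speaks. This is a starting allowlist, not an exhaustive one.
STRATUM_CLIENT_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "login", "submit", "keepalived",
}
# Assumed, deliberately crude hostname heuristic for pool lookups ("carpool"
# would match too). Pair it with a curated pool list in production.
POOL_HOST_RE = re.compile(r"(pool|xmr|monero)", re.I)


def _first_json_line(payload: bytes) -> Optional[dict]:
    """Decode the first newline-terminated line of a TCP payload as JSON."""
    try:
        msg = json.loads(payload.split(b"\n", 1)[0].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return msg if isinstance(msg, dict) else None


def is_stratum_payload(payload: bytes) -> bool:
    """True when the first message of a session is a Stratum JSON-RPC request.
    Miners send one newline-delimited JSON object before anything else."""
    msg = _first_json_line(payload)
    return (msg is not None
            and msg.get("method") in STRATUM_CLIENT_METHODS
            and "params" in msg)


def stratum_wallet(payload: bytes) -> Optional[str]:
    """Pull the wallet/worker the miner logs in with. That string is the
    attacker's payout identity and a good pivot for finding other hosts."""
    if not is_stratum_payload(payload):
        return None
    msg = _first_json_line(payload)
    params = msg["params"]
    if msg["method"] == "login" and isinstance(params, dict):
        return params.get("login")
    if msg["method"] == "mining.authorize" and isinstance(params, list) and params:
        return params[0]
    return None


def pool_lookups(dns_lines: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (host, qname) pairs whose queried name looks like a mining pool.
    Assumed log shape (constructed): '<ts> <host> query <qname> <qtype>'."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        host, qname = parts[1], parts[3]
        if POOL_HOST_RE.search(qname):
            hits.append((host, qname))
    return hits


def sustained_cpu(samples: Sequence[float], baseline_pct: float,
                  delta_pct: float = 40.0, min_run: int = 6) -> bool:
    """True if CPU sat at least delta_pct above the host's baseline for
    min_run consecutive samples. A throttled miner is a steady plateau, so a
    long run above baseline matters more than a single spike."""
    run = best = 0
    for s in samples:
        run = run + 1 if s - baseline_pct >= delta_pct else 0
        best = max(best, run)
    return best >= min_run


def triage(sessions, dns_lines, cpu_series, baseline_pct) -> dict:
    """Combine the three signals for one host into a findings dict."""
    findings = {"stratum": [], "pool_dns": [], "sustained_cpu": False}
    for dst, payload in sessions:
        if is_stratum_payload(payload):
            findings["stratum"].append((dst, stratum_wallet(payload)))
    findings["pool_dns"] = pool_lookups(dns_lines)
    findings["sustained_cpu"] = sustained_cpu(cpu_series, baseline_pct)
    return findings


# Constructed evidence for a hypothetical host "web-01". Addresses are from
# documentation ranges and the wallet is a placeholder, not a real address.
SAMPLE_SESSIONS = [
    ("203.0.113.10:3333", b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                         b'{"login":"4AxWALLETxPLACEHOLDER","pass":"x","agent":"XMRig/6.21.0"}}\n'),
    ("198.51.100.7:3333", b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'),
    ("203.0.113.20:443", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5:8080", b'{"id":1,"method":"getUser","params":[]}\n'),
]
SAMPLE_DNS = [
    "2024-05-01T02:14:03Z web-01 query pool.minexmr.com A",
    "2024-05-01T02:14:09Z web-01 query www.example.com A",
    "2024-05-01T02:15:40Z web-01 query xmr-eu1.nanopool.org A",
]
SAMPLE_CPU = [6, 7, 5, 88, 90, 92, 91, 89, 93, 90, 88, 4]   # percent utilization
SAMPLE_BASELINE = 5.0

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SESSIONS, SAMPLE_DNS, SAMPLE_CPU, SAMPLE_BASELINE), indent=2))
```

The wallet pulled out of the login message is worth more than the destination IP: pools and proxies change, but the attacker keeps paying into the same address, so searching for that string across your egress captures finds the rest of the fleet. The CPU check deliberately looks for a run rather than a peak because a miner capped at, say, 50 percent never trips a simple threshold alert but never drops back to baseline either.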
How to prevent cryptojacking
Prevention is mostly the same hygiene that stops any intrusion, weighted toward the exposures cryptojackers scan for.
- Patch and close exposed services. Cryptojacking leans heavily on unpatched internet-facing services and open management interfaces. Patch promptly, and never leave Docker daemons, Kubernetes APIs, or remote-access services reachable from the internet without authentication. A Docker daemon listening on TCP port 2375 without TLS client verification is root on the host for anyone who can reach it, which is exactly what the scanners behind TeamTNT and Kinsing look for.
- Harden cloud accounts. Enforce least privilege, protect and rotate credentials, require multi-factor authentication, and set billing and usage alerts so anomalous compute spend triggers a fast response instead of a surprise invoice.
- Filter delivery. Block malicious sites and ads, use email authentication and spam filtering to cut phishing, and apply browser controls or extensions that block known cryptomining scripts.
- Baseline and monitor. Establish normal CPU and compute usage so deviations stand out, and watch DNS and outbound traffic for mining-pool connections. The work and the pool are the two things the miner cannot hide.
- Deploy behavioral detection. Endpoint and cloud workload monitoring that flags unexpected high-resource processes and known miner behavior catches what slips past prevention.
Layered, these do more than block cryptojacking. They close the weak credentials, unpatched services, and open APIs an attacker would otherwise use for ransomware or data theft. The miner is often the cheapest possible signal that those holes exist.
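As an added illustration of the "close exposed services" item above, and not code from the original article, the check below audits a Docker daemon.json for the exposure that cryptojacking scanners look for: the Remote API served over TCP without TLS client verification, or bound to every interface. The two configurations are constructed; the management address and certificate paths are assumptions, while the keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the 2375/2376 port convention are Docker's own.

```python
"""Added example (not from the original article): audit a Docker daemon.json
for the exposure cryptojacking scanners hunt for. Both configs are constructed;
the bind address and certificate paths are assumed."""
import json
from typing import List

# Weak: the Remote API on every interface, plaintext, no client auth.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: TLS with mutual authentication, bound to a management address.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}"""

# Socket-only: nothing listens on the network, nothing to audit.
SOCKET_ONLY_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock"]
}"""


def audit_daemon_json(text: str) -> List[str]:
    """Return a list of findings for a daemon.json; empty means no exposure."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    if not cfg.get("tlsverify", False):
        findings.append("Remote API on TCP without tlsverify: unauthenticated root on the host")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is not; pin the certificate paths")
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if addr.startswith("0.0.0.0") or addr.startswith("[::]"):
            findings.append(f"{host} binds every interface; bind a management address instead")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON),
                       ("socket-only", SOCKET_ONLY_DAEMON_JSON)):
        print(name, audit_daemon_json(text) or ["ok"])
```

The same shape of check applies to any management API: is it on the network at all, does it authenticate the client, and is it bound wider than it needs to be. Running it as a pre-deploy lint on the daemon.json you ship is cheaper than learning the answer from a cloud bill.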
Frequently Asked Questions
What is cryptojacking?
Cryptojacking is the unauthorized use of someone else's computing resources, such as a CPU, GPU, or cloud compute, to mine cryptocurrency without consent. The mined coins go to the attacker, while the victim is left with slower hardware, higher electricity or cloud costs, and usually no obvious sign of compromise. Unlike most attacks, cryptojacking tries to stay hidden rather than announce itself.
How does a cryptojacking attack work?
The attacker gains access through phishing, a malicious script, an unpatched service, or an exposed cloud or container interface, then runs a mining program on the victim's hardware. The miner connects to a cryptocurrency mining pool, usually over the Stratum protocol, and contributes computational work credited to the attacker's wallet. It then keeps mining as quietly as possible, often throttling its own usage, because the longer it runs unnoticed the more it earns.
How do I know if I have been cryptojacked?
The most common signs are sustained high CPU or GPU usage, overheating and constant fan noise, sluggish performance, and a process consuming heavy resources for no clear reason. In the cloud, the clearest signal is an unexplained jump in compute spend or instances running in regions you do not use. Outbound connections to cryptocurrency mining pools and DNS lookups for mining-pool domains are also strong indicators.
Is cryptojacking illegal?
Yes. Mining cryptocurrency is legal when you use your own hardware and electricity. Cryptojacking is mining on resources you do not own and were not authorized to use, which is unauthorized access and theft of computing resources under computer-misuse and fraud laws in most jurisdictions. The computation is the same as legal mining; the lack of consent is what makes it a crime.
Why do cryptojacking attacks target the cloud?
Cloud accounts can spin up large amounts of compute on demand, and that compute is billed to the victim rather than the attacker. Stolen credentials or an exposed management API let an attacker launch mining instances across regions faster than anyone reviews the bill, so the cloud offers scale and free electricity in one place. Exposed Docker and Kubernetes interfaces are common entry points, and miners are often running within seconds of a compromise.
Why does cryptojacking matter if no data is stolen?
Cryptojacking steals real value: processing power, electricity, hardware lifespan, and, in the cloud, direct billing for compute the attacker uses. More importantly, an active miner proves an attacker has a working foothold in your environment. They are choosing the quiet payday for now, and the same access can be used to deploy ransomware or steal data next, which is why a cryptojacking infection should be treated as a serious breach rather than a minor annoyance.
The bottom line
Cryptojacking is the quiet attack. Its goal is unauthorized cryptocurrency mining, it steals compute and electricity instead of data, and its entire strategy is to avoid the attention other attacks invite. It runs in the browser, on hosts, and increasingly in the cloud, where exposed APIs and stolen credentials let attackers mine on someone else's bill at scale and within seconds of breaking in.
For a defender the work is concrete. Close the exposures cryptojackers scan for (patched services, locked-down APIs, protected credentials), and watch the two things mining cannot hide: the resource it burns and the pool it calls. The CPU pegged at full, the Stratum traffic, the cloud bill that maps to nothing: those are the tells. And the miner you find is also a warning, because the foothold that fed it can feed something far worse.