  • What is cryptojacking?
  • How does cryptojacking work?
  • Cryptojacking vs. other cyber threats
  • Types of cryptojacking attacks
  • Real-world cryptojacking examples
  • Signs of cryptojacking
  • How to prevent cryptojacking attacks
  • What to do if you’ve been cryptojacked
  • FAQ: Common questions about cryptojacking

What is cryptojacking? How it works, signs, and prevention

Featured 16.06.2026 14 mins
Written by Alpa Somaiya
Reviewed by Ata Hakçıl
Edited by Ana Jovanovic

Most cyberattacks target something obvious: your files, your money, your data. Cryptojacking is different. It quietly steals your computing power and leaves you with the bill.

Attackers hijack your device's processing power to mine cryptocurrency, then collect the rewards while you absorb the costs in higher energy use, slower hardware, and components that wear out faster than they should. It is a gradual, stealthy attack rather than an obvious disruption, which is exactly why it's so easy to miss.

This guide explains how cryptojacking works, what to look for on your device, and the practical steps that prevent it.

What is cryptojacking?

Cryptojacking is a cyberattack in which malicious actors use someone else’s device to mine cryptocurrency without permission. Mining involves running enormous numbers of hash calculations to help validate blockchain transactions in proof-of-work cryptocurrencies. Miners get paid for that work, but the work itself is expensive in both hardware and power. Cryptojackers solve that problem by stealing the hardware and power from someone else.

Monero is the coin of choice for most cryptojacking campaigns today for two reasons. First, it mines efficiently on ordinary CPUs and doesn’t require specialized application-specific integrated circuit (ASIC) hardware. Second, its privacy-focused architecture makes tracing the proceeds back to an attacker difficult.

You don’t need to own or trade cryptocurrency to become a target of cryptojacking. As long as your device connects to the internet and has a CPU, you’re a potential target. It’s an attack that can affect desktops, laptops, smartphones, cloud infrastructure, and even Internet of Things (IoT) devices.

How does cryptojacking work?

A typical cryptojacking attack follows a simple pattern:

  1. Infiltration: The attacker compromises a device, browser, server, or cloud environment and installs a mining script or malware.
  2. Execution: The script runs in the background, siphoning CPU power to solve complex cryptographic puzzles.
  3. Mining and collection: As your device solves these puzzles, it generates "blocks" of data for a blockchain. The rewards (new coins) are sent directly to the attacker’s anonymous digital wallet.

Unlike ransomware, cryptojacking is designed to stay hidden for as long as possible. The longer it runs undetected, the more profitable it becomes.

An infographic showing how cryptojacking works

Cryptojacking vs. other cyber threats

Compared to other cyber threats, cryptojacking stands out because it relies on stealth and resource theft rather than extortion or data destruction.

Attack | What it does | What it wants | Cost to you
Cryptojacking | Hijacks a device’s computing resources | Your processing power and electricity | Electricity, hardware wear, cloud bills
Ransomware | Encrypts your files | Ransom payment to restore access | Ransom, downtime, recovery expenses
Spyware | Collects sensitive information like passwords and browsing habits | Your data | Privacy, financial fraud, intellectual property
Botnet | Hijacks a network of internet-connected devices | Launch large-scale illegal operations | Processing power, internet bandwidth

A worthwhile nuance on the botnet comparison: in practice, large cryptojacking campaigns are botnets. Smominru, for example, infected over 500,000 Windows machines and earned attackers an estimated 8,900 Monero before being disrupted. The label depends mostly on what the botnet is used for.

Types of cryptojacking attacks

Cryptojacking attacks come in several forms, depending on how the malicious code (miner) gets there in the first place and where the mining activity runs. Regardless of how it arrives, the result is the same: your CPU runs flat out, your hardware gets hot, and your electricity bill creeps up.

Host-based cryptojacking

In host-based cryptojacking, crypto-mining malware is installed directly onto a device. This can happen through phishing emails, fake software downloads, malicious browser extensions, or exploited vulnerabilities.

Once installed, the malware quietly starts mining cryptocurrency in the background. Most aim to run for as long as possible, though more sophisticated ones throttle their CPU use or pause when the user is active to avoid being noticed. Some malware also installs persistence mechanisms to survive reboots.

Browser-based cryptojacking

Browser-based cryptojacking, sometimes called drive-by cryptomining, is when a JavaScript or WebAssembly miner runs in your browser while you’re on a page. Attackers inject these scripts into legitimate websites via malicious ads, compromised content management system (CMS) plugins, unsecured content delivery networks (CDNs), or compromised web plugins.

Browser-based attacks are less common than they used to be, and the mining activity usually stops once you close the browser tab.

Cloud cryptojacking

Cloud cryptojacking has become one of the most damaging forms of the attack. Attackers target cloud infrastructure, Kubernetes clusters, exposed Docker APIs, and continuous integration/continuous delivery (CI/CD) environments. They gain access through publicly accessible Docker services, misconfigured Kubernetes dashboards, unpatched servers, and exposed cloud storage.

Cloud systems are attractive because they offer enormous computing power. Once inside, attackers can deploy mining containers, disable security monitoring, move laterally, and abuse autoscaling to maximize mining output. A successful compromise can generate massive cloud bills before anyone notices.

Fileless (memory-based) cryptojacking

In this attack, the miner never writes itself to disk. It runs mining operations entirely in a system’s RAM, typically loaded by a script that abuses something like PowerShell or a vulnerable driver.

Because there’s no file for a traditional antivirus to scan, these attacks are much harder to spot, and many are designed to survive system reboots. Before shutting down, the malicious script or process modifies legitimate system components so that it launches itself all over again when the operating system boots up.

Supply chain cryptojacking

In supply chain attacks, the miner is hidden inside software packages, open-source code, or third-party libraries. Developers or users unknowingly install the compromised software, allowing the mining malware to spread downstream to additional systems.

A notable example occurred in December 2024, when attackers compromised the Rspack npm packages @rspack/core and @rspack/cli. Both packages are part of Rspack, a JavaScript bundler, and had hundreds of thousands of weekly downloads. The attackers published malicious version 1.1.7 of each package after gaining unauthorized npm publishing access. The packages contained obfuscated code that deployed XMRig, an open-source Monero mining tool often abused in cryptojacking campaigns, and used npm’s postinstall mechanism to run when the package was installed.
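The postinstall vector described above, as an added example (not code from the article or from the Rspack project): a small audit that walks a node_modules tree and lists every package that declares an install-time lifecycle script, so a team can review them before they run. The tree it scans is constructed in a temporary directory, and the @example scope is hypothetical.

```python
"""Audit an npm dependency tree for packages that run install-time lifecycle
scripts, the mechanism the Rspack compromise abused.

Added example, not code from the article or the Rspack project. It builds a
constructed node_modules tree in a temporary directory (one clean package and
one hypothetical scoped package with a postinstall hook) and reports every
package that would execute code during "npm install".
"""
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: Path) -> list:
    """Return one record per package (nested trees included) that declares
    any install-time lifecycle script."""
    findings = []
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir():
            continue
        # Scoped packages live one level deeper: node_modules/@scope/name
        if entry.name.startswith("@"):
            pkg_dirs = sorted(p for p in entry.iterdir() if p.is_dir())
        else:
            pkg_dirs = [entry]
        for pkg in pkg_dirs:
            manifest = pkg / "package.json"
            if manifest.is_file():
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    data = {}  # unreadable manifest: report nothing, keep scanning
                scripts = data.get("scripts") or {}
                hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
                if hooks:
                    findings.append({"name": data.get("name", pkg.name),
                                     "version": data.get("version", "?"),
                                     "hooks": hooks})
            nested = pkg / "node_modules"  # packages may ship their own tree
            if nested.is_dir():
                findings.extend(find_install_scripts(nested))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one clean package, one with a postinstall hook."""
    nm = root / "node_modules"
    (nm / "left-pad").mkdir(parents=True)
    (nm / "left-pad" / "package.json").write_text(json.dumps(
        {"name": "left-pad", "version": "1.0.0",
         "scripts": {"test": "node test.js"}}))
    (nm / "@example" / "bundler").mkdir(parents=True)   # hypothetical scope
    (nm / "@example" / "bundler" / "package.json").write_text(json.dumps(
        {"name": "@example/bundler", "version": "9.9.9",
         "scripts": {"postinstall": "node ./support/setup.js"}}))
    return nm


def audit_sample() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['name']}@{f['version']} runs: {f['hooks']}")
```

Running `npm install --ignore-scripts` skips these hooks entirely, which is a reasonable default for CI until flagged packages have been reviewed.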

Real-world cryptojacking examples

Over the years, cryptojacking has affected everything from smartphones to enterprise cloud environments. Here are some more recent cases.

Fake Axis Card Android app

In 2025, attackers created a phishing site impersonating Axis Bank to distribute a fake Android app called "Axis Card.” The app had no real banking functionality. Its purpose was to mine Monero using XMRig.

The malware tried to evade detection by stopping mining whenever the user unlocked their phone. However, the giveaway was thermal: due to sustained CPU usage, just a 30-minute locked period left the phone noticeably hot to the touch when the user picked it up again.

Atlassian Confluence server exploit

In 2024, attackers exploited a critical vulnerability in Atlassian’s Confluence (CVE-2023-22527) to break into unpatched enterprise servers, deploy Monero miners, disable security tools, set up persistence so the miners would survive reboots, and move laterally to other machines in the network.

This pattern of finding an exposed enterprise server, mining quietly, and expanding from there is now becoming standard in cryptojacking attacks.

Misconfigured Kubernetes clusters

In 2024, a new variant of a Kubernetes cryptojacking campaign that had been running since early 2023 was documented. The setup was simple: scan the internet for clusters with anonymous authentication left enabled, then deploy malicious container images from Docker Hub (some with over 10,000 pulls) to mine Dero across every node.

To stay invisible, the attackers gave their deployments official-sounding names like k8s-device-plugin and pytorch-container to blend in with legitimate infrastructure. The miner binary itself was called pause, directly impersonating the real pause container that Kubernetes uses to bootstrap pods. And rather than passing wallet addresses and pool URLs as command-line flags (the obvious thing for defenders to monitor), the attackers hardcoded them straight into a binary.

TeamTNT's Docker Gatling Gun campaign

TeamTNT is a financially motivated threat group known for targeting cloud and container environments, especially exposed Docker and Kubernetes systems, to steal computing power for cryptocurrency mining. In October 2024, researchers disclosed a new TeamTNT campaign built around a script called TDGGinit.sh, short for TeamTNT’s Docker Gatling Gun init shell script.

The script scanned roughly 16.7 million IP addresses for exposed Docker daemons, then deployed a malicious Alpine Linux container from a compromised Docker Hub account onto anything it found. Compromised servers were enrolled into a single attacker-controlled Docker Swarm for coordinated mining at scale.

The unusual twist was the business model. Alongside mining directly, TeamTNT rented the stolen compute to other criminals through a public mining marketplace called Mining Rig Rentals. Essentially, the group had moved from running a mining operation to running a mining-as-a-service operation, with someone else's hardware.

Signs of cryptojacking

Cryptojacking is meant to stay hidden, but it usually leaves behind performance and resource-related clues. The more of these symptoms you notice together, the more likely it is you’ve been cryptojacked.

  • High CPU usage while idle: One of the clearest warning signs is sustained CPU usage when the device should be doing very little.
  • Sluggish performance: Your device feels slow, even during tasks that previously ran smoothly. Apps take longer to open, scrolling stutters, and general responsiveness may drop without an obvious reason.
  • Hot hardware and loud fans: Sustained mining puts your CPU under near-constant heavy load, which generates heat and forces the cooling fans to run harder than normal. If your laptop sounds like it’s about to take off while you’re just reading email, something is likely using the processor. Some mobile malware has even caused battery swelling due to prolonged overheating.
  • Battery drain: Mining is one of the worst possible things you can do to a battery. If your phone or laptop suddenly can't make it through a day on a charge, and especially if it's draining while locked and idle, that's worth investigating.
  • Unexpected cloud or electricity bills: In cloud environments, cryptojacking can create large compute bills very quickly. For home users, the electricity impact is usually smaller, but long-running mining activity may still contribute to increased power consumption. The signal isn't a high bill; it's a sudden, unexplained jump while your usage habits haven't changed.

Common signs of cryptojacking, including slower performance, rapid battery drain, overheating and loud fans, high CPU usage while idle, and higher bills.

How to check for cryptojacking

If you suspect cryptojacking, there are a few practical ways to investigate:

  • Task Manager (Windows) or Activity Monitor (macOS): These built-in monitoring tools help spot unrecognized high-CPU processes when you’d expect the machine to be idle. Many miners still reveal themselves through sustained CPU use, even if the process name is disguised.
  • Endpoint detection and response (EDR) solutions: Modern antivirus and EDR tools like CrowdStrike Falcon and Microsoft Defender for Endpoint can detect many mining behaviors, suspicious scripts, and abnormal resource use patterns.
  • Browser extensions: Content-blocking extensions such as uBlock Origin can block in-browser miners.
  • Network monitoring tools: GlassWire and Wireshark are two examples. Use them to look for outbound traffic to known mining pool addresses on ports such as 3333, 4444, 5555, 7777, or 14444.
  • Htop or top on Linux servers: These help you spot processes with significant CPU usage. Runtime detection tools like Falco assist in production environments.

How to prevent cryptojacking attacks

One challenge with cryptojacking is that it can remain unnoticed for long periods. A miner can run quietly on a server for months before anyone connects the dots between sluggish performance and a higher cloud bill. So, prevention isn’t just better than removal; it’s most of the game.

Set CPU usage alerts

This is perhaps the single most effective control. A basic alert like "Tell me when CPU stays above 80% for more than 10 minutes during off-hours" can catch a huge share of miners, because mining is the one workload that has to run the CPU flat-out to make money.

Azure Monitor, AWS CloudWatch, and Google Cloud Monitoring all support this, and most on-premises monitoring tools do too.
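The alert rule described above, as an added example (not code from the article or from any cloud provider's monitoring product): a detector that fires only when CPU stays at or above a threshold for at least a set duration during off-hours, so short spikes and daytime workloads do not page anyone. The readings are constructed, and the threshold, duration and off-hours window are assumptions.

```python
"""Sustained-CPU alert: fire when CPU stays above a threshold for longer than
a set duration during off-hours.

Added example, not code from the article or from any cloud provider's
monitoring product. The samples are constructed one-minute readings for a
single host; the threshold, duration and off-hours window are assumptions.
"""
from datetime import datetime, timedelta

THRESHOLD = 80.0                      # percent CPU
MIN_DURATION = timedelta(minutes=10)
QUIET_HOURS = range(0, 7)             # assumed quiet window, 00:00-06:59 local


def is_off_hours(ts: datetime) -> bool:
    """Weekends and the quiet window count as off-hours."""
    return ts.weekday() >= 5 or ts.hour in QUIET_HOURS


def sustained_high_cpu(samples, threshold=THRESHOLD, min_duration=MIN_DURATION):
    """Return (start, end) for every run of consecutive samples that stayed at
    or above threshold for at least min_duration, entirely within off-hours.
    Shorter runs and daytime load are ignored, so a nightly backup that spikes
    for a couple of minutes does not trigger an alert."""
    alerts = []
    run_start = prev = None
    for ts, cpu in sorted(samples):
        hot = cpu >= threshold and is_off_hours(ts)
        if hot and run_start is None:
            run_start = ts
        elif not hot and run_start is not None:
            if prev - run_start >= min_duration:
                alerts.append((run_start, prev))
            run_start = None
        prev = ts
    if run_start is not None and prev - run_start >= min_duration:
        alerts.append((run_start, prev))
    return alerts


def sample_day():
    """Constructed readings for Wednesday 2025-01-15, one per minute."""
    base = datetime(2025, 1, 15)

    def block(start_min, count, cpu):
        return [(base + timedelta(minutes=start_min + i), cpu) for i in range(count)]

    return (block(120, 16, 95.0)     # 02:00-02:15: miner-like sustained load
            + block(136, 14, 8.0)    # 02:16-02:29: idle
            + block(150, 5, 97.0)    # 02:30-02:34: short spike, below duration
            + block(155, 5, 5.0)     # 02:35-02:39: idle
            + block(840, 30, 99.0))  # 14:00-14:29: daytime build job, ignored


def alerts_for_sample_day():
    return sustained_high_cpu(sample_day())


if __name__ == "__main__":
    for start, end in alerts_for_sample_day():
        print(f"ALERT: CPU >= {THRESHOLD:.0f}% from {start:%H:%M} to {end:%H:%M}")
```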

Install reputable anti-malware software

Antivirus software can detect and block many cryptojacking scripts and binaries before they execute. Whether you’re using your system’s built-in antivirus, like Microsoft Defender in Windows, or a third-party solution, make sure it’s monitoring continuously rather than only during scheduled scans.

Patch everything

Many cryptojacking campaigns rely on known vulnerabilities that were patched months before the attack. Servers, CMS plugins, container base images, browsers, routers: patch all of it. Cryptojackers continuously scan the public internet for unpatched targets, so an unpatched server is likely to be found eventually.

Turn on automatic software updates where you can, and put servers on a patching schedule you can stick to.

Lock down cloud accounts

This is where the worst financial damage happens. Enforce multi-factor authentication (MFA) on every admin account, rotate API keys, and never commit credentials to a public GitHub repo. Leaked keys get picked up by automated scanners within minutes.

Equally important: don't expose container management APIs like the Docker daemon or Kubernetes dashboard to the public internet without authentication. This single mistake is responsible for an enormous share of cloud cryptojacking incidents.

Turn on billing alerts

Most cloud providers let you set spending thresholds and budget caps that fire the moment your usage deviates from normal. For cloud cryptojacking, the bill is often the first symptom you'll actually see. A sudden spike in compute charges can flag an attacker before your monitoring tools do.

Block known mining pools at the firewall

A miner that can’t reach a pool can’t earn anything. Maintaining an outbound blocklist for common mining pool domains is a small effort with a big payoff. You won’t catch every pool individually, but pattern-based filters work well. Using updated threat intelligence feeds or DNS filtering is a good place to start.
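The pool-port list from the "How to check for cryptojacking" section and the pattern-based filtering suggested here, combined in one added example (not code from the article): it scores constructed outbound-connection log lines by a small blocklist, pool-like hostname tokens, and common mining ports, and rates a port-only hit as weak evidence. The log format, hostnames, keyword list and blocklist entry are all assumptions.

```python
"""Flag outbound connections that look like mining-pool traffic.

Added example, not code from the article. It applies a list of common pool
ports, pattern-based hostname filtering and a tiny blocklist to constructed
firewall log lines. The log format, hostnames, keyword list and blocklist
entry are all assumptions.
"""
import re

MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Tokens commonly found in pool hostnames. An assumed starting list, not a
# complete feed; pair it with a threat-intelligence blocklist in practice.
POOL_TOKENS = re.compile(r"(^|[.-])(pool|xmr|monero|mine|mining)([.-]|$)", re.I)
BLOCKLIST = {"pool.example-xmr.net"}  # constructed entry standing in for a feed

# Constructed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port> <action>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def assess(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    _ts, src, host, port, _action = m.groups()
    port = int(port)
    signals = []
    if host.lower() in BLOCKLIST:
        signals.append("blocklisted")
    if POOL_TOKENS.search(host):
        signals.append("pool-like-name")
    if port in MINING_PORTS:
        signals.append("mining-port")
    if not signals:
        return None
    # A port hit on its own is weak evidence (4444 and 5555 are used by plenty
    # of other services), so severity depends on how many signals agree.
    if "blocklisted" in signals or len(signals) >= 2:
        severity = "high"
    elif "pool-like-name" in signals:
        severity = "medium"
    else:
        severity = "low"
    return {"src": src, "host": host, "port": port,
            "severity": severity, "signals": signals}


def scan(lines):
    """Run assess() over every line and keep only the findings."""
    return [f for f in map(assess, lines) if f is not None]


SAMPLE_LOG = """\
2025-01-15T02:03:11Z 10.0.0.12 -> pool.example-xmr.net:3333 ALLOW
2025-01-15T02:03:15Z 10.0.0.12 -> updates.example.com:443 ALLOW
2025-01-15T02:04:02Z 10.0.0.40 -> xmr.pool-east.example.org:14444 ALLOW
2025-01-15T02:05:30Z 10.0.0.21 -> db-replica.internal:5555 ALLOW
2025-01-15T02:06:00Z 10.0.0.33 -> cdn.example.net:80 ALLOW
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['host']}:{f['port']} {f['signals']}")
```

The same hostname filter can be run over DNS query logs, which is where DNS filtering applies it before a connection is ever made.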

Train employees to spot phishing

In an organization, one careless click on an attachment is still one of the most reliable ways miners get inside a network. Phishing training isn’t a silver bullet, but it can reduce the risk.

IT teams should also know what cryptomining looks like so they can recognize it when a help desk ticket says, "My laptop’s been slow all week.”

Harden routers and network gear

Routers are an underrated target because they sit between you and every site you visit. They let cryptojackers move laterally across networks and access other devices.

In 2018, a campaign was uncovered that exploited a patched Winbox vulnerability (CVE-2018-14847) on over 200,000 MikroTik routers, injecting Coinhive’s mining script into web traffic passing through them. The damage went further than the router owners: several Brazilian internet service providers used MikroTik gear in their core networks, so subscribers were getting served mining scripts whether they owned the affected hardware or not.

Follow proper network security hygiene. Change default router credentials, enable WPA3 encryption, keep router firmware updated, and close any unnecessary open ports to reduce the attack surface.

How to prevent cryptojacking, including keeping systems and software updated, using reputable endpoint protection, being careful with downloads and attachments, securing cloud environments and networks, and blocking access to known mining pools.

What to do if you’ve been cryptojacked

Speed matters here because the longer the miner runs, the more it costs you. So, before you do anything else, disconnect the affected devices from the network to prevent further spread.

  1. Stop the mining first: If it’s browser-based, close the tab and quit the browser. If it’s host-based, open Task Manager or Activity Monitor, find the high-CPU process you don’t recognize, and end it. For cloud or container compromises, revoke the identity and access management (IAM) credentials, quarantine the affected workload, and rotate any keys that might have leaked.
  2. Hunt for persistence: Cryptojackers commonly add themselves to startup folders, scheduled tasks, cron jobs, systemd services, registry run keys, or Windows services. Killing the process doesn't help if it restarts on reboot. Run a full anti-malware scan and check your autostart entries.
  3. Remove suspicious extensions and software: Check your browser extensions. Remove anything you didn’t intentionally install. On servers, look for unfamiliar binaries in places like /tmp, /var/tmp, and /dev/shm, which are common hiding spots on Linux.
  4. Reset credentials and turn on MFA: Especially for cloud accounts, email, and anything else accessed from the affected device. Assume any password typed on a compromised machine is now compromised, too.
  5. Get help for serious incidents: If business systems, production cloud infrastructure, or a significant number of devices are affected, bring in incident response. A proper response includes containment, eradication, recovery, and a review of how the attacker got in. Because if you don’t fix the entry point, you’ll see them again.

FAQ: Common questions about cryptojacking

Is cryptojacking illegal?

Yes. Cryptojacking is generally illegal because it involves using someone else’s computer, server, cloud account, or other device without permission. Depending on the country and the details of the attack, it may fall under laws covering unauthorized computer access, computer misuse, fraud, theft of services, or related cybercrime offenses. The consequences can vary widely. A small, isolated incident may be treated differently from a large campaign that compromises business systems, causes financial losses, steals credentials, or spreads across a network. In general, the more damage, unauthorized access, or financial gain involved, the more serious the legal consequences are likely to be.

Why do attackers prefer cryptojacking over ransomware?

Cryptojacking is quieter and generally lower risk, as it doesn’t draw law enforcement attention the way a ransomware attack can. Attackers can generate ongoing revenue without directly interacting with victims or demanding payments. The payments per target are generally smaller, but they’re steady, and the operation can run unnoticed for months.

Can antivirus software detect cryptojacking?

Sometimes. Common miners like XMRig are well-known, and most antivirus products will flag them. But attackers know this, so they pack the binaries, rename them, run them from memory, or use vulnerable drivers to disable the antivirus before mining starts. Antivirus is necessary but not sufficient.

Can cryptojacking damage a device?

Yes. Cryptojacking causes accelerated wear rather than immediate hardware destruction. Sustained overheating can shorten the lifespan of components, batteries, and cooling systems.

Alpa Somaiya is an editor with 20+ years' experience making complex tech feel human. She enjoys untangling cybersecurity jargon, diving into VPN encryption details, and shaping reviews that are genuinely useful to readers. With a calm and collaborative approach, her focus is always on building trust and helping people navigate the digital world more safely and confidently.
