Imagine someone broke into your house — not to steal your TV or jewellery, but to quietly run up your electricity bill while you slept. You’d never even know they were there.
That’s cryptojacking in a nutshell. And it’s happening right now, to businesses, governments, hospitals — and possibly to you.
In this deep-dive guide, we’ll break down exactly what cryptojacking is, how it works, the real-world incidents that shook the tech world, and — most importantly — how you can protect yourself today.
What Is Cryptojacking? (And Why Should You Care?)
Cryptojacking is a type of cyberattack where a hacker secretly uses someone else’s computing resources — CPU, GPU, or server power — to mine cryptocurrency without their knowledge or consent.
Unlike ransomware, which loudly demands payment, or data breaches that make headlines, cryptojacking is designed to be silent. It’s the digital equivalent of a squatter living in your walls — quietly consuming your utilities while you pay the bills.
💡 Fun (Scary) Fact: Cryptojacking attacks increased by an estimated 659% between 2022 and 2024, according to SonicWall’s Cyber Threat Report. It is now one of the fastest-growing categories of cybercrime globally.
The mined cryptocurrency almost always goes directly into the attacker’s wallet. The victim is left with:
- Slower device performance
- Overheating hardware
- Skyrocketing electricity bills
- Reduced lifespan of their devices
- Potential data security vulnerabilities
How Does Cryptojacking Actually Work?
There are three primary delivery methods attackers use to deploy cryptojacking malware:
Method 1: File-Based Cryptojacking (Malware Installation)
The attacker tricks a victim into downloading a malicious file — through phishing emails, fake software downloads, or compromised apps. Once installed, a crypto mining script runs silently in the background, consuming system resources 24/7.
Method 2: Browser-Based Cryptojacking (In-Browser Mining)
This method requires no download at all. Malicious JavaScript code is injected into a website. When you visit that site, your browser starts mining crypto automatically. The moment you close the tab, it stops. CoinHive (now defunct) was the most notorious tool used for this.
Method 3: Cloud & Server Cryptojacking
Attackers increasingly target cloud infrastructure (AWS, Azure, Google Cloud) by stealing API keys or exploiting misconfigured containers. They spin up thousands of virtual machines — on the victim’s dime — to mine at massive scale.
Table 1: Cryptojacking Attack Methods Compared
| Attack Method | Delivery Vector | Persistence | Detection Difficulty | Primary Target |
| --- | --- | --- | --- | --- |
| Malware-Based | Phishing / Fake Downloads | High | Medium | Individuals & SMBs |
| Browser-Based | Malicious JS in Website | Low (session) | Hard | All Web Users |
| Cloud Hijacking | Stolen API Keys / Misconfig | Very High | Very Hard | Enterprises & DevOps |
| Supply Chain | Compromised npm/packages | High | Very Hard | Developers |
| Mobile Apps | Rogue Apps / SDK Injection | Medium | Medium | Mobile Users |
| IoT Devices | Default Credentials / Exploits | Permanent | Very Hard | Smart Devices |
Source: SonicWall Cyber Threat Report 2024 | IBM X-Force | Palo Alto Networks Unit 42
The Numbers Don’t Lie: Cryptojacking by the Stats
Let’s put the scale of the problem in perspective with some hard-hitting data points:
- $3B+: Lost to cryptojacking, 2023 (est.)
- 1 in 6: Organizations hit by cryptojacking annually
- ~700%: Rise in cryptojacking, 2022–2024
- 90%+: Cryptojacking uses Monero (XMR)
These numbers are likely conservative. Because cryptojacking is so stealthy, the majority of incidents go completely undetected and unreported.
Table 2: Cryptojacking Growth & Financial Impact (2019–2024)
| Year | Total Incidents (est.) | Financial Impact (USD) | Primary Target | Top Coin Mined |
| --- | --- | --- | --- | --- |
| 2019 | ~50,000 | $52 Million | Websites / Browsers | Monero (XMR) |
| 2020 | ~80,000 | $100 Million | Enterprise Servers | Monero (XMR) |
| 2021 | ~200,000 | $430 Million | Cloud Infrastructure | Monero / ETH |
| 2022 | ~1.2 Million | $1.2 Billion | Government & Healthcare | Monero (XMR) |
| 2023 | ~4.5 Million | $3+ Billion | Cloud / IoT / Mobile | Monero (XMR) |
| 2024 (est.) | ~8 Million+ | $5+ Billion | AI Servers / Edge Compute | Monero / Kas |
Source: SonicWall 2024 | Kaspersky Security Bulletin | Chainalysis | IBM X-Force Threat Intelligence
Real-World Cryptojacking Incidents That Shocked the World
This isn’t theoretical. Some of the biggest organizations on earth have fallen victim to cryptojacking attacks. Here’s a look at the most notable real-world cases:
Table 3: Notable Real-World Cryptojacking Incidents
| Incident / Victim | Year | Attack Method | Scale / Impact | Outcome |
| --- | --- | --- | --- | --- |
| Tesla (AWS Cloud Hack) | 2018 | Stolen API Keys | Mined XMR via Tesla’s Kubernetes | Discovered by RedLock; fixed within hours |
| Los Angeles Times | 2018 | Browser JS Injection | Visitors’ browsers mined XMR | Script removed; attacker not found |
| UK Gov / NHS Websites | 2018 | Browsealoud Plugin | 4,000+ sites affected simultaneously | Plugin suspended; Texthelp audited |
| European Water Utility | 2018 | SCADA System Exploit | OT network compromised for mining | Disclosed by Radiflow; systems patched |
| Jenkins CI Servers (Mass) | 2020 | CVE exploit | 10,000+ servers hijacked | Vulnerability patched; losses unquantified |
| Huobi & Alibaba Cloud | 2021 | Misconfigured Containers | XMR mined at cloud scale | Alibaba disclosed; enhanced monitoring added |
| Docker Hub Supply Chain | 2021 | Malicious Docker Images | 1M+ pulls of infected images | Images removed; Docker hardened policy |
| Kinsing Malware Campaign | 2022 | Docker API Exploit | 1,000s of cloud servers hijacked | Ongoing; multiple patches released |
| GitHub Actions Abuse | 2023 | CI/CD Pipeline Hijack | Free compute used for mining XMR | GitHub rate-limited; abuse policies updated |
| AWS Lambda Cryptojacking | 2023 | Serverless exploit | First known serverless cryptojack | Reported by Cado Security; patched |
Source: Wired, BBC, Radiflow, RedLock, Cado Security, Palo Alto Unit 42
🚨 Notable Pattern: Over 60% of major cryptojacking incidents in 2022–2024 targeted cloud infrastructure — not individual PCs. As companies move to the cloud, attackers follow the computing power.
Why Do Cryptojackers Love Monero (XMR)?
You might be wondering — if Bitcoin is the most famous crypto, why aren’t cryptojackers mining Bitcoin? Great question.
- Privacy by default: Monero uses ring signatures and stealth addresses, making transactions virtually untraceable
- CPU-friendly algorithm: Monero uses RandomX, an algorithm optimized for regular CPUs — perfect for hijacking ordinary computers and servers
- No ASIC advantage: Bitcoin mining is dominated by expensive specialized machines (ASICs). Monero levels the playing field for CPU miners
- Untraceable wallet addresses: The attacker’s wallet cannot be linked to their identity on the Monero blockchain
- Lower detection: Monero transactions don’t appear on public blockchain explorers like Etherscan
This makes Monero the perfect ‘getaway car’ for cryptojackers. Over 90% of all cryptojacking attacks mine XMR rather than Bitcoin or Ethereum.
Warning Signs: Is Your Device Being Cryptojacked Right Now?
Because cryptojacking is designed to be invisible, you have to know what to look for. Watch out for these red flags:
Table 4: Cryptojacking Warning Signs — Device & Network Indicators
| Symptom | Device Level | Network Level | Severity | Action Required |
| --- | --- | --- | --- | --- |
| CPU/GPU usage spikes to 90%+ | Yes | No | 🔴 High | Check Task Manager / top |
| Device overheating constantly | Yes | No | 🔴 High | Run antimalware scan now |
| Fan running at max speed | Yes | No | 🟡 Medium | Monitor background processes |
| Battery drains 3x faster | Yes (mobile) | No | 🔴 High | Check battery usage by app |
| Slow browser performance | Yes | No | 🟡 Medium | Check browser extensions |
| Unusual outbound traffic | No | Yes | 🔴 High | Check firewall / DNS logs |
| Connections to mining pools | No | Yes | 🔴 Critical | Block and investigate immediately |
| High electricity bills | No | Yes (indirect) | 🟡 Medium | Audit all connected devices |
| System crashes / BSOD | Yes | No | 🔴 High | Full system malware scan |
| Cloud compute costs spike | No (cloud) | Yes (billing) | 🔴 Critical | Audit cloud resource usage |
Note: Presence of multiple symptoms strongly indicates an active cryptojacking infection.
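The "Connections to mining pools" and "Unusual outbound traffic" rows above point at DNS and firewall logs. The Python below is an added example, not part of the original article: it scans dnsmasq-style query lines for lookups of blocklisted pool domains and groups them by client. The `.example` domains, the blocklist contents and the log lines are constructed placeholders; a real deployment would load a maintained mining-pool domain feed.

```python
import re
from collections import Counter

# Placeholder blocklist (assumption): ".example" names are constructed,
# not real pools. Load a maintained feed in practice.
POOL_DOMAINS = {"pool.minexample.example", "xmr-pool.example"}

# dnsmasq-style query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\]\s+(\S+)\s+from\s+(\S+)")

def matches_blocklist(name, blocklist=POOL_DOMAINS):
    """True if name is a blocked domain or a subdomain of one.

    Matching works on whole DNS labels, so 'notxmr-pool.example'
    does not match 'xmr-pool.example'.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def pool_lookups(log_lines, blocklist=POOL_DOMAINS):
    """Return {client_ip: Counter({domain: hits})} for blocked lookups."""
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group(1), blocklist):
            name = m.group(1).lower().rstrip(".")
            hits.setdefault(m.group(2), Counter())[name] += 1
    return hits

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Mar  3 02:14:07 dnsmasq[811]: query[A] www.example.org from 10.0.0.21
Mar  3 02:14:09 dnsmasq[811]: query[A] eu.XMR-Pool.example. from 10.0.0.37
Mar  3 02:14:39 dnsmasq[811]: query[AAAA] eu.xmr-pool.example from 10.0.0.37
Mar  3 02:15:02 dnsmasq[811]: query[A] notxmr-pool.example from 10.0.0.21
Mar  3 02:15:40 dnsmasq[811]: query[A] pool.minexample.example from 10.0.0.52
""".splitlines()

if __name__ == "__main__":
    for client, domains in pool_lookups(SAMPLE_LOG).items():
        print(client, dict(domains))
```

Repeated lookups from one client at regular intervals, as with 10.0.0.37 in the sample, are worth correlating with that host's CPU usage before concluding it is infected.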
How to Prevent Cryptojacking: Your Complete Defense Playbook
The good news: cryptojacking is highly preventable with the right layers of defense. Here’s your complete prevention guide:
For Individual Users & Home Networks
- Install a reputable antivirus: Tools like Malwarebytes, Bitdefender, and Norton actively detect and block crypto mining scripts
- Use an ad blocker with anti-mining filters: uBlock Origin with the ‘CoinBlocker’ filter list blocks in-browser mining scripts automatically
- Install a dedicated anti-cryptomining extension: Extensions like minerBlock or NoCoin block JavaScript mining in your browser
- Keep browsers and OS updated: Most browser-based cryptojacking exploits target unpatched vulnerabilities
- Disable JavaScript selectively: Use browser extensions like NoScript to control which sites can run JavaScript
- Monitor your Task Manager: Spikes in CPU usage when visiting specific websites are a clear red flag
- Avoid pirated software: Illegal downloads are one of the most common malware delivery vectors
For Businesses & IT Teams
- Deploy Endpoint Detection & Response (EDR): Tools like CrowdStrike Falcon and SentinelOne detect anomalous CPU usage patterns associated with mining
- Use network-level blocking: Configure DNS filtering (e.g., Cisco Umbrella) to block known mining pool domains
- Implement cloud security posture management (CSPM): Tools like Prisma Cloud detect misconfigured cloud resources before attackers exploit them
- Enforce the principle of least privilege: Limit API key permissions — stolen keys with minimal permissions cause less damage
- Monitor cloud billing anomalies: Set up billing alerts in AWS/Azure/GCP to catch unexpected compute spikes
- Conduct regular penetration testing: Simulate cryptojacking attacks to find vulnerabilities before criminals do
- Train employees on phishing awareness: The human firewall is your first line of defense
- Audit third-party scripts and plugins: Only include trusted, version-pinned third-party JavaScript in your web properties
💡 Pro Tip: Enable Subresource Integrity (SRI) on all external scripts in your website’s HTML. This cryptographically verifies that third-party scripts haven’t been tampered with — a key defense against supply-chain-style cryptojacking like the 2018 Browsealoud attack.
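To make the SRI tip and the third-party script audit concrete, here is an added Python example (not from the original article) that computes `integrity` values and audits a page's external scripts, flagging any with no integrity attribute or whose served content no longer matches the pinned hash. The hosts, paths and script bodies are constructed, and `fetched` stands in for content you would download from each URL.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # algorithms SRI defines

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the value for a script tag's integrity attribute."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser-style check: only the strongest listed algorithm counts."""
    pairs = [t.split("?")[0].split("-", 1) for t in integrity.split()]
    pairs = [p for p in pairs if len(p) == 2 and p[0] in STRENGTH]
    if not pairs:
        return False  # audit choice: browsers ignore an unusable value, we fail it
    best = max(pairs, key=lambda p: STRENGTH[p[0]])[0]
    return any(sri_value(body, a) == f"{a}-{h}" for a, h in pairs if a == best)

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (src, integrity or None)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))

def audit_scripts(html: str, site_host: str, fetched: dict) -> dict:
    """Classify each third-party script: ok / mismatch / missing-integrity."""
    parser = ScriptCollector()
    parser.feed(html)
    report = {}
    for src, integrity in parser.found:
        host = urlparse(src).netloc
        if not host or host == site_host:
            continue  # first-party script, not covered by this audit
        if integrity is None:
            report[src] = "missing-integrity"
        else:
            report[src] = "ok" if sri_matches(fetched[src], integrity) else "mismatch"
    return report

# Constructed sample: hosts, paths and script bodies are made up.
PINNED = b"function readAloud(){ /* vendor code as reviewed */ }"
CDN = "https://cdn.vendor.example/"
PAGE = f"""<script src="/js/app.js"></script>
<script src="{CDN}a11y.js" integrity="{sri_value(PINNED)}" crossorigin="anonymous"></script>
<script src="{CDN}stats.js" integrity="{sri_value(PINNED)}" crossorigin="anonymous"></script>
<script src="https://widgets.example/chat.js"></script>"""
FETCHED = {CDN + "a11y.js": PINNED,  # unchanged since it was pinned
           CDN + "stats.js": PINNED + b"\n/* code added after review */"}
```

A `mismatch` means a browser enforcing SRI would refuse to run that script, which is the failure you want when a vendor file changes without review.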
For Cloud & DevOps Teams
- Never hardcode API keys: Use secret managers (AWS Secrets Manager, HashiCorp Vault) instead
- Enable GuardDuty or equivalent: AWS GuardDuty specifically detects cryptocurrency mining activity in your cloud environment
- Use container image scanning: Scan Docker images with Trivy or Snyk before deployment
- Monitor Kubernetes resource limits: Set CPU and memory limits on all pods to prevent runaway processes
- Audit CI/CD pipeline access: Restrict who can trigger builds and what compute resources pipelines can access
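For the Kubernetes resource-limit item above, the following added Python example (not from the original article) audits pod definitions for containers that have no CPU or memory limit, or a CPU limit above a ceiling. The input is a constructed sample in the shape of `kubectl get pods -A -o json`; the 2000-millicore ceiling and all pod names are assumptions.

```python
import json

def cpu_millicores(q: str) -> int:
    """Convert a Kubernetes CPU quantity ('500m', '2', '0.5') to millicores."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def audit_limits(pod_list: dict, max_cpu_m: int = 2000) -> list:
    """Return (namespace, pod, container, finding) for weak or missing limits."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Init containers can burn CPU too, so they are checked as well.
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            limits = c.get("resources", {}).get("limits", {})
            where = (meta.get("namespace", "default"), meta["name"], c["name"])
            for res in ("cpu", "memory"):
                if res not in limits:
                    findings.append(where + (f"no {res} limit",))
            if "cpu" in limits and cpu_millicores(limits["cpu"]) > max_cpu_m:
                findings.append(where + (f"cpu limit {limits['cpu']} above ceiling",))
    return findings

# Constructed sample (namespaces, pod and container names are made up).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "shop-7d9f"},
   "spec": {"containers": [
     {"name": "app", "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}},
  {"metadata": {"namespace": "ci", "name": "runner-x2"},
   "spec": {"initContainers": [{"name": "fetch", "resources": {}}],
            "containers": [
     {"name": "build", "resources": {"limits": {"cpu": "16", "memory": "8Gi"}}}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_limits(SAMPLE):
        print(*finding, sep="  ")
```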
Table 5: Anti-Cryptojacking Tools & Solutions (2024)
| Tool / Solution | Type | Best For | Cost | Effectiveness |
| --- | --- | --- | --- | --- |
| Malwarebytes Premium | Antivirus / Anti-malware | Individuals & SMBs | ~$40/yr | ★★★★☆ |
| uBlock Origin + CoinBlocker | Browser Extension | All Web Users | Free | ★★★★☆ |
| minerBlock / NoCoin | Browser Extension | Individual Users | Free | ★★★☆☆ |
| CrowdStrike Falcon | EDR Platform | Enterprises | Custom | ★★★★★ |
| Cisco Umbrella | DNS-Level Blocking | Businesses | Custom | ★★★★☆ |
| AWS GuardDuty | Cloud Threat Detection | AWS Users | $0.002/GB | ★★★★★ |
| Prisma Cloud (Palo Alto) | CSPM | Multi-Cloud Teams | Custom | ★★★★★ |
| Trivy (Aqua Security) | Container Image Scanner | DevOps / Docker | Free/OSS | ★★★★☆ |
| Cloudflare Browser Isolation | Zero Trust Browsing | Enterprise Teams | Custom | ★★★★★ |
| SentinelOne | AI-Powered EDR | Enterprises | Custom | ★★★★★ |
Source: G2, Gartner Peer Insights, and vendor documentation (2024)
The Legal Landscape: Is Cryptojacking a Crime?
Absolutely, yes — in most jurisdictions, cryptojacking is illegal under computer fraud and abuse laws. Here’s the global picture:
- United States: Violates the Computer Fraud and Abuse Act (CFAA). Penalties include up to 10 years in prison for first-time offenders
- European Union: Violates the Directive on Attacks Against Information Systems. Member states can impose criminal sentences of 2–5 years
- United Kingdom: Prosecuted under the Computer Misuse Act 1990. Up to 10 years imprisonment for severe cases
- Japan: A landmark 2019 Supreme Court ruling convicted a developer for embedding a mining script on his website without disclosure
- South Korea: Classified as illegal under the Act on Promotion of Information and Communications Network Utilization
Despite clear laws, prosecution rates remain low. Cryptojackers often operate across borders, use VPNs and Tor, and receive payments in untraceable Monero — making attribution difficult.
10 Fast Facts About Cryptojacking You Need to Know
- Cryptojacking scripts can be as small as a single line of JavaScript code
- CoinHive, the most infamous cryptojacking tool, was used on over 50,000 websites at its peak before shutting down in 2019
- The WannaMine worm used EternalBlue (the same NSA exploit used in WannaCry ransomware) to spread crypto mining malware
- Cryptojacking can reduce a smartphone’s battery lifespan permanently due to constant overheating
- Some unethical websites briefly experimented with opt-in browser mining as an alternative to ads — The Pirate Bay being the most famous example
- A 2023 Microsoft report found that cryptojacking is now more financially damaging to enterprises than ransomware in aggregate
- North Korea’s Lazarus Group has been linked to large-scale cryptojacking campaigns targeting financial institutions
- One cryptojacking campaign in 2022 abused GitHub Actions’ free compute tier to mine over $1 million in crypto
- Cryptojacking malware can lay dormant on a system for months before activation to avoid detection
- The shift to remote work in 2020–2021 significantly expanded the attack surface for enterprise cryptojacking
Frequently Asked Questions About Cryptojacking
Q: What is cryptojacking in simple terms?
A: Cryptojacking is when hackers secretly use your computer, phone, or server to mine cryptocurrency without your permission. They profit from the mined coins while you bear the costs in electricity, hardware wear, and slower performance.
Q: How do I know if I’m being cryptojacked?
A: Watch for unusual CPU spikes (especially when browsing), device overheating, drastically slower performance, loud fan noise, and faster-than-normal battery drain. On the network side, look for unexpected outbound connections to known mining pool domains.
Q: Can cryptojacking happen on a smartphone?
A: Yes. Mobile cryptojacking is growing rapidly, particularly through malicious apps on third-party app stores. It causes abnormal battery drain, overheating, and can permanently damage your phone’s battery cells and processor over time.
Q: Is cryptojacking the same as a virus?
A: Not exactly. Cryptojacking can be delivered via malware (like a virus) but browser-based cryptojacking requires no file download — it runs purely in your browser tab via JavaScript. However, file-based cryptojacking is technically a form of malware.
Q: Can cryptojacking steal my data or passwords?
A: Standard cryptojacking scripts focus on mining rather than data theft. However, advanced attackers often deploy cryptojacking alongside other malware. A device compromised for mining may also have a keylogger or RAT (Remote Access Trojan) installed.
Q: What coin do cryptojackers mine?
A: Monero (XMR) is the overwhelming favorite — used in over 90% of cryptojacking attacks. Its CPU-friendly mining algorithm and privacy features make it ideal. Some attackers also mine Ethereum Classic, Litecoin, and newer coins like Kaspa (KAS).
Q: Does closing the browser stop cryptojacking?
A: For browser-based cryptojacking, closing the tab or browser stops the mining immediately. However, some scripts use browser notifications or background service workers to continue mining even after the tab is closed — so keeping your browser updated is critical.
Q: How can businesses defend against cryptojacking?
A: Businesses should deploy EDR solutions, enforce cloud resource limits, monitor billing anomalies, use network-level DNS filtering to block mining pools, conduct security awareness training, and regularly audit all third-party scripts and container images.
Q: Is cryptojacking declining or growing?
A: Growing — significantly. SonicWall reported a 659% increase in cryptojacking from 2022 to 2024. The shift to cloud computing, the rise of AI compute infrastructure, and the proliferation of IoT devices have dramatically expanded the attack surface.
Q: Who are the biggest cryptojackers in the world?
A: Most cryptojackers remain anonymous. However, law enforcement has identified several major players: the operators of Smominru (a botnet that infected 500,000+ machines), FIN6 (a financially motivated threat group), and North Korea’s Lazarus Group, which has used cryptojacking to fund government operations.
Don’t Let Hackers Steal Your Computing Power
Cryptojacking is invisible, growing, and already targeting devices like yours right now.
The difference between a victim and a survivor is preparation. You now have everything you need to protect yourself.
- Install an anti-cryptomining browser extension today — it’s free and takes 60 seconds.
Your computing power is valuable. Don’t give it away for free.