Cryptojacking (sometimes written as crypto jacking) is the covert commandeering of a computer or mobile device to mine cryptocurrency, typically by planting cryptomining code that siphons processing power and electricity without consent. The term is a portmanteau of “cryptocurrency” and “hijacking,” and it refers to a form of cyberattack.
What Is This Cyber Threat?
Often called malicious cryptomining, this attack embeds a script on your system that quietly runs in the background and uses your computing resources to mine coins or tokens. The intruder gains digital assets while your devices overwork, your network slows, and your electricity bills rise.
Attackers harness CPU and GPU cycles to solve mathematical puzzles that secure a blockchain. Successful solutions and transaction validation earn cryptocurrency, which can be exchanged for other cryptocurrencies or traditional fiat currency.
The tactic has grown as digital currencies and DeFi have expanded. With lending, borrowing, and liquidity pools readily accessible, stolen coins can be deposited to earn yield even if the criminal never spends them, making this threat increasingly attractive to cryptojackers.
Cryptocurrency Explained
Cryptocurrency is purely digital money created and secured by cryptography. New units are issued and transactions verified by solving hashes—complex mathematical problems performed by networked machines.
There are hundreds of assets, each with its own coin or token designed to address specific use cases. A practical way to understand them is by examining the platforms and consensus mechanisms that power them.
Bitcoin runs on the Bitcoin blockchain, a public, open-source ledger built from sequential blocks of solved hashes. Anyone can inspect or fork the code, and while all transactions are transparent, the parties remain pseudonymous.
Because confirming a Bitcoin hash takes longer and requires more power, alternatives emerged. Ethereum introduced a network where confirmations and transactions typically occur faster, and developers can build decentralized apps—dapps—on top.
Cryptocurrency and Dapps
Dapps enable peer-to-peer, trust-minimized exchanges that remove traditional intermediaries. Instead of relying on a bank to hold funds and settle payments, participants interact directly over the network.
Smart contracts—small programs on the blockchain—automate terms like verifying balances, enforcing conditions, and releasing funds only when criteria are met. They can also do things banks cannot, such as executing logic across many participants at once.
Many Ethereum-based protocols issue governance tokens that let holders vote on upgrades or parameters. Even when designed mainly for governance, these tokens trade on markets, giving them value.
This value fuels the cryptojacking problem. Some assets are lightweight enough that even compromised mobile devices, desktops, or servers can mine or validate transactions profitably for an attacker. Since the victim pays for computing resources and electricity, slow machines still generate income for criminals at zero cost to them.
What Is Cryptocurrency Mining?
Mining is the process of creating new blocks and validating transactions on a blockchain. In practice, a miner searches for a valid solution to a cryptographic puzzle—akin to guessing a long, random password—until one fits the rules.
Once a node finds a valid solution, others on the network verify it. If the result passes verification, it becomes part of the ledger, and the solver receives a reward. Participants who confirm the solution may also earn fees for their work.
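The search-then-verify asymmetry described above, as an added example that is not from the original page: a simplified hash puzzle (single SHA-256 with a leading-zero-bits rule, not any real coin's algorithm) in which finding a solution takes thousands of guesses while checking one takes a single hash. The block contents and difficulty values are constructed for illustration.

```python
import hashlib
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify(block: bytes, nonce: int, difficulty_bits: int) -> bool:
    """One hash: the check every other node runs on a claimed solution."""
    digest = hashlib.sha256(block + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits


def search(block: bytes, difficulty_bits: int):
    """Brute-force guessing, the CPU-bound part. Returns (nonce, attempts)."""
    nonce = 0
    while not verify(block, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


if __name__ == "__main__":
    block = b"constructed sample block"  # stand-in for real block data
    for bits in (8, 12, 16):             # each extra bit doubles expected work
        start = time.perf_counter()
        nonce, attempts = search(block, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits} bits: nonce={nonce} after {attempts} hashes "
              f"({elapsed:.3f}s); verification needs 1 hash")
```

The guessing loop never finishes in any useful sense because a miner starts on the next block immediately, which is why mining shows up as sustained rather than bursty CPU load.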
Anyone can mine with a computer, but requirements vary. Bitcoin generally demands specialized, high-powered hardware to compete. Other currencies are less resource-intensive, allowing ordinary laptops, mobile devices, or cloud servers to participate. When attackers plant a cryptojacking script, they conscript your processing power to mine cryptocurrencies for themselves.
Cryptojacking Mechanics: Common Methods and a Typical Flow
- Malware-based cryptojacking: Malicious code is installed on a device so mining can run without the victim deliberately starting it.
- Drive-by cryptomining: Mining is triggered through web content delivered to a device, rather than through a traditional installer.
- Phishing emails with mining payloads: Messages trick users into opening a malicious attachment or running a file that starts mining activity.
- Malicious browser extensions: Add-ons claim to be useful tools but introduce unwanted behavior that abuses local computing resources.
- Compromised software downloads: Trojanized installers and bundled programs include hidden miners alongside the software a user intended to install.
- Cloud service exploitation: Attackers abuse stolen credentials or weak configurations to run miners on cloud infrastructure at scale.
Here is a typical flow:
| Step | Description |
|---|---|
| 1 | You open a convincing phishing email and click a malicious link. |
| 2 | A hidden miner or JavaScript code is delivered, installing a background script that persists. |
| 3 | The script hijacks CPU and GPU resources, driving up CPU usage while mining cryptocurrency. |
| 4 | The attacker routes the rewards to a digital wallet they control and monitors output remotely. |
Drive-by cryptomining began as a disclosed “CPU donation” concept but evolved into abuse that runs without consent. Some variants behave like worms, moving laterally across a network to infect additional machines and amplify output.
Detecting and Preventing Cryptojacking
Because the activity is designed to stay hidden, detection can be tricky. In system monitors, look for unexplained, sustained spikes in CPU or GPU usage, unfamiliar processes consuming significant resources, and increased outbound connections to unknown or suspicious domains. Security tools may also flag cryptomining scripts or suspicious background activity, especially when it correlates with performance drops.
Cryptojacking is often discovered indirectly: small performance changes and persistent resource use are frequently the earliest practical warning signs.
Watch for these signs:
- Fans spin loudly or constantly as components overheat under unexpected load.
- The device feels unusually hot, and surfaces warm quickly.
- Batteries drain far faster than normal during light use.
- Systems lag, crash, or exhibit sustained performance drops without clear cause.
To confirm whether cryptojacking is actually present, start by opening a system monitor (such as Task Manager, Activity Monitor, or a Linux process viewer) and sorting by CPU and GPU usage to identify which processes are consuming the most resources over time. If a suspicious process appears, check its file location and publisher information, then compare what you see against software you knowingly installed. Next, review running browser tabs and any browser task manager view (where available), and audit browser extensions for anything you do not recognize or no longer need. You can also inspect active network connections with built-in tools to see whether the device is repeatedly contacting unfamiliar domains during the spikes. Finally, run a reputable security scan to detect miners, unwanted programs, or persistence mechanisms, and review recently installed programs and startup items for anything unexpected.
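One way to automate the confirmation steps above (added example, not part of the original article): it flags processes whose CPU stays high across consecutive samples and that also have an unrecognized executable path or repeated connections to unfamiliar hosts. All process names, paths, hosts, thresholds and sample data are constructed assumptions; on a real system the samples would come from your process and network monitoring tools.

```python
from collections import Counter, defaultdict

# Constructed process samples, one per minute: (minute, name, exe_path, cpu_percent)
SAMPLES = (
    [(m, "ffmpeg", "/usr/bin/ffmpeg", 95.0) for m in range(6)]
    + [(m, "firefox", "/usr/lib/firefox/firefox", 85.0 if m == 2 else 6.0)
       for m in range(6)]
    + [(m, "sysupd", "/tmp/.cache/sysupd", 88.0) for m in range(1, 6)]
)
# Constructed outbound connections: (minute, process name, remote host)
CONNECTIONS = (
    [(m, "sysupd", "pool.unfamiliar.example") for m in range(1, 6)]
    + [(0, "firefox", "updates.vendor.example")]
)
KNOWN_PATHS = {"/usr/bin/ffmpeg", "/usr/lib/firefox/firefox"}  # software you installed
KNOWN_HOSTS = {"updates.vendor.example"}                       # expected destinations


def longest_hot_run(cpu_by_minute, minutes, threshold):
    """Longest run of consecutive samples at or above the CPU threshold."""
    run = best = 0
    for m in minutes:
        run = run + 1 if cpu_by_minute.get(m, 0.0) >= threshold else 0
        best = max(best, run)
    return best


def triage(samples, connections, known_paths, known_hosts, threshold=70.0, min_run=4):
    """Return [(name, path, reasons)] for sustained-load processes needing review."""
    series = defaultdict(dict)
    for minute, name, path, cpu in samples:
        series[(name, path)][minute] = cpu
    minutes = range(max(s[0] for s in samples) + 1)
    contacts = Counter((name, host) for _, name, host in connections)
    findings = []
    for (name, path), cpu in series.items():
        if longest_hot_run(cpu, minutes, threshold) < min_run:
            continue  # short spikes (page loads, updates) are not the pattern
        reasons = []
        if path not in known_paths:
            reasons.append("unrecognized executable path")
        odd = sorted(h for (n, h), c in contacts.items()
                     if n == name and h not in known_hosts and c >= 2)
        if odd:
            reasons.append("repeated contact with " + ", ".join(odd))
        if reasons:
            findings.append((name, path, reasons))
    return findings
```

On the constructed data only `sysupd` is reported: the known video encoder runs hot but has no other indicator, and the browser's one-minute spike is not sustained.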
To reduce risk while browsing, use a strict site whitelist and consider blocking known cryptomining domains. Blacklists help but can miss new or rapidly changing campaigns.
Disabling JavaScript in the browser thwarts many cryptomining scripts but can break site features. Mining blockers and privacy extensions can also stop web-based miners by filtering suspicious scripts.
A comprehensive cybersecurity suite offers broader protection, spotting malicious processes, cryptojacking software, and other types of malware—even when attackers try to evade detection with obfuscation.
Cryptojacking News: Real-World Examples
In February 2018, investigators found unauthorized mining code on the Los Angeles Times’ Homicide Report page. The embedded Coinhive miner quietly harvested Monero from visitors’ machines, tuned to a lower intensity to minimize obvious slowdowns.
Also in early 2018, a European water utility suffered a cryptomining intrusion identified by Radiflow. The miners consumed computing resources and degraded critical systems while producing Monero for the operators.
In 2017, PolitiFact was impacted when Coinhive code executed multiple concurrent mining threads, dramatically increasing resource usage on visitor devices.
Cryptojacking FAQs
What is cryptojacking and how does it work?
It is when a miner covertly takes control of a device and uses its computing power to mine cryptocurrency. Typically, a script installs silently and runs in the background to generate coins for the attacker.
What is a cryptojacking blocker?
It is a browser add-on that prevents web pages from running cryptomining scripts on your machine during a session.
What is a cryptojacking miner?
This is software—often malicious—that hijacks processing resources on someone else’s computer to mine cryptocurrencies.
How long does it take to mine 1 Bitcoin?
Roughly 10 minutes per block under normal network conditions. The Bitcoin protocol targets one block about every 10 minutes regardless of how many miners compete at a given time.




