What is cryptojacking?

Background: What is cryptocurrency?

Understanding cryptojacking requires a grounding in cryptocurrency basics. Cryptocurrencies are tradeable digital assets based on blockchain technology.

The blockchain is a global ledger that contains a record of every existing crypto asset. Currency holders cannot alter the blockchain, aside from recording transactions or adding new tokens. Outsiders can see every transaction on the chain, but the identities of participants remain private.

Crypto assets cannot be mined from thin air. They are generated by decoding complex hash blocks. If miners "solve" a hash block, it is added to the global blockchain. The miner has effectively earned a crypto token and can spend it on real-world goods or store it in a crypto wallet.

Cryptocurrency mining is an inefficient process. Solving a single hash block requires around 155,000 kWh of electricity (for comparison, the average American home consumes less than 1,000 kWh per month).

Few people have access to computing resources on that scale. In response, criminals have evolved ways to control devices owned by others. Hijacking enables them to mine coins without incurring computing costs.

How does cryptojacking work?

Cryptojacking is an illegal solution to an urgent, real-life problem. Mining cryptocurrency is expensive and time-consuming. Miners need to build powerful rigs using advanced GPUs and install cooling systems to ensure reliable operations. Cryptojacking avoids these costs, making cryptomining far more affordable.

Cryptojackers exploit hundreds or thousands of CPUs to aggregate computing resources. They achieve this by taking control of targeted devices via several malicious techniques:

• Malware or drive-by cryptojacking. Hackers deploy malicious cryptojacking code on the victim's device. This cryptomining code embeds itself deep within the system and operates in the background, diverting CPU cycles to mining operations. Attackers typically use phishing emails or malicious links to deploy mining scripts, often without the victim's knowledge.
• In-browser cryptojacking. Attacks launch inside web browsers via malicious PHP or JavaScript code. Attackers can also deploy malicious code via infected browser extensions or through infected Java library downloads. Browser cryptojacking is hard to detect as it does not require a separate malware installation.
• Web application attacks. Cryptojackers can gain access to network devices via unsecured ports and web application portals. Attackers can use web apps like WordPress to inject mining scripts into a target website. They can also use cross-site scripting (XSS) to compromise unsafe online forms.
• Worm-based cryptojacking. Attackers use self-propagating worms to spread cryptojacking code and automatically extend their operations. For example, the Graboid worm spreads via data containers, often evading endpoint detection systems. Worms can spread quickly within networks, creating a local cluster of mining hubs. This rapidly degrades network performance.
• Cloud jacking. Attackers hijack virtual machines via compromised cloud accounts and stolen API keys. The target's cloud environment becomes a host for cryptomining operations, resulting in a large service bill for legitimate users.
• Fileless cryptojacking. These cryptojacking attacks use fileless techniques to establish residence and evade detection. Cryptojacking scripts load into memory or the boot sector of the targeted device. Separate cryptojacking malware is not needed. This technique is hard to detect and leaves very little evidence for security analysts to parse.
• Insider threats. Not all cryptojacking attacks involve remote malware or fileless deployment. Insiders can also launch cryptomining code via unauthorized hardware or leak credentials to malicious outsiders.

The techniques above differ in how they infect networks and devices. However, cryptojacking attacks tend to follow a regular playbook.

• Attacks start with a compromise. Victims click on links to fake websites and download malware. Or they may download a seemingly innocent email attachment.
• When victims download the attachment or visit the fake site, cryptomining software loads onto their device (or browser). The agent executes immediately, launching cryptomining scripts that connect the device to the attacker's botnet.
• The cryptomining code hijacks the victim's device. From its position in the background, the cryptojacking app looks for computing resources and harnesses them for its own purposes.
• Meanwhile, cryptojackers monitor the process via command and control centers that track every connected device. They divert solved hashes into their crypto wallet and manage networks to minimize the risk of discovery.

How to detect cryptojacking

Cryptojacking is a significant cybersecurity and operational threat. A single infected device can become inoperable, compromising individual productivity. An infected network could eventually collapse, putting critical systems out of action.

Companies need to avoid this situation by detecting cryptojacking early. Fortunately, there are several ways to spot cryptojacking and launch mitigation actions:

• Unexplained device slowdown. Laptops and workstations start to run far slower than usual, despite running the same applications.
• System reliability issues. Devices may start to crash regularly due to memory or heating issues.
• Poor battery performance. As devices work harder to serve cryptojacking attacks, they often deplete battery resources faster than normal.
• Suspicious device heating. When devices work at the limit of their specifications, they tend to heat up rapidly. Unexplained heat spikes or fan performance could indicate cryptomining is at work.

Individually, these symptoms may not indicate ongoing cryptojacking attacks. Devices develop faults, and software configuration problems can lead to performance issues. However, if you detect a combination of the above symptoms, cryptojacking could well be to blame.

Examples of cryptojacking

Cryptominers have existed since Bitcoin appeared in 2009. However, cryptojacking is more recent. The first cryptojacking attacks emerged in 2017. Since then, attackers have become more agile and harder to detect, posing a constant threat to modern business networks.

CoinHive (2017)

Older cryptomining scripts relied on malvertising to control computing resources. Starting as a legitimate add-on supplied with downloaded apps, CoinHive took a different approach by integrating cryptomining scripts. These integrated scripts used a tiny part of the user's CPU for mining coins. However, criminals soon learned how to use CoinHive for less legitimate purposes.

Attackers weaponized CoinHive by integrating it into websites without users' knowledge. By embedding malicious code, attackers could hijack the site and disseminate mining malware with ease. Criminals soon learned how to embed mining tools into extensions, web apps, and ads.

Lemon Duck (2019)

Lemon Duck applies cryptojacking techniques to mine Monero tokens. Monero is a popular cryptocurrency mining option as operations require significantly less time and computing power. Tools like Lemon Duck also enable rapid spread and minimal detection risk.

Criminals can also automatically connect a few hundred bots via Lemon Duck, which spreads like a worm throughout networks following initial infections. The fileless variant also uses PowerShell commands and the CVE-2017-0144 vulnerability, making detection complex.

Infected Chrome and Edge store extensions (2019)

In 2019, security researchers highlighted a new technique: embedding cryptojacking code in popular browser extensions on the Chrome Store. In one instance, analysts found an infected version of the 2048 mathematics game. Another example infected an innocent-looking MP3 downloader. Both used sophisticated scripts to pose as Google Analytics while covertly loading cryptomining tools.

Tesla: cryptojacking enters the cloud (2018)

In 2018, Tesla reported a cryptojacking attack involving a compromised Kubernetes cluster in its Amazon Web Services deployment. Simple Kubernetes configuration errors allow attackers to breach Tesla's cloud environment before deploying XMrig monero cryptojacking scripts.

How to prevent cryptojacking

Cryptojacking is more than a nuisance. On an individual level, the processing demands made by cryptojackers can damage devices and lead to data loss. Infected company networks often experience performance issues, alongside problems with compromised websites or apps.

Prevention is critically important. Here are some best practices to detect and neutralize cryptojacking malware before damage occurs:

• Train staff to cut phishing risks. Many cryptojacking incidents start with an infected attachment. Train employees to spot suspicious emails, attachments, and links. Refresh phishing training annually to ensure users understand the importance of email hygiene. Include sessions on safe file sharing and web browsing to cover the main cryptojacking vectors.
• Implement EDR to secure network assets. Endpoint Detection and Response (EDR) helps you block cryptojackers by detecting activity that indicates active cryptomining software. For example, EDR tools can detect outbound connections to likely cryptojacking networks or suspicious traffic spikes. Automated responses block dangerous connections and alert security teams, giving you time to assess the situation.
• Use CDR to protect cloud deployments. Cloud Detection and Response (CDR) extends cryptojacking prevention to the cloud. CDR monitors activity within AWS or Azure deployments, looking for the signature of cryptojacking attacks. For instance, CDR can spot spikes in cloud compute costs that EDR would miss. Using both tools together provides comprehensive protection.
• Block JavaScript on network devices. JavaScript is one of the most common vectors for cryptojacking malware. Employees should use secure web browsers and disable JavaScript. This blocks malicious scripts hosted on infected websites, essentially locking the door before criminals enter your network. If needed, run Java in quarantined environments.
• Use VPNs to secure APIs and web applications. Virtual Private Networks help prevent cryptojacking by protecting endpoints with a layer of encryption. VPNs also help secure remote connections via public wifi (a common vector for cryptomining infections).
• Regularly update network apps. Cryptojackers look for outdated software versions linked to exploit attacks. Patching internet-facing apps to the latest version is essential. Updates help prevent cryptojacking by removing the low-hanging fruit. This forces cryptojackers to adopt riskier, more complex strategies.
• Employ system monitoring tools. Advanced hardware monitoring helps you detect successful cryptojacking attacks before they compromise network performance. Network monitoring tools track CPU usage and traffic within the network, using machine learning to detect slight departures from normal baselines. This complements EDR and CDR, making detection far easier.
• Prevent lateral movement without authorization. Apply the principle of least privilege and block access to network resources without a legitimate business reason. Use Zero Trust security tools to verify identities within the network. This limits the lateral movement of attackers and helps contain cryptojacking agents.

Block cryptojacking threats to avoid performance problems

Cryptojacking attacks seize control of targeted devices and integrate them into large-scale cryptomining communities. Cryptojackers force infected devices to serve their needs, diverting CPU cycles and GPU resources to criminal ends. The results range from slight slowdowns to device failure and network-wide performance issues.

Avoid becoming a victim of cryptojacking. Use EDR, CDR, and network monitoring tools to detect cryptomining early. Train employees to minimize phishing risks, and update apps to block exploits before attacks take place.