SOCRadar® Cyber Intelligence Inc. | Cryptojacking
Jun 25, 2026
6 Mins Read

What is Cryptojacking? How Hackers Steal Your Computing Power

Cryptojacking is the unauthorized use of a victim’s computing resources to mine cryptocurrency without their knowledge or consent. Attackers target servers, endpoints, cloud workloads, and even browsers. The victim bears the cost in electricity and hardware degradation while the attacker collects the mined coins.

Cryptojacking sits at a unique intersection of stealth and profit. Unlike ransomware, it aims to avoid detection entirely. A compromised server may mine Monero for months before anyone notices performance problems.

Cryptojacking Definition

Cryptojacking is classified as a form of malware, even when delivered through a browser script rather than an installed program. The core behavior is the same in every case: the attacker diverts CPU or GPU cycles from the victim’s system to operate a cryptocurrency mining process that pays out to attacker-controlled wallets.

Monero (XMR) is the preferred currency for cryptojacking operations because its privacy features make transaction tracing significantly harder than it is for Bitcoin. The term covers browser-based JavaScript mining, file-based malware, fileless variants, and cloud resource hijacking.

How Cryptojacking Works

A cryptojacking attack follows a straightforward chain from initial infection to ongoing revenue generation.

The attacker first delivers the mining component. This may be a malicious email link that installs a file-based miner, a compromised website that loads a JavaScript mining script in the visitor’s browser, a supply chain compromise that injects mining code into a legitimate software package, or a misconfigured cloud API that the attacker exploits to spin up compute-intensive instances.

Figure: Cryptojacking flow

Once active, the miner connects to a mining pool, contributes computational work to solve the proof-of-work algorithm, and relays the resulting hashes to the C2 server. The attacker receives a proportional payout from the mining pool based on the combined output of all compromised systems. The victim’s machine runs at elevated CPU usage, potentially indefinitely.

Types of Cryptojacking Attacks

| Type | Delivery Method | Persistence |
|---|---|---|
| Drive-by browser mining | JavaScript loaded on a malicious or compromised website | Session only, unless a service worker is installed |
| File-based malware | Phishing email, malicious download | Survives reboots via startup entries or scheduled tasks |
| Fileless cryptojacking | PowerShell or memory injection | No file on disk, harder to detect |
| Supply chain cryptojacking | Malicious code in npm, PyPI, or other packages | Affects any system that installs the compromised package |
| Cloud and container cryptojacking | Exploiting exposed APIs, misconfigured Kubernetes | Runs within cloud instances at the victim's expense |

Cloud and Container Cryptojacking

Cloud cryptojacking is the fastest-growing variant of the attack as of 2025-2026. Attackers target exposed Docker APIs, misconfigured Kubernetes clusters, and AWS Lambda functions. Because cloud billing is metered, a cryptojacking operation that runs for a week on a victim’s cloud account can generate thousands of dollars in unexpected infrastructure costs before being discovered.

In Kubernetes environments, attackers deploy malicious pods that consume node resources without appearing in standard application dashboards. Container escape vulnerabilities can also allow a cryptojacker to move from an isolated workload to the underlying host.

Attack Surface Management (ASM) tools that continuously monitor internet-exposed cloud assets are one of the most effective defenses against cloud cryptojacking, because many of these attacks begin with a publicly exposed service that should not be accessible.

Cryptojacking vs Ransomware: Key Differences

Ransomware and cryptojacking share some technical infrastructure but represent different business models for cybercriminals.

Ransomware is loud by design. It needs the victim to discover the encryption and pay the ransom. Cryptojacking is quiet by design. Discovery ends the revenue stream. This means cryptojacking operations invest heavily in stealth while ransomware operators invest in pressure tactics.

Cryptojacking is also lower risk for the attacker. No ransom negotiation means no contact with law enforcement intermediaries. The attack can run unattributed for a long time. The tradeoff is lower per-victim revenue, which is why cryptojackers compensate through volume.

How to Detect Cryptojacking

Several indicators point to a cryptojacking infection on endpoints or servers:

  • Sustained CPU usage spikes with no corresponding workload increase
  • Performance degradation on servers or user devices that was not present before
  • Elevated electricity costs in on-premise environments without a clear cause
  • Unusual outbound network traffic to mining pools or unknown domains
  • EDR alerts on process injection, unusual PowerShell activity, or living-off-the-land techniques
  • In cloud environments, unexpected compute billing increases or unfamiliar instance types appearing in infrastructure dashboards

Network traffic analysis is particularly useful for detecting mining communications, since mining pool protocols use recognizable patterns.
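As an added illustration of the "recognizable patterns" point (this is example code written for this page, not SOCRadar's tooling), the detector below looks for the Stratum JSON-RPC methods that pool miners send, grouped per source/destination pair, over a constructed set of sensor lines; the method names are the well-known Stratum v1 and CryptoNote-dialect ones, while the addresses, ports and wallet string are invented.

```python
import json

# Stratum is the JSON-RPC-over-TCP protocol miners use to talk to a pool. Client-side
# method names from the two common dialects: Stratum v1 and the CryptoNote/Monero one.
STRATUM_CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                          "login", "submit", "getjob", "keepalived"}
AUTH_METHODS = {"mining.subscribe", "mining.authorize", "login"}
WORK_METHODS = {"mining.submit", "submit"}

# Constructed sample, "src -> dst:port payload", one reassembled outbound message per
# line as a network sensor might log it. Addresses and the wallet string are invented.
SAMPLE_LINES = [
    '10.0.0.5 -> 203.0.113.9:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    '10.0.0.5 -> 203.0.113.9:3333 {"id":2,"method":"mining.authorize","params":["wallet.rig1","x"]}',
    '10.0.0.7 -> 198.51.100.4:4444 {"id":1,"method":"login","params":{"login":"4EXAMPLEWALLET","pass":"x","agent":"XMRig/6.21.0"}}',
    '10.0.0.7 -> 198.51.100.4:4444 {"id":3,"method":"submit","params":{"id":"abc","job_id":"1","nonce":"00000000"}}',
    '10.0.0.9 -> 192.0.2.10:443 GET /index.html HTTP/1.1',
    '10.0.0.9 -> 192.0.2.10:8545 {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
    '10.0.0.9 -> 192.0.2.10:8545 {not valid json',
]

def stratum_method(payload):
    """Return the Stratum method name if payload is a Stratum client request, else None."""
    if not payload.startswith("{"):
        return None  # HTTP, TLS or other non-JSON-RPC data
    try:
        msg = json.loads(payload)
    except json.JSONDecodeError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_CLIENT_METHODS else None

def find_mining_sessions(lines):
    """Map (src, dst) -> list of Stratum methods seen; malformed sensor lines are skipped."""
    sessions = {}
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "->":
            continue
        src, _, dst, payload = parts
        method = stratum_method(payload)
        if method is not None:
            sessions.setdefault((src, dst), []).append(method)
    return sessions

def confirmed_miners(sessions):
    """Pairs that both joined a pool and submitted shares; a subscribe with no submit is weaker."""
    return sorted(k for k, m in sessions.items()
                  if AUTH_METHODS & set(m) and WORK_METHODS & set(m))
```

Pools increasingly run Stratum over TLS, in which case the JSON is not visible and the same logic has to be applied at an endpoint or a TLS-terminating proxy instead.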

How to Prevent Cryptojacking?

For endpoints: Deploy endpoint protection with behavioral detection capabilities. Script-blocking browser extensions prevent in-browser miners from executing. Audit browser extensions across the organization and remove unauthorized ones.

For servers: Apply patches promptly. Disable unused services and exposed APIs. Monitor CPU usage baselines and alert on sustained deviations.
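The baseline-and-sustained-deviation check mentioned here (and the "sustained CPU usage spikes" indicator in the detection list above) can be implemented as below; this is an added example, not SOCRadar code, and the minute-by-minute CPU series it runs on is constructed to contain a short legitimate burst followed by the long plateau a resident miner produces.

```python
from statistics import mean, pstdev

# Constructed sample: CPU utilisation (%) sampled once a minute on one server.
# 30 normal samples, a 3-minute burst (a build or batch job), 4 normal samples,
# then a 12-minute plateau near 95% of the kind a resident miner causes.
BASELINE_SAMPLES = [20, 22, 25, 19, 24, 23, 21, 26, 20, 22] * 3
BURST = [90, 92, 88]
PLATEAU = [94, 96, 95, 95, 97, 94, 96, 95, 95, 94, 96, 95]
SAMPLE_SERIES = BASELINE_SAMPLES + BURST + [21, 23, 20, 22] + PLATEAU + [20, 21]

def learn_baseline(samples):
    """Mean and population stddev of a learning window of known-good samples."""
    return mean(samples), pstdev(samples)

def sustained_deviations(series, baseline_mean, baseline_std, sigma=3.0, min_run=10):
    """Return (start_index, end_index, mean_cpu) for each episode in which CPU stays more
    than `sigma` stddevs above the baseline for at least `min_run` consecutive samples.
    Short bursts shorter than min_run are ignored, so scheduled jobs do not alert."""
    threshold = baseline_mean + sigma * baseline_std
    episodes = []
    run_start = None
    for i, cpu in enumerate(list(series) + [None]):  # sentinel closes a run at the end
        above = cpu is not None and cpu > threshold
        if above and run_start is None:
            run_start = i
        elif not above and run_start is not None:
            if i - run_start >= min_run:
                episodes.append((run_start, i - 1, round(mean(series[run_start:i]), 1)))
            run_start = None
    return episodes

def analyse(series, learning_window=30, **kwargs):
    """Learn the baseline from the first `learning_window` samples, then scan the series."""
    base_mean, base_std = learn_baseline(series[:learning_window])
    return sustained_deviations(series, base_mean, base_std, **kwargs)
```

With the defaults the burst at minutes 30 to 32 is ignored and only the plateau at minutes 37 to 48 is reported; lowering min_run to 3 reports both.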

For cloud environments: Enforce strict IAM policies, disable public access to Docker APIs and Kubernetes dashboards, and use cloud security posture management tools to detect misconfigurations before attackers find them.

For all environments: Employee awareness training helps with phishing-delivered miners. Patch management automation ensures that the libraries and frameworks attackers exploit most often are kept current.

Cryptojacking Toolkits on the Dark Web

Cryptojacking is not limited to technically sophisticated attackers. On the Dark Web and Telegram-based underground markets, buyers can purchase ready-made cryptojacking toolkits, access to botnet infrastructure, and malware-as-a-service packages that handle deployment and C2 communication automatically. These kits lower the barrier to entry significantly and have contributed to the volume of cryptojacking activity seen in recent years.

SOCRadar’s Advanced Dark Web Monitoring tracks these marketplaces, allowing security teams to stay informed about new toolkits entering circulation before they appear in the wild.

How SOCRadar Threat Intelligence Detects Cryptojacking Infrastructure?

SOCRadar’s Attack Surface Management continuously monitors an organization’s external exposure, identifying cloud misconfigurations and exposed APIs that cryptojackers frequently exploit. Threat intelligence feeds provide indicators of compromise linked to known mining pools, C2 servers, and cryptojacking malware families, allowing security teams to detect infections and block communications before significant damage occurs.

Frequently Asked Questions

What is cryptojacking? Cryptojacking is the unauthorized use of a victim’s computing resources to mine cryptocurrency. The victim’s CPU or GPU cycles are diverted to generate revenue for the attacker without the victim’s knowledge.

How do I know if I’m being cryptojacked? Sustained unexplained CPU spikes, device slowdowns, and elevated power costs are common indicators. On servers, unusual outbound traffic to mining pools is a strong signal.

Is cryptojacking illegal? Yes. Unauthorized access to computer systems for any purpose, including mining, is illegal under cybercrime statutes in most jurisdictions.

How do I remove cryptojacking malware? Use an endpoint detection and response tool to identify and remove the miner. Check startup entries, scheduled tasks, and browser extensions for persistence mechanisms.