Skip to main content

What is Cryptojacking and how does it work?

what is cryptojacking

Cryptojacking meaning & definition

Cryptojacking is a type of cybercrime that involves the unauthorized use of people's devices (computers, smartphones, tablets, or even servers) by cybercriminals to mine for cryptocurrency. Like many forms of cybercrime, the motive is profit, but unlike other threats, it is designed to stay completely hidden from the victim.

Learn more about Kaspersky Premium

What is cryptojacking?

Cryptojacking is a threat that embeds itself within a computer or mobile device and then uses its resources to mine cryptocurrency. Cryptocurrency is digital or virtual money, which takes the form of tokens or "coins." The most well-known is Bitcoin, but there are approximately 3,000 other forms of cryptocurrency and while some cryptocurrencies have ventured into the physical world through credit cards or other projects — most remain virtual.

Cryptocurrencies use a distributed database, known as 'blockchain' to operate. The blockchain is regularly updated with information about all the transactions that took place since the last update. Each set of recent transactions is combined into a 'block' using a complex mathematical process.

To produce new blocks, cryptocurrencies rely on individuals to provide the computing power. Cryptocurrencies reward people who supply the computing power with cryptocurrency. Those who trade computing resources for currency are called "miners".

The larger cryptocurrencies use teams of miners running dedicated computer rigs to complete the necessary mathematical calculations. This activity requires a significant amount of electricity – for example, the Bitcoin network currently uses more than 73TWh of energy per year.

Cryptojackers and the future of cryptojacking

That is where cryptojacking comes in: cryptojackers are people who want the benefits of cryptocurrency mining without incurring the huge costs. By not paying for expensive mining hardware or large electricity bills, cryptojacking allows hackers to mine for cryptocurrency without the large overheads. The type of cryptocurrency primarily mined on personal computers is Monero, which appeals to cybercriminals because it is difficult to trace.

There is some debate as to whether cryptojacking is in decline or on the rise. Cryptojacking tends to rise in proportion to the value of cryptocurrencies, particularly Bitcoin and Monero. But in recent years, two factors have had a dampening effect on cryptojacking:

  • Crackdowns by law enforcement.
  • The shutdown of Coinhive, which was the leading site which dealt with cryptominers. Coinhive provided JavaScript code that websites could incorporate to make visitors' computers mine Monero. Coinhive's code was quickly abused: a mining script could also be injected into a website by hackers without the site owner's knowledge. The site shut down in March 2019, and with it, the number of site infections went sharply down.

The motivation behind a cryptojacking attack is simple: money. Mining cryptocurrencies can be very lucrative, but making a profit is challenging without the means to cover large costs. Cryptojacking is the criminal manifestation of cryptomining and offers an illegitimate yet effective and inexpensive way to mine valuable coins.

How does cryptojacking work?

Cybercriminals hack into devices to install cryptojacking software. The software works in the background, mining for cryptocurrencies or stealing from cryptocurrency wallets. The unsuspecting victims use their devices typically, though they may notice slower performance or lags.

Hackers have two primary ways to get a victim's device to secretly mine cryptocurrencies:

  • By getting the victim to click on a malicious link in an email that loads cryptomining code on the computer
  • By infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim's browser

Hackers often use both methods to maximize their return. In both cases, the code places the cryptojacking script onto the device, which runs in the background as the victim works. Whichever method is used, the script runs complex mathematical problems on the victims' devices and sends the results to a server which the hacker controls.

Unlike other types of malware, cryptojacking scripts do not damage computers or victims' data. However, they do steal computer processing resources. For individual users, slower computer performance might simply be an annoyance. But cryptojacking is an issue for business because organizations with many cryptojacked systems incur real costs. For example:

  • The use of help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.
  • Increased electricity costs.

Some cryptomining scripts have worming capabilities that allow them to infect other devices and servers on a network. This makes them harder to identify and remove. These scripts may also check to see if the device is already infected by competing cryptomining malware. If another cryptominer is detected, the script disables it.

In early instances of cryptomining, some web publishers sought to monetize their traffic by asking visitors' permission to mine for cryptocurrencies while on their site. They positioned it as a fair exchange: visitors would receive free content while the sites would use their computer for mining. For example, on gaming sites, users might stay on the page for some time while the JavaScript code mines for coin. Then when they leave the site, the cryptomining would end. This approach can work if sites are transparent about what they are doing. The difficulty for users is knowing whether sites are being honest or not.

Malicious versions of cryptomining – i.e. cryptojacking – don't ask for permission and keep running long after you leave the initial site. This is a technique used by owners of dubious sites or hackers who have compromised legitimate sites. Users have no idea that a site they visited has been using their computer to mine cryptocurrency. The code uses just enough system resources to remain unnoticed. Although the user thinks the visible browser windows are closed, a hidden one stays open. Often it can be a pop-under, which is sized to fit beneath the taskbar or behind the clock.

Cryptojacking can even infect Android mobile devices, using the same methods that target desktops. Some attacks occur through a Trojan hidden in a downloaded app. Or users' phones can be redirected to an infected site, which leaves a persistent pop-under. While individual phones have relatively limited processing power, when attacks occur in large numbers, they provide enough collective strength to justify the cryptojackers' efforts.

Cryptojacking malware risks and dangers

Cryptojacking attack – examples

High profile examples of cryptojacking include:

  • In 2019,eight separate apps that secretly mined cryptocurrency with the resources of whoever downloaded them were ejected from the Microsoft Store. The apps supposedly came from three different developers, although it was suspected that the same individual or organization was behind them all. Potential targets could encounter the cryptojacking apps through keyword searches within the Microsoft Store, and on lists of the top free apps. When a user downloaded and launched one of the apps, they would inadvertently download cryptojacking JavaScript code. The miner would activate and start looking for Monero, using up a significant amount of the device's resources and therefore slowing it down.
  • In 2018, cryptojacking code was discovered concealed within the Los Angeles Times' Homicide Report page. When visitors went to the Homicide Report page, their devices were used to mine a popular cryptocurrency called Monero. The threat was not detected for a while because the amount of computing power the script used was minimal, so many users would not be able to detect that their devices had been compromised.
  • In 2018, cryptojackers targeted the operational technology network of a European water utility control system, seriously impacting the operators' ability to manage the utility plant. This was the first known instance of a cryptojacking attack against an industrial control system. Similar to the Los Angeles Times hack, the miner was generating Monero.
  • In early 2018, the CoinHive miner was found to be running on YouTube Ads through Google's DoubleClick platform.
  • During July and August 2018, a cryptojacking attack infected over 200,000 MikroTik routers in Brazil, injecting CoinHive code in a massive amount of web traffic.

How to detect cryptojacking

Cryptojacking detection can be difficult because the process is often hidden or made to look like a benevolent activity on your device. However, here are three signs to watch out for:

Cryptojacking detection – 3 things to look out for

  1. Decreased performance
    One of the key symptoms of cryptojacking is decreased performance on your computing devices. Slower systems can be the first sign to watch out for, so be alert to your device running slowly, crashing, or exhibiting unusually poor performance. Your battery draining more quickly than usual is another potential indicator.
  2. Overheating Cryptojacking is a resource-intensive process that can cause computing devices to overheat. This can lead to computer damage or shorten their lifespan. If your laptop or computer's fan is running faster than usual, this could indicate that a cryptojacking script or website is causing the device to heat up, and your fan is running to prevent melting or fire.
  3. Central Processing Unit (CPU) usage:
    If you see an increase in CPU usage when you are on a website with little or no media content, it could be a sign that cryptojacking scripts might be running. A good cryptojacking test is to check the central processing unit (CPU) usage of your device using the Activity Monitor or Task Manager. However, bear in mind that processes might be hiding themselves or masking as something legitimate to hinder you from stopping the abuse. Also, when your computer is running at maximum capacity, it will run very slowly, and therefore can be harder to troubleshoot.

How to protect yourself against cryptojacking

Use a good cybersecurity program:

A comprehensive cybersecurity program such as Kaspersky Total Security will help to detect threats across the board and can provide cryptojacking malware protection. As with all other malware precautions, it is much better to install security before you become a victim. It is also good practice to install the latest software updates and patches for your operating system and all applications — especially those concerning web browsers.

Be alert to the latest cryptojacking trends:

Cybercriminals are constantly modifying code and coming up with new delivery methods to embed updated scripts onto your computer system. Being proactive and staying on top of the latest cybersecurity threats can help you detect cryptojacking on your network and devices and avoid other types of cybersecurity threats.

Use browser extensions designed to block cryptojacking:

Cryptojacking scripts are often deployed in web browsers. You can use specialized browser extensions to block cryptojackers across the web, such as minerBlock, No Coin, and Anti Miner. They install as extensions in some popular browsers.

Use ad blockers:

Since cryptojacking scripts are often delivered through online ads, installing an ad blocker can be an effective means of stopping them. Using an ad blocker like Ad Blocker Plus can both detect and block malicious cryptojacking code.

Disable JavaScript:

When browsing online, disabling JavaScript can prevent cryptojacking code from infecting your computer. However, although that interrupts the drive-by cryptojacking, this could also block you from using functions that you need.

Block pages known to deliver cryptojacking scripts:

To prevent cryptojacking while visiting websites, make sure each site you visit is on a carefully vetted whitelist. You can also blacklist sites known for cryptojacking, but this may still leave your device or network exposed to new cryptojacking pages.

Cryptojacking might seem like a relatively harmless crime since the only thing 'stolen' is the power of the victim's computer. But the use of computing power for this criminal purpose is done without the knowledge or consent of the victim, for the benefit of criminals who are illicitly creating currency. We recommend following good cybersecurity practices to minimize the risks and to install trusted cybersecurity or internet security onto all of your devices.

Kaspersky Internet Security received two AV-TEST awards for the best performance & protection for an internet security product in 2021. In all tests Kaspersky Internet Security showed outstanding performance and protection against cyberthreats.

Related Articles:

Recommended products:

What is Cryptojacking and how does it work?

Cryptojacking is where cybercriminals secretly use a victim's computing power to generate cryptocurrency. Learn the risks & how to protect yourself.
Kaspersky logo

Related articles