What Is Cryptojacking?
At a practical level, cryptojacking means an attacker has gained access to a system and is using that system’s CPU, GPU, memory, or cloud resources to run cryptocurrency mining software without permission.
Cryptojacking is the unauthorized use of a device, browser session, server, container, or cloud workload to mine cryptocurrency for someone else’s profit. In practice, it is less about stealing files and more about quietly hijacking compute power, electricity, and infrastructure capacity in a way that can degrade performance, raise costs, and signal a broader compromise.
If you’re comparing related malware concepts, see what is malware and what is ransomware.
How cryptojacking works
Most cryptojacking incidents follow a familiar pattern.
Initial access
Attackers first need code execution somewhere in the environment. That can happen through:
- Phishing or malicious downloads on endpoints
- Exploited internet-facing applications
- Weak or exposed administrative credentials
- Misconfigured cloud services
- Compromised containers or orchestration platforms
- Unpatched systems with known vulnerabilities
Miner deployment
Once inside, the attacker installs or launches mining software. Depending on the campaign, that may be:
- A dedicated miner binary
- A shell or PowerShell script
- A malicious container image
- A scheduled task or cron job
- A lightweight downloader that fetches the miner later
Persistence and stealth
Because cryptojacking works best when it stays running, attackers often add persistence so the miner survives reboots or admin activity. Common techniques include:
- Scheduled tasks or cron jobs
- Startup items or services
- Renamed binaries that blend in with normal processes
- Reinstall scripts
- CPU throttling to avoid obvious performance alarms
Some attackers also kill competing miners installed by other threat actors.
Connection to mining infrastructure
The compromised host usually connects to a mining pool or attacker-controlled infrastructure. This allows the attacker to assign mining work and receive the rewards. Analysts may notice:
- Repeated outbound connections to unfamiliar domains or IPs
- Long-running high-CPU processes
- Mining-related command-line arguments
- Wallet identifiers in scripts or configuration files
Ongoing resource abuse
The actual impact is often gradual. Instead of immediately locking systems, cryptojacking causes slow, persistent resource drain. That may lead to:
- High CPU or GPU usage
- Slower system performance
- Overheating
- Battery drain on laptops and mobile devices
- Shorter hardware life
- Higher cloud compute costs
Why cryptojacking matters
It can be tempting to treat cryptojacking as a minor issue because it may not destroy files or interrupt operations immediately. That is a mistake.
Cryptojacking still means:
- An attacker gained unauthorized access
- Code executed inside your environment
- Persistence may exist
- Other payloads may also have been deployed
- The compromise path is still unresolved
In other words, the miner is often only the visible symptom. The bigger issue is the intrusion itself.
Where teams encounter cryptojacking
Cryptojacking appears most often in environments where attackers can get scalable access to compute resources.
Cloud and container environments
Cloud workloads are a common target because compute power directly translates into cost. If attackers compromise a cloud instance, container host, or orchestration platform, they may spin up mining quickly.
Common warning signs include:
- Unexpected cloud spend increases
- Sustained high CPU on workloads that should be idle
- New workloads appearing without approval
- Suspicious startup scripts or container images
Internet-facing servers
Web servers, Linux hosts, and application servers exposed to the internet are frequent targets. If attackers gain execution through weak credentials or unpatched software, they may install a miner and try to keep the system otherwise stable enough to avoid investigation.
Endpoint infections
On employee devices, cryptojacking may show up as part of a broader malware infection or after risky software installation. Users may report:
- Fan noise
- Overheating
- Sluggish performance
- Constant high resource usage
- Rapid battery drain
Shared infrastructure and managed environments
Anywhere many systems are managed centrally, cryptojacking can spread operationally fast if one admin point is compromised. For MSPs and larger IT teams, the main issue may be widespread hidden performance degradation and cost impact across many systems.
Incident response and threat hunting
Security teams often discover cryptojacking while investigating what first looks like a performance issue. Threat hunters may also find it through:
- Unusual long-running processes
- Persistence artifacts
- Mining pool traffic
- Suspicious scheduled tasks
- Broad use of scripting tools to deploy miners
Common signs of cryptojacking
While cryptojacking can be stealthy, it often leaves clues. Watch for:
- Unexplained CPU or GPU spikes
- Systems running hot when idle
- Sudden increases in cloud bills
- Security tools flagging miner binaries or scripts
- Strange scheduled tasks or startup entries
- Outbound traffic to mining pools
- Containers or workloads launching without a clear owner
No single sign proves cryptojacking, but several together should trigger investigation.
Cryptojacking vs other malware
Cryptojacking vs ransomware
Ransomware aims to extort by encrypting or disrupting systems. Cryptojacking aims to monetize stolen compute resources quietly over time.
Cryptojacking vs spyware
Spyware is focused on monitoring and stealing information. Cryptojacking is focused on consuming resources for mining. However, both still reflect unauthorized access and can exist in the same compromise.
Cryptojacking vs botnet activity
A botnet is a network of compromised devices under attacker control. Cryptojacking may be one way a botnet operator monetizes infected systems.
Practical prevention tips
Cryptojacking prevention overlaps with general hardening. Teams usually get the best results by focusing on:
- Patching internet-facing systems quickly
- Restricting admin privileges
- Monitoring cloud spend and workload creation
- Using EDR on endpoints and servers
- Reviewing scheduled tasks, cron jobs, and startup items
- Locking down containers and cloud identities
- Filtering malicious downloads and phishing attempts
For smaller teams, practical baseline tools may matter more than complex detection engineering. For example, Get Malwarebytes → can be useful for endpoint protection and suspicious process detection, while Try 1Password → can help reduce password reuse that often contributes to initial access. If administrators frequently manage infrastructure from public networks, Check NordVPN pricing → may also be a sensible layer for safer remote access hygiene.
Conclusion
Cryptojacking is the unauthorized use of systems to mine cryptocurrency for someone else’s profit. It often tries to stay hidden, but it still signals a real security compromise.
The right response is not just to remove the miner. Teams should also investigate how access was gained, what persistence remains, whether other payloads were deployed, and how broadly the intrusion spread across endpoints, servers, or cloud workloads.