eastbaycyber

What Is Cryptojacking?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-08
Definition

At a practical level, cryptojacking means an attacker has gained access to a system and is using that system’s CPU, GPU, memory, or cloud resources to run cryptocurrency mining software without permission.

Cryptojacking is the unauthorized use of a device, browser session, server, container, or cloud workload to mine cryptocurrency for someone else’s profit. In practice, it is less about stealing files and more about quietly hijacking compute power, electricity, and infrastructure capacity in a way that can degrade performance, raise costs, and signal a broader compromise.

If you’re comparing related malware concepts, see what is malware and what is ransomware.

How cryptojacking works

Most cryptojacking incidents follow a familiar pattern.

Initial access

Attackers first need code execution somewhere in the environment. That can happen through:

  • Phishing or malicious downloads on endpoints
  • Exploited internet-facing applications
  • Weak or exposed administrative credentials
  • Misconfigured cloud services
  • Compromised containers or orchestration platforms
  • Unpatched systems with known vulnerabilities

Miner deployment

Once inside, the attacker installs or launches mining software. Depending on the campaign, that may be:

  • A dedicated miner binary
  • A shell or PowerShell script
  • A malicious container image
  • A scheduled task or cron job
  • A lightweight downloader that fetches the miner later

Persistence and stealth

Because cryptojacking works best when it stays running, attackers often add persistence so the miner survives reboots or admin activity. Common techniques include:

  • Scheduled tasks or cron jobs
  • Startup items or services
  • Renamed binaries that blend in with normal processes
  • Reinstall scripts
  • CPU throttling to avoid obvious performance alarms

Some attackers also kill competing miners installed by other threat actors.

Connection to mining infrastructure

The compromised host usually connects to a mining pool or attacker-controlled infrastructure. This allows the attacker to assign mining work and receive the rewards. Analysts may notice:

  • Repeated outbound connections to unfamiliar domains or IPs
  • Long-running high-CPU processes
  • Mining-related command-line arguments
  • Wallet identifiers in scripts or configuration files

Ongoing resource abuse

The actual impact is often gradual. Instead of immediately locking systems, cryptojacking causes slow, persistent resource drain. That may lead to:

  • High CPU or GPU usage
  • Slower system performance
  • Overheating
  • Battery drain on laptops and mobile devices
  • Shorter hardware life
  • Higher cloud compute costs

Why cryptojacking matters

It can be tempting to treat cryptojacking as a minor issue because it may not destroy files or interrupt operations immediately. That is a mistake.

Cryptojacking still means:

  • An attacker gained unauthorized access
  • Code executed inside your environment
  • Persistence may exist
  • Other payloads may also have been deployed
  • The compromise path is still unresolved

In other words, the miner is often only the visible symptom. The bigger issue is the intrusion itself.

Where teams encounter cryptojacking

Cryptojacking appears most often in environments where attackers can get scalable access to compute resources.

Cloud and container environments

Cloud workloads are a common target because compute power directly translates into cost. If attackers compromise a cloud instance, container host, or orchestration platform, they may spin up mining quickly.

Common warning signs include:

  • Unexpected cloud spend increases
  • Sustained high CPU on workloads that should be idle
  • New workloads appearing without approval
  • Suspicious startup scripts or container images

Internet-facing servers

Web servers, Linux hosts, and application servers exposed to the internet are frequent targets. If attackers gain execution through weak credentials or unpatched software, they may install a miner and try to keep the system otherwise stable enough to avoid investigation.

Endpoint infections

On employee devices, cryptojacking may show up as part of a broader malware infection or after risky software installation. Users may report:

  • Fan noise
  • Overheating
  • Sluggish performance
  • Constant high resource usage
  • Rapid battery drain

Shared infrastructure and managed environments

Anywhere many systems are managed centrally, cryptojacking can spread operationally fast if one admin point is compromised. For MSPs and larger IT teams, the main issue may be widespread hidden performance degradation and cost impact across many systems.

Incident response and threat hunting

Security teams often discover cryptojacking while investigating what first looks like a performance issue. Threat hunters may also find it through:

  • Unusual long-running processes
  • Persistence artifacts
  • Mining pool traffic
  • Suspicious scheduled tasks
  • Broad use of scripting tools to deploy miners

Common signs of cryptojacking

While cryptojacking can be stealthy, it often leaves clues. Watch for:

  • Unexplained CPU or GPU spikes
  • Systems running hot when idle
  • Sudden increases in cloud bills
  • Security tools flagging miner binaries or scripts
  • Strange scheduled tasks or startup entries
  • Outbound traffic to mining pools
  • Containers or workloads launching without a clear owner

No single sign proves cryptojacking, but several together should trigger investigation.

Cryptojacking vs other malware

Cryptojacking vs ransomware

Ransomware aims to extort by encrypting or disrupting systems. Cryptojacking aims to monetize stolen compute resources quietly over time.

Cryptojacking vs spyware

Spyware is focused on monitoring and stealing information. Cryptojacking is focused on consuming resources for mining. However, both still reflect unauthorized access and can exist in the same compromise.

Cryptojacking vs botnet activity

A botnet is a network of compromised devices under attacker control. Cryptojacking may be one way a botnet operator monetizes infected systems.

Practical prevention tips

Cryptojacking prevention overlaps with general hardening. Teams usually get the best results by focusing on:

  • Patching internet-facing systems quickly
  • Restricting admin privileges
  • Monitoring cloud spend and workload creation
  • Using EDR on endpoints and servers
  • Reviewing scheduled tasks, cron jobs, and startup items
  • Locking down containers and cloud identities
  • Filtering malicious downloads and phishing attempts

For smaller teams, practical baseline tools may matter more than complex detection engineering. For example, Get Malwarebytes → can be useful for endpoint protection and suspicious process detection, while Try 1Password → can help reduce password reuse that often contributes to initial access. If administrators frequently manage infrastructure from public networks, Check NordVPN pricing → may also be a sensible layer for safer remote access hygiene.

Conclusion

Cryptojacking is the unauthorized use of systems to mine cryptocurrency for someone else’s profit. It often tries to stay hidden, but it still signals a real security compromise.

The right response is not just to remove the miner. Teams should also investigate how access was gained, what persistence remains, whether other payloads were deployed, and how broadly the intrusion spread across endpoints, servers, or cloud workloads.

Last verified: 2026-06-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.