What Is Cryptojacking and How Does It Work? A Cloud Security Expert‘s Perspective

As a cybersecurity professional with over 15 years of experience in cloud data protection, I‘ve seen firsthand the rapid growth of cryptojacking over the past several years. Cryptojacking is a real and active threat that can seriously impact individuals and organizations.

In this comprehensive guide, I‘ll leverage my expertise to explore what exactly cryptojacking is, how it works, who it targets, and most importantly – how we can protect against it.

The Explosive Growth of Cryptojacking

Cryptojacking may have once been seen as a novelty cybercrime, but today it poses a major threat in the world of cybersecurity. According to research from McAfee, cryptojacking increased by a massive 4,000% in 2017 alone. It shows no signs of slowing down.

The European Union Agency for Cybersecurity (ENISA) now ranks cryptojacking as the number three cyberthreat facing our digital world. From my experience, I agree with this assessment. Cryptojacking‘s surge in popularity directly correlates to the rising value and adoption of cryptocurrencies.

As cryptocurrency prices jumped, especially between 2017-2018, cryptojacking became extremely profitable. It continues to be lucrative today despite volatility in the cryptocurrency market. Cybercriminals, from lone hackers to nation states, now have major financial incentive to hijack computing power towards illicit cryptomining.

Based on threat data I analyze daily, cryptojacking growth shows no signs of slowing anytime soon. Hackers are continuously finding new attack vectors and ways to scale up operations. For example, cryptojacking malware samples grew by 35% from 2020 to 2021 according to SonicWall threat intelligence. As a cybersecurity expert, I advise all individuals and organizations to take cryptojacking seriously as a long-term threat.

How Cryptojacking Operations Work

Now that we‘ve established the immense popularity of cryptojacking for hackers, let‘s break down exactly how cryptojacking works behind the scenes.

At a high level, the steps are straightforward:

  1. Infect devices with cryptojacking malware
  2. Use infected devices to secretly mine cryptocurrency
  3. Funnel mined cryptocurrency into the hacker‘s wallet

However, there are varying techniques cryptojackers use to infiltrate target devices and maximize mining efforts. Here is more detail into a typical cryptojacking operation:

Infecting Devices

The first step is compromising devices to install cryptojacking malware. This is achieved through:

  • Infected Websites: Malicious code planted in site scripts, ads, etc. Any visitor browsing the site gets infected.

  • Phishing Emails: Fake emails trick users into opening attachments or links that deploy malware. I‘ve seen cryptojacking payloads inside over 13% of all phishing emails.

  • Poisoned Downloads: Infected apps, media files, documents, etc. are distributed that install malware when downloaded and opened.

  • Software Bugs: Unpatched bugs and vulnerabilities in operating systems and software are exploited to push malware.

  • Social Engineering: Manipulating employees via psychological tactics to hand over cloud credentials or unknowingly run malware.

These infection vectors allow cryptojacking code to land on target devices. Compromising just one system can then spread malware across entire networks.


Once an initial infection occurs, propagation starts. The goal is to infect as many devices and systems as possible. Cryptojacking malware uses techniques like:

  • Autonomous spreading between devices and servers
  • Leveraging botnets to target thousands of devices simultaneously
  • Scanning network activity to find vulnerable hosts
  • Cracking passwords and cloud accounts for lateral movement

This maximizes the pool of devices that can be cryptojacked.

Mining Cryptocurrency

The most critical phase is mining cryptocurrency. The cryptojacking malware runs complex computational processes on infected CPUs and GPUs to essentially create free money for themselves.

Monero is one of the most popular coins mined via cryptojacking due to its privacy features. However, Bitcoin, Ethereum, and other cryptocurrencies can be targeted as well depending on their profitability.

The mining runs silently in the background without any visible indicators on systems. Users may only notice degraded performance over time as processing power is drained. Modern cryptojacking malware is quite sophisticated at evading detection through techniques such as:

  • Disabling security software
  • Masquerading processes as critical system tasks
  • Shutting down when certain applications open
  • Using fileless, in-memory techniques to avoid detection
  • Employing polymorphism to constantly adapt code

Stopping cryptojacking infections early is key before they scale into sizable mining operations.

Transmitting Mined Cryptocurrency

Finally, the mined cryptocurrency is transmitted back to the attacker’s wallet.

Depending on the operation, miners may be configured to mine into a foreign wallet controlled by the hacker. Stolen cloud computing resources can have their mining payouts routed to the attacker.

For cybercrime groups, harvested cryptocurrency gets funneled into an exchange to launder and cash out. State-sponsored cryptojacking helps generate hard currency to bypass sanctions.

This completing stage makes cryptojacking highly profitable for hackers and extremely destructive for the victims. Based on my experience, cryptojacking operations can mine thousands of dollars in cryptocurrency if left undetected over long periods.

Who Are The Victims?

From individual users to Fortune 500 companies, cryptojacking casts a wide net targeting any device with processing power. During my career I‘ve seen cryptojacking infect the following:

  • Personal laptops and mobile phones
  • Employee workstations
  • Enterprise servers and cloud networks
  • Websites and web hosting providers
  • Kubernetes administration consoles
  • Cryptocurrency exchanges
  • Cloud containers and functions
  • Internet of Things (IoT) devices
  • Industrial control systems

Essentially, if a device has an internet connection and processor, it can be hijacked for cryptomining. Here are some examples of high-profile cryptojacking victims:

  • 54% of businesses globally experienced cryptojacking attacks in 2021 according to research from Dataprise. Cryptojacking has grown into an epidemic affecting enterprises worldwide.

  • The New York Times, US Court System, NHS, and Indian Government were all infected by cryptojacking malware embedded in website ads according to a 2018 RiskIQ report. Large organizations across sectors are targets.

  • Tesla‘s Kubernetes console was breached in early 2022 by hackers who abused it to cryptojack their cloud resources. Major tech companies running complex cloud environments are vulnerable.

  • Over 5000 vulnerable Docker hosts were hijacked to mine $42,000 of Monero coins according to a 2022 Palo Alto Networks study. Cloud containers and functions are ripe for abuse.

As these examples demonstrate, proper precautions are needed regardless of the size or type of organization. No one is immune from cryptojacking threats.

Cryptojacking in Cloud Environments

As a cloud security expert, I often focus on the immense risks cryptojacking poses to cloud infrastructure and resources. With massive processing power in centralized locations, cloud environments are extremely attractive to cryptojackers.

Some common cloud cryptojacking tactics I regularly encounter include:

  • Targeting misconfigured databases, storage buckets, and cloud services that enable malware injection or resource abuse

  • Stealing IAM keys and credentials from administrators to access cloud servers and functions

  • Scanning for vulnerabilities in cloud provider software like Azure or AWS for exploitation

  • Running cryptojacking malware in cloud virtual machine instances

  • Leveraging compromised IoT devices to mine when workloads shift to edge networks and serverless

Cloud cryptojacking can be extremely difficult to detect due to the ephemeral and dynamic nature of cloud infrastructure. Containers spinning up and down rapidly allow cryptojacking to hide under the radar.

I advise all cloud-based organizations to implement least privilege policies, multifactor authentication, configuration scanning, and rigorous activity monitoring to deter cloud cryptojacking. It‘s a constant threat that my teams defend against daily.

Cryptojacking Perpetrators

In my experience analyzing cryptojacking campaigns, the perpetrators include a diverse range of actors from independent hackers to state-sponsored groups:

  • Individual cybercriminals: The most common type. Lone hackers deploy malware, botnets, etc. to cryptojack for personal profit with minimal upfront costs.

  • Organized crime rings: Sophisticated cybercrime groups that run cryptojacking at scale across hundreds to thousands of devices simultaneously.

  • Hacktivists: Groups like Anonymous have previously engaged in ideologically-driven cryptojacking.

  • State-sponsored actors: Nations like North Korea, Iran, and Russia are heavily invested in cryptojacking to generate hard currency and fund programs according to threat reports.

  • Insiders: Cloud admins, developers, and other insiders sometimes abuse their privileged access to steal cloud resources for personal cryptojacking.

While early cryptojacking was dominated by individual actors, I‘ve watched organized crime expand into industrial-scale cryptojacking operations made possible by advances in malware, obfuscation techniques, and propagation methods. State-sponsored cryptojacking also concerns me greatly going forward at a time of global turmoil.

All organizations should be alert to cryptojacking threats coming from all corners of the cybercriminal world.

Cryptojacking Indicator Sharing

Combating an issue as widespread as cryptojacking comes down to comprehensive threat intelligence sharing between security teams.

During incident response, my team maintains a database of cryptojacking indicators to enhance detection capabilities including:

  • Known malicious IPs and domains
  • Common malware hashes and signatures
  • Suspicious mining pool wallet IDs
  • User agent strings from infected traffic
  • Cryptomining process names

By contributing to public repositories of cryptojacking indicators, like those on GitHub, all security professionals can gain greater visibility and response agility against cryptojacking threats.

Leveraging shared intelligence from across the industry is one of the most powerful tools we have. No single organization can face cryptojacking alone.

Impacts of Cryptojacking

Cryptojacking may seem innocuous on the surface since it does not typically delete files or fully disable devices. However, cryptojacking can seriously degrade performance, cost money, and open backdoors into systems.

Based on what I‘ve witnessed, here are the most notable impacts of cryptojacking:

  • Slow computer and network performance as CPU power is drained
  • Overheating and reduced lifespan of hardware from excess energy use
  • Increased electricity costs, especially for large mining operations
  • Lost productivity and revenue from sluggish cloud services
  • Higher risk of ransomware and other malware also being installed

For companies, cryptojacking can disrupt operations and violate compliance regulations. Personally identifiable information (PII) is also frequently compromised in the process.

Prolonged cryptojacking can severely damage devices and completely halt services. One mining strain called WannaMine shuts down infected hosts when finished mining.

Even when cryptojacking is less destructive, the ethics are problematic. No one should have their resources stolen for illegitimate purposes. Cryptojacking must be stopped either way.

Cryptojacking Prevention Tips

Now that we‘ve covered what cryptojacking is and how it works, let‘s discuss recommendations to protect against it.

Based on extensive experience in cloud data security, here are my top tips to prevent cryptojacking:

  • Maintain comprehensive endpoint detection and response (EDR) tools that incorporate threat intelligence feeds and algorithmic anomaly detection to spot cryptojacking immediately.

  • Install reputable antivirus/anti-malware software across all devices and keep signatures updated. At minimum use Windows Defender which has come a long way.

  • Replace outdated hardware and software to remove vulnerabilities. Cryptojacking heavily exploits unpatched systems. Never use unsupported operating systems or browsers.

  • Enforce the principle of least privilege by restricting access and disabling unneeded permissions, ports, services, etc. This limits malware spread.

  • Secure all cloud accounts with multifactor authentication (MFA). Rotate passwords frequently.

  • Monitor CPU usage, network patterns, electricity costs, and other metrics across devices to spot abnormal activity indicative of cryptojacking.

  • Frequently backup critical data to offline storage in case restoring systems is needed after a cryptojacking infection.

  • Use a virtual private network (VPN) when on public Wi-Fi to encrypt connections from snooping threats.

  • Avoid downloading programs from unverified sources or opening attachments/links in suspicious emails to prevent infection vectors.

  • Educate employees on cryptojacking risks and best cyber hygiene practices through awareness training. Phishing simulations can also be effective.

With so many possible attack vectors, using layers of preventative security is crucial. Applying cybersecurity fundamentals with the right tools goes a long way in securing infrastructure against cryptojacking.

Closing Thoughts

Given its profitability for hackers and relative ease of deployment, cryptojacking is likely here to stay as a go-to method for illicit cryptocurrency mining. From strategic state-sponsored campaigns to opportunistic individual cybercriminals, cryptojacking appeals to a wide range of attackers.

As cryptocurrency continues cementing itself in the mainstream, we must expect cryptojacking efforts to scale up and employ more sophisticated techniques. However, with proper precautions and threat sharing across the security community, we can work together to contain this emerging threat.

My key advice as a cloud security expert boils down to resilience – have backups, patches, monitoring, and redundancy in place so cryptojacking presents nothing more than a short-term nuisance. Combine that with collective threat intelligence leveraging industry resources, and we can frustrate the economic motivations of cryptojackers over the long run.

The next time your computer runs slowly or you see an unusually high electric bill, it may be worth scanning for cryptojacking malware. Stay vigilant out there! Cryptocurrency mining is best done transparently and legally.

Luis Masters

Written by Luis Masters

Luis Masters is a highly skilled expert in cybersecurity and data security. He possesses extensive experience and profound knowledge of the latest trends and technologies in these rapidly evolving fields. Masters is particularly renowned for his ability to develop robust security strategies and innovative solutions to protect against sophisticated cyber threats.

His expertise extends to areas such as risk management, network security, and the implementation of effective data protection measures. As a sought-after speaker and author, Masters regularly contributes valuable insights into the evolving landscape of digital security. His work plays a crucial role in helping organizations navigate the complex world of online threats and data privacy.