What Is Cryptojacking?

Updated on November 10, 2025

Cryptojacking is a cybercrime in which an attacker secretly exploits a victim’s computing resources to mine cryptocurrency without their knowledge or consent. This malicious activity is carried out by injecting malware onto a device or by running malicious code through a web browser. Cryptojacking’s primary impact is on the victim’s resources—it drains battery life, slows down system performance, and increases electricity costs. Unlike ransomware, which seeks a one-time payment, cryptojacking is a continuous, stealthy theft of computational power designed for long-term profit.

Definition and Core Concepts

Cryptojacking is the unauthorized, covert use of a victim’s computer or server resources to perform the complex mathematical operations required to mine cryptocurrencies, such as Monero or Bitcoin. The attacker’s goal is to leverage thousands of compromised devices to generate revenue with minimal cost, as the victims bear the expenses of the required electricity and processing power. Foundational concepts include:

  • Cryptocurrency Mining: The process of validating transactions and adding them to a public ledger, also known as a blockchain. This process typically requires massive amounts of computational power.
  • Payload: The malicious code that is secretly running on the victim’s device to perform the mining.
  • Stealth: A key characteristic of cryptojacking. The malware or code is designed to remain hidden and often throttles its activity to avoid detection by the user or security tools.
  • Monero (XMR): The cryptocurrency most commonly targeted by cryptojackers. Its design is more resistant to specialized mining hardware (ASICs) and can be efficiently mined using standard Central Processing Units (CPUs).

How It Works

Cryptojacking attacks generally fall into one of two categories, depending on how the malicious code is delivered.

Browser-Based Cryptojacking (Drive-by Mining)

In this method, the attacker embeds malicious JavaScript code into a legitimate website or an advertisement. When a user visits the compromised page, the code executes automatically, starting the mining process in the background of their browser tab. This method does not require malware installation but only runs while the browser tab is open. Attackers often use sophisticated scripts to remain active even if the tab is minimized.

Malware-Based Cryptojacking

Here, the attacker delivers a persistent piece of malware to the victim’s device, often disguised as a legitimate application or delivered via a phishing campaign. Once installed, the malware runs continuously in the background as a low-priority process, periodically checking in with the attacker’s command-and-control server. This method is more robust and lasts longer, as it does not rely on the user having a specific browser tab open.

Key Features and Components

Understanding the core components of a cryptojacking attack is essential for detection and mitigation. Key features include the following:

  • Resource Consumption: The primary indicator of cryptojacking is unusually high CPU and Graphics Processing Unit (GPU) usage. This leads to symptoms such as overheating, slow system performance, and rapid battery drain on mobile devices.
  • Command and Control (C2): The mining payload communicates with a centralized server to receive instructions and deposit the mined cryptocurrency. Disrupting this communication is a key defense strategy.
  • Detection Evasion: Many cryptojacking payloads include logic to temporarily suspend mining activity if they detect task managers or other monitoring tools being opened by the user. This makes on-demand manual inspection less effective.

Use Cases and Applications (Attacker Perspective)

Cryptojacking is a favored revenue model for cybercriminals due to its low-risk, high-reward nature. Attackers apply it in several contexts to maximize their profits.

Large-Scale Server Attacks

Attackers often target cloud servers and web application servers. These environments have massive computational power and run continuously, yielding high profits for the attacker.

Botnets

Attackers create vast botnets of compromised individual devices to pool processing power for mining. Each device contributes a small amount, but the collective power can be substantial.

Troubleshooting and Considerations (Defense)

Defending against cryptojacking requires a multi-layered approach that combines monitoring, prevention, and response. IT administrators should consider the following strategies:

  • Monitoring: Security teams should use tools to continuously monitor CPU and GPU utilization for sustained, unexplained spikes in resource consumption. Endpoint detection and response (EDR) solutions can help automate this process.
  • Browser Extensions: For browser-based attacks, using browser extensions, like anti-crypto-mining blockers, and maintaining up-to-date ad-blockers can prevent malicious JavaScript from running.
  • Patch Management: Keeping operating systems and web browsers patched eliminates vulnerabilities that malware-based cryptojackers often exploit for initial access.
  • Network Traffic Analysis: Monitoring outbound network traffic for connections to known mining pool domains is an effective method of detection. Egress filtering rules can block this communication.
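The Monitoring and Network Traffic Analysis items above can be combined into a single triage pass. The sketch below is an added example, not code from the original page. The host names, log format, thresholds, and pool suffixes are all constructed assumptions; a real deployment would load a maintained mining-pool feed and read EDR or resolver telemetry.

```python
from collections import defaultdict

# Constructed placeholder suffixes (reserved TLDs), not real mining pools.
POOL_SUFFIXES = {"pool.example", "xmr-mine.test"}
# Constructed CPU utilization samples (%), one reading per interval per host.
CPU_SAMPLES = {
    "web-01":   [92, 95, 91, 40, 93, 96, 94, 90],  # sustained, one brief dip
    "build-02": [15, 98, 97, 20, 18, 99, 12, 10],  # bursty, e.g. compile jobs
    "kiosk-03": [10, 12, 9, 11, 10, 13, 12, 10],   # low (throttled miner?)
}
# Constructed resolver log lines: "<timestamp> <host> <queried name>".
DNS_LOG = [
    "2025-11-10T09:00:01Z web-01 eu.pool.example",
    "2025-11-10T09:00:02Z build-02 notpool.example",
    "2025-11-10T09:00:05Z kiosk-03 gw.xmr-mine.test.",
    "2025-11-10T09:00:07Z web-01 www.example.org",
]

def is_pool_domain(qname, suffixes=POOL_SUFFIXES):
    """Match on DNS label boundaries so 'notpool.example' is not flagged."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))

def sustained_high_cpu(samples, threshold=80.0, window=6, min_hits=5):
    """True if some run of `window` samples has >= min_hits readings above
    threshold. Allowing a dip still catches payloads that pause briefly."""
    flags = [s >= threshold for s in samples]
    return any(sum(flags[i:i + window]) >= min_hits
               for i in range(max(len(flags) - window + 1, 0)))

def triage(cpu_by_host, dns_log):
    """Combine both signals into one verdict per host."""
    pool_hits = defaultdict(set)
    for line in dns_log:
        _ts, host, qname = line.split()
        if is_pool_domain(qname):
            pool_hits[host].add(qname)
    labels = {(True, True): "likely-cryptojacking", (True, False): "investigate-cpu",
              (False, True): "investigate-network", (False, False): "ok"}
    verdicts = {}
    for host in sorted(set(cpu_by_host) | set(pool_hits)):
        cpu = sustained_high_cpu(cpu_by_host.get(host, []))
        verdicts[host] = labels[(cpu, host in pool_hits)]
    return verdicts

if __name__ == "__main__":
    print(triage(CPU_SAMPLES, DNS_LOG))
```

The kiosk-03 case shows why the network signal matters: a payload that throttles itself stays under any CPU threshold but still has to resolve its pool.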

Key Terms Appendix

  • CPU: Central Processing Unit, the main processor of a computer.
  • GPU: Graphics Processing Unit, a specialized processor often used for cryptocurrency mining due to its efficiency at performing parallel calculations.
  • Monero (XMR): A privacy-focused cryptocurrency frequently targeted by cryptojackers because it is designed to be mined effectively with consumer-grade hardware.
  • JavaScript: A programming language commonly used for web-based attacks, including browser-based cryptojacking.
  • Botnet: A network of private computers infected with malicious software and controlled as a group without the owners’ knowledge.
