Your devices could be mining cryptocurrency without your knowledge. Right now.
It’s called cryptojacking, and many cybercriminals have turned to this insidious practice because of the rising popularity of cryptocurrencies and the lure of profit from crypto mining.
What is cryptojacking?
Cryptojacking is the illegal process of stealing a device’s computational power to mine cryptocurrencies without the user’s knowledge or permission.
Today, we have more than 20,000 cryptocurrencies in the world, valued at more than a trillion dollars. Mining these cryptocurrencies is a money-minting process. It offers lucrative returns, but it’s no easy task. It requires hardware, uninterrupted electricity, and huge computational power.
One way cybercriminals sidestep these costs is cryptojacking. They reap the reward, but you pay the bill without even realizing it.
To defend against cryptojacking, you have to strengthen your cybersecurity program. You should use software like antivirus protection, runtime application self-protection (RASP) software, and web application firewall (WAF) solutions. But to build robust security defenses, it’s crucial to understand cryptojacking in detail.
And that’s what we’ll try to help you do with this article. We’ll explore the dark world of cryptojacking and take a closer look at how it works. We’ll also learn how to detect cryptojacking attempts and what you can do to protect your devices from falling prey to this sneaky and costly cybercrime.
How does cryptojacking work?
Before we dive deep into cryptojacking, let’s start with the basics of cryptocurrencies and crypto mining. This is important for understanding how cryptojacking works.
Cryptocurrency and crypto mining: a primer
In 2009, one mysterious developer named Satoshi Nakamoto mined Bitcoin, the first-ever digital currency. Fast forward a decade, and the cryptocurrency market is booming.
Definition of cryptocurrency: Cryptocurrency, sometimes called crypto-currency or crypto coins, is digital money built on blockchain technology and secured by cryptography. It is decentralized, meaning no central authority or banks regulate it. However, all transactions are encrypted, stored, and recorded in a public database through blockchain technology.
Nowadays, we have cryptos like Ethereum, Tether, Solana, BNB, XRP, and even Dogecoin, apart from the much sought-after Bitcoin. Crypto enthusiasts consider crypto coins extremely valuable, resulting in soaring cryptocurrency prices since the early Bitcoin days. Such high prices made crypto mining, the way to earn cryptocurrencies, extremely lucrative.
Definition of crypto mining: Crypto mining or cryptocurrency mining is the process of creating new digital coins by verifying and adding blocks to an existing blockchain. Here, verifying and adding blocks involve solving complex cryptographic hash equations. The first miner to crack the puzzle gets mining rewards like newly created cryptocurrencies or transaction fees.
This process of guessing a valid hash requires computational power. The more profitable a cryptocurrency is, the harder the hash puzzle is, and the more computational power it takes.
Today, crypto miners employ crypto mining software and powerful computer chips like field-programmable gate arrays (FPGAs) or specialized application-specific integrated circuits (ASICs) to mine cryptos. Some other miners bundle their computing resources in mining pools and share the earned revenue for the newly mined block.
The anatomy of cryptojacking
Now, cryptojacking is an illegal way of crypto mining. Hackers don’t employ any of their own resources. Instead, they steal the computing power of an unsuspecting user by deploying cryptojacking malware onto the victim’s platform.
Hackers deliver this malicious code in different ways, such as embedding it in web pages and online ads that users might unknowingly click, or installing it on the victim’s computer through social engineering techniques.
- Once the crypto-malware is installed and activated in a device, it directly connects to a mining pool via the internet or an application programming interface (API).
- The device receives a hash puzzle task to solve.
- Once the hash value is calculated, it gets sent back to the mining pool.
- As the new block gets added to the blockchain, the attacker gets the rewards without spending any energy or resources.
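The pool-and-device exchange listed above, reduced to a toy proof-of-work round so the CPU cost becomes visible. This is an added example, not code from the original article; the `ToyPool` class, the header prefix and the difficulty values are constructed for illustration and do not model any real pool protocol.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used by Bitcoin-style proof of work."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # Read the digest as a 256-bit integer; the puzzle is solved when it falls
    # below 2**(256 - difficulty_bits), i.e. it starts with difficulty_bits zero bits.
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


class ToyPool:
    """Stand-in for a mining pool (constructed for this example): hands out a job
    (header prefix + difficulty) and verifies the share a device sends back."""

    def __init__(self, header_prefix: bytes, difficulty_bits: int) -> None:
        self.header_prefix = header_prefix
        self.difficulty_bits = difficulty_bits

    def get_job(self):
        return self.header_prefix, self.difficulty_bits

    def submit_share(self, nonce: int) -> bool:
        digest = sha256d(self.header_prefix + struct.pack("<I", nonce))
        return meets_target(digest, self.difficulty_bits)


def solve_job(header_prefix: bytes, difficulty_bits: int):
    """The work pushed onto a hijacked device: try nonces until one meets the
    target. Returns (winning_nonce, hashes_computed)."""
    for nonce in range(2**32):
        if meets_target(sha256d(header_prefix + struct.pack("<I", nonce)), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


def mining_round(difficulty_bits: int) -> dict:
    """Run one pool/device exchange end to end and report what it cost."""
    pool = ToyPool(b"constructed-block-header-", difficulty_bits)
    prefix, bits = pool.get_job()            # 1. device receives a hash puzzle
    nonce, hashes = solve_job(prefix, bits)   # 2. device burns CPU on it
    accepted = pool.submit_share(nonce)       # 3. the result goes back to the pool
    return {"difficulty_bits": bits, "nonce": nonce, "hashes": hashes, "accepted": accepted}


if __name__ == "__main__":
    # Each extra 4 bits of difficulty multiplies the expected hash count by 16.
    for bits in (8, 12, 16):
        r = mining_round(bits)
        print(f"{bits:2d} zero bits -> {r['hashes']:7d} hashes, share accepted={r['accepted']}")
```

The hash count grows exponentially with difficulty while the reward goes to whoever runs the pool, which is exactly why an attacker prefers to spend someone else's CPU.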
Targets of cryptojacking attacks
Hackers like to target these devices for cryptojacking attacks:
- Personal computers, laptops
- On-premise servers
- Cloud servers
- Internet of Things (IoT) devices, often herded into botnets
- Mobile phones
Types of cryptojacking attacks
Three major types of cryptojacking occur: in-browser cryptojacking, in-host cryptojacking, and in-memory cryptojacking. Let’s look at all three.
In-browser cryptojacking
An average computer might be unable to mine cryptocurrencies profitably on its own. But thousands of average computers connected through the internet could do the job easily. Browser-based or in-browser crypto mining tries to do just that: it uses a website visitor’s computer to mine cryptocurrency while they browse.
Here, hackers use ready-to-mine scripts from service providers like Coinhive or CryptoLoot, and inject the code into a website’s HTML source code.
As long as the victim remains on the page, the mining continues. In-browser cryptojacking becomes profitable when a user remains on a website longer than 5.53 minutes. As a result, it’s widely found on free movie-streaming and gaming websites.
Source: SoK: Cryptojacking Malware – arXiv
Browser-based cryptojacking saw a massive decline when Coinhive, a major crypto mining script provider, shut down during the crypto market downturn in 2019. However, researchers keep finding new crypto mining scripts and websites that use them, intentionally or unintentionally.
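A defender-side check for the in-browser technique described above: a scanner that pulls every script reference out of a page and flags loaders from known mining-script providers or inline code that starts a miner. This is an added example, not code from the article or from any anti-miner product; the domain watch-list, the inline indicator patterns and the sample page are constructed for illustration (a real deployment would use a maintained blocklist).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch-list and indicators, constructed for this example.
MINER_DOMAINS = {"coinhive.com", "crypto-loot.com", "example-miner.test"}
INLINE_INDICATORS = [
    re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),   # Coinhive's loader API
    re.compile(r"stratum\+tcp://", re.I),                   # pool URL scheme used by miners
    re.compile(r"\b(startMining|hashesPerSecond)\b", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> URL and every inline <script> body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html: str) -> list:
    """Return (kind, detail) findings: external loaders from miner domains and
    inline scripts matching a miner indicator."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        # Normalise protocol-relative and absolute URLs; relative paths have no host.
        host = (urlparse(src if "//" in src else "//" + src).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in MINER_DOMAINS):
            findings.append(("external", src))
    for body in p.inline:
        for rx in INLINE_INDICATORS:
            if rx.search(body):
                findings.append(("inline", rx.pattern))
                break
    return findings


# Constructed page: one miner loader, one inline miner start, two benign scripts.
SAMPLE_PAGE = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
               '<script src="/static/app.js"></script>'
               "<script>var m = new CoinHive.Anonymous('SITEKEY'); m.start();</script>"
               "<script>console.log('hello');</script>")
```

Running `scan_html` over a site's own pages catches the injected-script case the article describes, including the situation where the site owner never added the script themselves.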
In-host cryptojacking
In this type of cryptojacking, hackers install crypto malware much like a traditional Trojan horse. For example, the attachment of a phishing email can infect a computer by writing crypto mining code directly to disk.
Apart from crypto mining scripts, attackers also repurpose off-the-shelf mining applications like XMRig to mine cryptos illegally.
Hackers deliver the malware to the host by exploiting vulnerabilities, through social engineering, or as the payload of an unintended download (the drive-by-download technique).
Source: SoK: Cryptojacking Malware – arXiv
For instance, hackers recently disguised their crypto mining malware as a desktop version of the Google Translate app. It was downloaded by thousands of users searching for Google Translate for their personal computers (PCs). However, once installed, it put in place a sophisticated setup to mine Monero cryptocurrency without the user’s knowledge.
In-memory cryptojacking
In-memory cryptojacking uses the same infection methods as host-based cryptojacking. However, the malware is fileless: it runs entirely from random access memory (RAM) and misuses legitimate local applications or preinstalled tools.
As a result, the cryptojacking script leaves no files on disk, making it difficult to detect and remove. Once attackers are inside a system with fileless malware, they use that access to escalate their privileges in the victim’s network and gain a large pool of the victim’s central processing unit (CPU) resources to mine cryptos illicitly.
Since attackers gain command and control with this method, a fileless cryptojacking infection can be turned into a ransomware attack, too.
Mehcrypt, for instance, is fileless cryptojacking malware. It abuses several legitimate applications, like notepad.exe and explorer.exe, to carry out its cryptojacking routine.
History and evolution of cryptojacking
From the early days, cryptocurrency miners looked for novel ways to obtain additional computational power and lighten their own load. One of those ways was browser-based crypto mining.
When it was first introduced in 2011, browser-based crypto mining was promoted as an alternative to in-browser advertising. And why wouldn’t people like it? Instead of seeing intrusive ads on websites, you get a clean browsing experience in return for lending your computer to crypto miners. Simple, straightforward – sounds legal, right?
That’s what lots of other people thought in the beginning. A number of crypto enthusiasts and website owners used in-browser mining by adding mining scripts to their websites. However, browser-based mining was soon abused by hackers and cybercriminals. It became particularly notorious after the launch of Coinhive in 2017.
Coinhive and the rise of cryptojacking
Coinhive offered an easy, scalable, low-effort way to roll out crypto mining to a large user population without additional investment, and that made it disruptive. A large number of crypto enthusiasts readily adopted its code.
However, while Coinhive’s business model was touted as legal, soon enough, its code was abused. Some website owners hijacked users’ processing power without their permission to mine XMR using the Coinhive script.
Aside from website owners, malicious actors hacked and embedded the crypto mining code on high-traffic websites. They also installed the script on browser extensions like Archive Poster and website plugins like Browsealoud.
Through these methods, Coinhive’s code found its way illegally onto popular websites of companies like Showtime, The Los Angeles Times, Blackberry, and Politifact. They ran in-browser crypto mining without permission and sometimes without the website owner’s knowledge, effectively hijacking the site and the user’s computer resources. Even websites of the US, UK, and Indian governments were found to be affected by these cryptojacking attacks.
It should be noted that mining cryptocurrencies with the computing power of others is not considered illegal when a clear notification of activities is shown and the possibility of opting out exists for users. However, most in-browser crypto mining lacks these and is therefore considered illegal.
The rising instances of illicit crypto mining from 2017 brought cryptojacking to mainstream attention. Cybercriminals not only used illegal browser-based crypto mining but also employed malware and other methods for illegal crypto mining.
Recent cryptojacking attack examples:
- Kiss-a-dog was a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructures to mine Monero using XMRig.
- Mexals, who call themselves Diicot, launched a cryptojacking campaign through a secure shell (SSH) brute-force attack and mined over $10,000 worth of Monero coins.
- ProxyShellMiner is a crypto mining malware that exploits the unpatched vulnerabilities in Microsoft Exchange servers.
- 8220 Gang, a cybersecurity threat actor, scans the internet for vulnerable cloud users and absorbs them into its cloud botnet, and then distributes cryptocurrency mining malware.
- Headcrab, a cryptojacking malware, has infected over 1,000 Redis servers to build a botnet that mines Monero.
Why do some crypto miners cryptojack?
Consider this. In 2009, a PC with an Intel Core i7 processor could mine around 50 bitcoins daily. But today, we need specialized mining rigs like ASIC systems to mine cryptos like Bitcoin.
Further, many cryptocurrencies also have limits on how many coins can be mined and the reward that miners get. Add to this mixture soaring energy prices. A single bitcoin requires 811.90 kilowatt-hours, equivalent to the average amount of energy consumed by an American household in 28 days. All this makes crypto mining a costly affair. Today, mining Bitcoin at home is not even an option.
Callout: average Bitcoin mining cost as of May 2023.
In such a situation, turning a profit from crypto mining with legitimate resources could be difficult. As a result, hackers try to offload the cost to others by hijacking a victim’s system.
Why should you care about cryptojacking?
Forewarned is forearmed. It’s better to know the dangers of cryptojacking and be prepared than fumble when you face an actual attack.
Unlike many other cybersecurity threats that announce their presence, cryptojacking succeeds in complete silence.
“Cryptojacking significantly deteriorates your device’s performance, shortens its lifespan, and increases its energy consumption. Even worse, the malware that enables it could act as a doorway to even more sophisticated cyber attacks.”
Cybersecurity Research Analyst, G2
What’s more concerning is that attackers today target devices with more processing power rather than personal devices. Examples include enterprise cloud infrastructure, servers, large numbers of inadequately protected IoT devices, and Docker and Kubernetes containers. With this, the attackers aim to obtain more profit in less time.
For enterprises, this has wide-ranging implications. For every dollar made from cryptojacking, the victim gets billed $53. The risk doesn’t stop with inflated bills. Once inside the enterprise infrastructure, the attackers can leverage their access at any time to carry out other dangerous cyber attacks like ransomware and supply chain attacks.
How to detect cryptojacking attacks
Cryptojacking attacks are often hidden but not undetectable. Try some of these methods to detect cryptojacking attacks.
How to detect cryptojacking attacks in devices
If you notice the following signs on your PC or mobile device, your device may have been cryptojacked.
Cryptojacking causes your device to significantly slow down or crash very often. If you start noticing any unusually poor device performance, scan your system using antivirus software to see if you find any cryptojacking malware.
Another telltale sign of cryptojacking is overheating. Because cryptojacking consumes so much processing power, it easily overheats a system and drains the battery. You might notice the fans in your system running faster than usual to cool the device. Or your mobile phone battery might perform poorly and drain rapidly because of the heat.
Another noticeable symptom is high CPU usage. Operating systems track the CPU usage of every running process. If you notice a spike in CPU usage while doing a small task or browsing an innocuous website, it may be because of cryptojacking.
A quick cryptojacking test for your device!
To check CPU usage:
- In Windows, open Task Manager > Performance > CPU.
- On a Mac, go to Applications > Activity Monitor.
You should also check if there’s an application that has increased internet traffic more than normal, which could indicate in-browser mining. To check this:
- In Windows, go to Settings > Network & Internet > Data Usage > View usage per app.
- For Apple users, go to the Activity Monitor > Network > Sent Bytes.
Note that criminals have come up with sophisticated evasion techniques to hide spikes in CPU usage or internet traffic.
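The Task Manager and Activity Monitor checks above spot a spike; the evasion noted in the last sentence is a miner that throttles itself to a steady, unremarkable load. The classifier below, an added example that is not from the article, looks for both shapes in a series of CPU-utilisation samples. The thresholds and the three sample series are assumptions constructed for illustration; tune them to a device's real baseline.

```python
from statistics import mean, pstdev

# Assumed thresholds (constructed for this example).
HIGH_CPU_PCT = 80.0                     # what "pegged" looks like
HIGH_SHARE = 0.9                        # share of a window that must be pegged
PLATEAU_MIN, PLATEAU_MAX = 25.0, 75.0   # throttled miners often sit in a fixed band...
PLATEAU_STDEV = 3.0                     # ...with far less variance than real user activity


def classify_window(samples: list, user_idle: bool) -> str:
    """Classify one window of CPU-utilisation samples (percent, e.g. one per 10 s).

    Returns 'sustained-high', 'steady-plateau' (the throttled-miner shape a naive
    'look for a spike' check misses), or 'normal'. Heavy load while the user is
    actively working is treated as normal; only idle-time load is suspicious.
    """
    if not samples:
        return "normal"
    pegged = sum(1 for s in samples if s >= HIGH_CPU_PCT) / len(samples)
    if user_idle and pegged >= HIGH_SHARE:
        return "sustained-high"
    avg, spread = mean(samples), pstdev(samples)
    if user_idle and PLATEAU_MIN <= avg <= PLATEAU_MAX and spread <= PLATEAU_STDEV:
        return "steady-plateau"
    return "normal"


def scan_series(samples: list, user_idle: bool, window: int = 30) -> list:
    """Slide a fixed window over a longer series and report every non-normal window
    as (start_index, verdict)."""
    alerts = []
    for start in range(0, max(len(samples) - window + 1, 1), window):
        verdict = classify_window(samples[start:start + window], user_idle)
        if verdict != "normal":
            alerts.append((start, verdict))
    return alerts


# Constructed series, 30 samples each: an idle desktop, a throttled miner, a pegged miner.
IDLE_DESKTOP = [2, 3, 1, 4, 2, 6, 3, 2, 1, 2] * 3
THROTTLED_MINER = [48, 49, 50, 50, 51, 49, 50, 48, 50, 49] * 3
PEGGED_MINER = [97, 99, 100, 98, 99, 100, 97, 100, 99, 98] * 3
```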
How to detect cryptojacking attacks in a cloud environment
Detecting cryptojacking can be difficult when companies have limited visibility into their cloud usage. However, businesses can work around this.
Audit cloud access controls
Most cloud attacks originate from misconfigurations, so audit your access controls. Any insecure or misconfigured entry point into your cloud environment can then be investigated for malicious activity such as illicit crypto mining.
Analyze cloud network logs
Network logs keep track of traffic to and from your cloud and show you the current state of the network and who’s connecting from where. Analyze these records. You’ll recognize any irregular network behavior or a sudden spike in traffic. This could be a sign of an illicit crypto miner running on your cloud environment.
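Two checks over flow records that make the advice above concrete, as an added example that is not from the article: the per-host traffic spike the text mentions, plus the fan-in pattern a shared mining pool leaves behind (many internal hosts holding long-lived, low-volume connections to one external endpoint on a port the workload does not normally use). The record layout, the sample flows, the internal range and every threshold are assumptions constructed for illustration; adapt the parser to your provider's flow-log format.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed records in a flow-log-like layout: src dst dst_port bytes_out duration_s
SAMPLE_FLOWS = """\
10.0.1.10 203.0.113.5 443 52000 12
10.0.1.11 203.0.113.5 443 48000 9
10.0.1.14 203.0.113.9 80 8000 4
10.0.1.10 198.51.100.20 3333 2400 3500
10.0.1.11 198.51.100.20 3333 2300 3480
10.0.1.12 198.51.100.20 3333 2500 3600
10.0.1.13 198.51.100.20 3333 2200 3590
10.0.1.15 203.0.113.77 443 900000000 600
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the workload's private range
EXPECTED_PORTS = {80, 443}           # assumption: ports this workload legitimately uses
MIN_FANIN_HOSTS = 3                  # assumption: hosts sharing one endpoint before it is odd
MIN_DURATION_S = 1800                # assumption: "long-lived" means over 30 minutes
BASELINE_BYTES = 60000               # assumption: typical per-flow egress for these hosts
SPIKE_FACTOR = 100                   # assumption: flag flows at 100x baseline or more


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        src, dst, port, nbytes, dur = line.split()
        flows.append((src, dst, int(port), int(nbytes), int(dur)))
    return flows


def egress_only(flows: list) -> list:
    """Keep flows from an internal host to an external address."""
    return [f for f in flows
            if ip_address(f[0]) in INTERNAL and ip_address(f[1]) not in INTERNAL]


def pool_like_endpoints(flows: list) -> list:
    """External endpoints on unexpected ports that several internal hosts keep
    long-lived connections to, the shape a shared mining pool leaves in logs."""
    by_ep = defaultdict(lambda: {"hosts": set(), "durations": []})
    for src, dst, port, _nbytes, dur in egress_only(flows):
        by_ep[(dst, port)]["hosts"].add(src)
        by_ep[(dst, port)]["durations"].append(dur)
    return sorted(
        f"{dst}:{port}" for (dst, port), rec in by_ep.items()
        if port not in EXPECTED_PORTS
        and len(rec["hosts"]) >= MIN_FANIN_HOSTS
        and median(rec["durations"]) >= MIN_DURATION_S
    )


def egress_spikes(flows: list) -> list:
    """The simpler check the text describes: a sudden jump in traffic from one host."""
    return sorted(src for src, _, _, nbytes, _ in egress_only(flows)
                  if nbytes >= BASELINE_BYTES * SPIKE_FACTOR)
```

Note that the miner flows in the sample move very few bytes; a volume-only alert would miss them, which is why the fan-in and duration check is worth running alongside the spike check.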
Monitor cloud spend
Inflated cloud bills are signs of either legitimately increased usage of cloud resources from your end or someone stealing your cloud resources for their profit. If you don’t have any cloud mismanagement on your end, investigate any spike in cloud bills to see if it’s related to cryptojacking.
To be clear, all these methods tell you if your cloud has been compromised in any way. Further analysis of any malicious activity should be done to find out if the compromise is due to illegal crypto miners or any other cyber attack.
Tips for protecting your device against cryptojacking attacks
Prevention is better than cure, so use these practical tips to safeguard your systems against cryptojacking attacks.
- Use a strong antivirus program to detect any malicious activity or malware.
- Employ anti-crypto mining extensions like MinerBlock and Anti-Miner to prevent browser-based crypto mining.
- Install ad blockers to block unwanted pop-up ads and banner ads on websites. Crypto mining malware is often embedded in ads.
- Update your system and install all the latest software to patch vulnerabilities.
For enterprises, preventing cryptojacking attacks goes beyond covering these basic steps. Adopt the following security practices to protect your IT assets against any illicit crypto mining.
- Install firmware updates and patches: Update your system software as soon as the vendor releases a fix.
- Have a robust identity and access management (IAM) policy: An effective IAM protects against any unauthorized access to your system, on-premise or on the cloud. Deploy IAM software to allow access only to authorized users and manage their level of clearance.
- Secure your endpoints: End-user devices like laptops, workstations, servers, and mobile phones serve as points of access to your corporate network. Protect them using robust endpoint security software to stop malicious software from infecting the devices. You can even use mobile data security solutions that secure access to your enterprise’s network via mobile devices.
- Monitor your network: Carefully analyze all your network logs in real time and look for any malicious activity. Rely on tools like WAF and security information and event management (SIEM) software to get direct visibility into your network and endpoint to detect any abnormal behavior or unauthorized usage. Leverage RASP tools to detect and prevent attacks in real time in your application runtime environment.
- Deploy cloud security solutions: You can use additional cloud security solutions like cloud access security broker (CASB) software for cloud access control and cloud security posture management (CSPM) software to look for any cloud misconfigurations.
- Train your employees: Adopt cybersecurity training programs for your employees and keep them aware of social engineering attacks like phishing.
- Adopt a zero-trust model: Trust no one. Verify everything. A zero-trust approach to security means you explicitly verify anyone or anything that seeks access to your IT assets. This goes a long way in protecting your systems against any cyber threat.
Block the illegal block
Cryptojacking attacks are becoming more prevalent and difficult to detect even as crypto prices fluctuate. Hackers are getting more sophisticated with their infection and evasion techniques, but prevention is the key. Implement the security practices shared here and stay one step ahead of crypto thieves.
Want to level up your system security? Explore threat intelligence software to keep your security team updated on emerging malware, zero-day vulnerabilities, and exploits.