Cryptojacking
from Wikipedia

Cryptojacking is the act of exploiting a computer to mine cryptocurrencies, often through websites,[1][2][3] against the user's will or while the user is unaware.[4] One notable piece of software used for cryptojacking was Coinhive, which was used in over two-thirds of cryptojacks before its March 2019 shutdown.[5] The cryptocurrencies mined the most often are privacy coins—coins with hidden transaction histories—such as Monero and Zcash.[2][6]

Like most malicious attacks on the computing public, the motive is profit, but unlike other threats, it is designed to remain completely hidden from the user. Cryptojacking malware can lead to slowdowns and crashes due to straining of computational resources.[7]

Bitcoin mining by personal computers infected with malware is being challenged by dedicated hardware, such as FPGA and ASIC platforms, which are more efficient in terms of power consumption and thus may have lower costs than theft of computing resources.[8]

Notable events

In June 2011, Symantec warned about the possibility that botnets could mine covertly for bitcoins.[9] Malware used the parallel processing capabilities of GPUs built into many modern video cards.[10] Although the average PC with an integrated graphics processor is virtually useless for bitcoin mining, tens of thousands of PCs laden with mining malware could produce some results.[11]

In mid-August 2011, bitcoin mining botnets were detected,[12][13][14] and less than three months later, bitcoin mining trojans had infected Mac OS X.[15]

In April 2013, electronic sports organization E-Sports Entertainment was accused of hijacking 14,000 computers to mine bitcoins; the company later settled the case with the State of New Jersey.[16]

German police arrested two people in December 2013 who customized existing botnet software to perform bitcoin mining, which police said had been used to mine at least $950,000 worth of bitcoins.[17]

For four days in December 2013 and January 2014, Yahoo! Europe hosted an ad containing bitcoin mining malware that infected an estimated two million computers using a Java vulnerability.[18][19]

Another piece of software, Sefnit, was first detected in mid-2013 and has been bundled with many software packages. Microsoft has been removing the malware through its Microsoft Security Essentials and other security software.[20]

Several reports of employees or students using university or research computers to mine bitcoins have been published.[21] On February 20, 2014, a member of the Harvard community was stripped of his or her access to the university's research computing facilities after setting up a Dogecoin mining operation using a Harvard research network, according to an internal email circulated by Faculty of Arts and Sciences Research Computing officials.[22]

Ars Technica reported in January 2018 that YouTube advertisements contained JavaScript code that mined the cryptocurrency Monero.[23]

In 2021, multiple zero-day vulnerabilities were found on Microsoft Exchange servers, allowing remote code execution. These vulnerabilities were exploited to mine cryptocurrency.[24]

Detection

Traditional countermeasures against cryptojacking are host-based and not suitable for corporate networks. A potential solution is a network-based approach called Crypto-Aegis, which uses machine learning to detect cryptocurrency activities in network traffic, even when encrypted or mixed with non-malicious data.[25]

from Grokipedia
Cryptojacking is a form of in which malicious actors secretly exploit a victim's resources—such as CPU, GPU, or —to mine cryptocurrencies like or without the owner's knowledge or consent. This illicit activity often occurs through infections, browser-based scripts embedded in websites or advertisements, or vulnerabilities in software and networks, allowing attackers to generate profits at the expense of the victim's device performance and electricity costs.

The phenomenon emerged in the early 2010s alongside the rise of cryptocurrencies, with initial instances reported around 2013 through embedded in video games and applications, but it surged in popularity after due to the introduction of accessible in-browser mining tools like Coinhive, which enabled non-technical attackers to hijack resources via on compromised websites.

Common techniques include browser-based cryptojacking, where scripts run temporarily while users visit infected sites (often without installation), and host-based , which installs persistent miners through , exploited vulnerabilities (e.g., in routers or servers), or bundled software in legitimate apps like YouTube video loaders or Zoom installers. Attackers frequently target high-value resources, such as cloud servers (e.g., the TeamTNT compromising tens of thousands of instances across campaigns) or IoT devices including routers and smart home gadgets. These devices are particularly attractive due to their weak default security, always-on connectivity, and suitability for CPU-based mining of privacy-focused cryptocurrencies like Monero without owner knowledge. Security experts anticipate that future cryptojacking attacks will continue to target and increasingly focus on these devices as IoT deployments expand. The technique has evolved post-2019 to use for efficiency and evasion after Coinhive's shutdown.

Impacts of cryptojacking are multifaceted, causing immediate device slowdowns, overheating, and crashes from resource monopolization, as well as long-term financial burdens from elevated energy bills and potential hardware damage. On a broader scale, it has affected , including a 2018 incident where U.S. Department of Defense systems were used to mine 35.4 units of , and it contributes to the broader environmental strain from , which consumes electricity comparable to that of some small nations. Incidents have proliferated, with a 450% global increase reported in 2019, a fourfold rise in and the U.S. by 2023, and continued growth into 2025—including a 60% rise in evaded attacks in 2024 and over $2.17 billion in illicit -related crimes by mid-2025—underscoring its persistence as a stealthy threat targeting cloud, AI, and IoT infrastructure despite detection advancements like machine learning-based monitoring.

Overview

Definition

Cryptojacking refers to the unauthorized use of an individual's or organization's computing resources to mine cryptocurrencies without their knowledge or consent. This cybercrime involves hackers deploying malicious software or scripts that hijack the processing power of devices such as computers, smartphones, servers, and cloud infrastructure to perform cryptocurrency mining operations, generating profit for the attackers while remaining undetected by the victims.

The primary cryptocurrencies targeted in cryptojacking attacks are privacy-focused ones like (XMR), which is well-suited for mining on standard CPU and GPU hardware due to its ASIC-resistant RandomX algorithm. (ZEC) uses Equihash, which was designed to be ASIC-resistant but has seen the development of ASICs since 2018, allowing mining on GPUs though less efficiently without specialized equipment. These features, along with their advanced privacy mechanisms—such as ring signatures and stealth addresses in or zk-SNARKs in —obscure transaction trails, allowing attackers to launder profits more effectively and evade detection by authorities.

Key characteristics of cryptojacking include its covert nature, where processes run in the background to avoid alerting users through noticeable slowdowns or high resource usage, often achieved via browser-based scripts on compromised websites or infections. Unlike legitimate , which involves explicit user consent, controlled environments, and reward distribution to participants, cryptojacking deprives victims of any benefits while imposing costs like increased electricity bills and hardware wear without compensation or awareness.

As a subtype of broader , cryptojacking exemplifies resource hijacking attacks, distinct from data theft or by focusing on sustained exploitation of computational power rather than direct or information exfiltration, though it may serve as an for more severe threats.

History

The origins of cryptojacking trace back to the early proliferation of in 2011, when security researchers first identified designed to exploit infected personal computers for cryptocurrency mining. In June 2011, Symantec reported the discovery of the first Bitcoin-specific , which primarily stole wallet credentials but highlighted the potential for botnets to covertly mine using victims' hardware resources, marking an early precursor to modern cryptojacking tactics. This warning came amid Bitcoin's nascent growth, though actual large-scale mining botnets, such as those leveraging GPU capabilities, began appearing later that year, demonstrating the feasibility of unauthorized computational hijacking.

Cryptojacking gained significant traction following the 2017 cryptocurrency boom, particularly with the launch of browser-based mining services that democratized attacks. In September 2017, Coinhive introduced a allowing website owners to embed mining scripts directly in browsers, enabling in-browser cryptojacking without traditional installation; this service quickly became dominant, powering over two-thirds of detected attacks by facilitating easy integration for both legitimate and malicious use cases. The surge aligned with skyrocketing values, leading to a dramatic increase in incidents as attackers capitalized on the economic incentives.

By the late , cryptojacking evolved from targeting individual devices to exploiting cloud infrastructure, driven by the and resources of misconfigured servers. Reports from 2018 onward documented a shift, with attackers compromising cloud environments like AWS and Azure to deploy persistent mining operations, as evidenced by a 450% rise in overall cryptojacking events that year.

Coinhive's shutdown in March 2019, prompted by unprofitability and widespread abuse, led to a temporary decline, but alternatives such as Crypto-Loot and WebMiner rapidly filled the void, sustaining browser-based attacks through similar mechanisms. Despite this, overall threats persisted and intensified; recorded 332.3 million cryptojacking attempts in the first half of 2023 alone—a 399% year-over-year increase—escalating to 1.06 billion for the full year with an average of approximately 2.9 million daily incidents, representing a 659% rise over 2022.

Into 2024 and 2025, cryptojacking attacks have continued to grow, with cloud-based incidents projected to increase by about 20% annually through 2025. Attacks on IoT devices, routers, and smart home gadgets are also ongoing and increasing, with experts predicting persistence or growth as IoT deployment expands. These devices are attractive targets due to weak default security, always-on connectivity, and their suitability for mining privacy-focused cryptocurrencies like Monero using CPU resources without the owner's knowledge.

Mechanisms and Types

How Cryptojacking Works

Cryptojacking begins with infection vectors that allow attackers to gain unauthorized access to victims' devices or systems. Common methods include drive-by downloads from compromised websites, where malicious scripts are injected into legitimate pages, and malicious browser extensions that users install unknowingly. Attackers also exploit attachments containing trojans or leverage software vulnerabilities, such as unpatched plugins like those in systems, to deliver payloads.

Once infected, attackers execute cryptojacking through two primary methods: browser-based scripts or standalone . In browser-based attacks, or miners are embedded in web pages, running directly in the victim's browser to perform tasks without installing files. For more persistent infections, such as trojans deploys dedicated software, exemplified by XMRig, which targets and operates as a high-performance client. These methods hijack computational resources by utilizing CPU and GPU cycles to solve proof-of-work puzzles, such as Monero's RandomX algorithm, which is designed for CPU efficiency and resistance to specialized hardware. The miners connect to remote mining pools over encrypted channels, like or , to submit work and receive rewards while evading network firewalls.

To maintain operations without alerting users, cryptojackers employ techniques that ensure long-term resource exploitation. Background processes are configured to mining intensity—reducing CPU usage to around 80% during high user activity—to mimic normal system behavior and avoid noticeable slowdowns. Code obfuscation, such as encoding or binary packing, hides the malicious payloads from antivirus scanners, while techniques like process injection or masquerading as legitimate system services further aid evasion.

Profits are extracted by directing the output of mining computations to attacker-controlled cryptocurrency wallets, often through centralized pools that aggregate hashrates from multiple infected devices for proportional reward distribution. Although individual devices yield low returns due to limited processing power, attackers scale operations via botnets comprising thousands of compromised systems, amplifying overall profitability; for instance, privacy-focused coins like facilitate anonymous transfers to evade tracing.

Types of Cryptojacking

Cryptojacking attacks vary based on their delivery mechanisms and targeted environments, allowing attackers to exploit different levels of access and resource availability. These variants include browser-based, malware-based, cloud-based, mobile-specific, and hybrid forms, each presenting unique operational challenges for detection and impact.

Browser-based cryptojacking, also known as in-browser or drive-by , involves injecting malicious code into legitimate websites, online advertisements, or browser extensions. This script executes automatically when a user visits the compromised site, hijacking the device's CPU or GPU resources to mine such as while the page remains open, without requiring any software installation or persistent infection on the victim's device. The mining ceases once the browser tab is closed, making it transient but scalable through widespread ; for instance, attackers may compromise high-traffic sites via vulnerabilities in plugins or systems, as seen in a July 2025 campaign affecting over 3,500 websites. This method prioritizes stealth over longevity, as it avoids antivirus detection by operating solely in memory.

Malware-based cryptojacking relies on full device compromise through trojans, ransomware hybrids, or other malicious payloads delivered via phishing emails, drive-by downloads, or infected software. Recent variants as of November 2025 include email-delivered malware that performs covert resource theft for mining upon infection. Once installed, the malware establishes persistent access, running mining software in the background on endpoints such as personal computers or servers to continuously extract computational resources for cryptocurrency generation. Unlike browser variants, this approach yields higher long-term profits due to uninterrupted operation but increases risks of detection through elevated system resource usage, heat generation, and performance degradation. Targets often include individual users or small networks, with the malware configured to evade scans by mimicking legitimate processes.

Cloud-based cryptojacking exploits virtual machines, containers, or servers in cloud platforms like AWS, Azure, or clusters, typically using stolen credentials obtained through or supply chain compromises. Attackers create or hijack instances with powerful hardware, such as GPU-enabled VMs, to run operations that connect to pools like Nanopool, generating significantly higher yields than consumer devices due to scalable, high-performance resources. This variant often involves and lateral movement within the cloud environment, leading to unexpected billing spikes for organizations; for example, reported incidents causing over $300,000 in compute fees from such abuse. It differs from endpoint attacks by leveraging shared infrastructure, where detection is complicated by legitimate multi-tenant usage patterns.

Mobile cryptojacking targets smartphones and tablets, primarily Android and devices, by embedding hidden mining code within malicious apps, fake utilities, or software development kits (SDKs) integrated into legitimate applications available on app stores. These miners operate in the background, utilizing the device's processor to mine cryptocurrencies, which can rapidly drain batteries and cause overheating; for example, in a 2018 Kaspersky test on an older Android device, continuous deformed the battery after two days. Delivery often occurs through sideloaded apps or compromised store listings, with Android being more vulnerable due to its open ecosystem. This form exploits the ubiquity of mobile devices for broad reach but is limited by hardware constraints compared to desktops or clouds.

Hybrid forms of cryptojacking combine multiple delivery methods or integrate with other malicious activities to enhance efficacy and evasion. For example, attacks may start with browser injection to assess viability before downloading persistent , or pair with clipboard hijacking in clipper that alters addresses during transactions. A notable 2020 case involved the , which blended cryptojacking with DDoS capabilities to overload targets while . These hybrids, such as those blending 10% code download with 90% browser execution, maximize resource exploitation across vectors but introduce complexity in propagation and control.

Notable Incidents

Pre-2020 Cases

One of the earliest documented cases of unauthorized cryptocurrency mining involved hackers compromising servers of the E-Sports Entertainment Association (ESEA) in 2013, where they installed Bitcoin mining software to exploit the computational resources without user consent. This incident highlighted the vulnerability of gaming infrastructure to such attacks, though it was later revealed that ESEA's own employee had initiated the mining code, leading to the company being fined $1 million by the New Jersey Attorney General for violating consumer protection laws. In a related early enforcement action, German police arrested two individuals in December 2013 for operating a botnet that hacked into computer networks to mine over €700,000 (approximately $950,000) worth of Bitcoin, seizing the illicitly generated funds and marking one of the first major law enforcement interventions against such operations.

Between late 2013 and early 2014, a malware campaign targeted Yahoo Europe's advertising network, infecting an estimated 2 million computers primarily in Germany and other European countries by exploiting vulnerabilities in Java-based ads. The malware hijacked users' processors to mine Bitcoin undetected for several months, siphoning resources from victims' devices while they browsed Yahoo sites, and was only discovered after security firm Fox-IT alerted authorities to unusual network traffic. This browser-based attack demonstrated the ease of distributing mining scripts through legitimate ad platforms, affecting a broad user base and prompting Yahoo to enhance its ad verification processes.

In 2018, malicious advertisements on exploited Google's platform to distribute Coinhive mining scripts, impacting millions of viewers worldwide by covertly using their devices' CPU power to mine cryptocurrency. Security researchers at identified the ads, which masqueraded as legitimate video promotions and ran the mining code in users' browsers without detection, leading Google to suspend the offending ad accounts and block thousands of malicious domains. The incident underscored the risks of supply chain attacks in video streaming services, where brief exposure to an ad could initiate on unsuspecting devices.

The widespread abuse of Coinhive between 2018 and 2019 involved hackers injecting its miner into compromised websites, including high-profile breaches at Showtime, where the code was embedded to mine using visitors' resources, and the Atlantic Council, whose site was similarly tampered with to facilitate unauthorized mining. These attacks proliferated due to Coinhive's ease of integration, affecting thousands of sites and prompting affected organizations to their web infrastructure; the service's shutdown in 2019 was driven by declining profitability and reputational damage from its criminal misuse, though forks like CryptoLoot emerged shortly after. In 2018, cryptojacking malware using Coinhive was discovered on U.S. Department of Defense servers, mining approximately 35.4 units of over the course of the infection.

Early botnets like , which emerged in 2017, targeted vulnerable servers—particularly web and database hosts—by encrypting files and demanding ransom while also deploying persistent mining modules to generate revenue. These server-focused operations scaled by exploiting unpatched software, amassing significant hashing power across infected systems, and posed unique challenges for due to the anonymity provided by transactions and the distributed nature of botnets, often hindering attribution and asset recovery efforts.

2020–2025 Developments

In 2021, zero-day vulnerabilities in Exchange servers were exploited by threat actors, including the Chinese state-sponsored group , to gain unauthorized access to on-premises systems. Following initial espionage activities, opportunistic attackers such as the Lemon Duck botnet leveraged these flaws to deploy cryptocurrency miners, enabling widespread cryptojacking on compromised servers. This incident highlighted the vulnerabilities' role in facilitating resource-intensive mining operations across thousands of organizations globally.

The TeamTNT botnet, active since 2020, targeted and environments, infecting over 850,000 servers for mining through exploited vulnerabilities in Docker APIs and other misconfigurations.

In 2023, cryptojacking attacks experienced a dramatic resurgence, with reporting a 659% year-over-year increase in incidents for the full year, totaling 1.06 billion attacks, including 332.3 million in the first half of the year alone (a 399% rise). This surge underscored the tactic's appeal as a low-effort, high-volume method for illicit mining, often targeting infrastructure and unpatched systems.

In 2024, a notable legal case emerged from involving Charles O. Parks III, who operated a cryptojacking scheme under the guise of an educational platform. Parks defrauded providers of approximately $3.5 million in computing resources to mine , leading to charges of wire fraud, , and unlawful monetary transactions. He pleaded guilty in December 2024 and was sentenced in August 2025 to one year and one day in prison, marking a significant prosecution in the evolving landscape of cryptojacking accountability.

In July 2025, a broad-scale JavaScript-based cryptojacking wave compromised over 3,500 websites worldwide, injecting obfuscated miners that exploited browser resources without user detection. Attackers used advanced evasion techniques, such as communications, to maintain stealthy mining operations across diverse site hosts.

In November 2025, threat actors exploited a critical in the Ray open-source AI framework to deploy a self-replicating cryptojacking , targeting exposed clusters worldwide for unauthorized .

Overall, cryptojacking incidents rose by 63% in 2025 through mid-year, reflecting a continued shift toward more sophisticated tactics. A notable trend involved AI-assisted evasion, with approximately 35% of related operations incorporating to adapt payloads and avoid detection in real-time.

Security Measures

Detection Techniques

Detecting cryptojacking requires monitoring for specific indicators of unauthorized activity, which can manifest through patterns and system behaviors. Behavioral indicators often include unusual spikes in CPU or GPU usage, even during periods of low user activity, leading to noticeable system slowdowns, overheating, or reduced performance. Additionally, increased electricity consumption without corresponding workload increases can signal persistent operations, as the intensive computational demands of algorithms like those for persist in the background. These signs are particularly evident in malware-based cryptojacking, where infected hosts exhibit sustained high-load tasks.

Network monitoring provides another key avenue for identification by scrutinizing outbound for connections to known mining pools. Common indicators include persistent low-rate to suspicious IP addresses or domains associated with pools, often over specific ports such as 3333 or 4444, which are frequently used by mining software like XMRig. Tools like Crypto-Aegis leverage to analyze encrypted network patterns, achieving high detection rates by identifying subtle anomalies in packet sizes, inter-arrival times, and flow characteristics without decrypting payloads. This approach has demonstrated over 95% accuracy in distinguishing mining from legitimate activities in real-world scenarios.

Endpoint detection tools focus on scanning for known mining binaries and scripts directly on devices. Antivirus solutions commonly incorporate signatures for prevalent miners like XMRig, which is an open-source CPU miner frequently repurposed for illicit activities, allowing real-time identification and quarantine of infected processes. For browser-based attacks, extensions such as No Coin employ domain blacklisting to detect and block miners by intercepting requests to known malicious scripts, providing lightweight protection against in-browser cryptojacking, though users should consider more actively maintained alternatives like MinerBlock as of 2025.

Log analysis involves examining system and application logs for anomalous patterns indicative of . Indicators include the presence of unexpected processes consuming excessive resources or the execution of (WASM) modules in browsers, which are often used to obfuscate and run efficient mining code. (SIEM) systems can correlate these logs with rules to alert on persistent high-compute tasks, such as repeated system calls for cryptographic hashing, enabling proactive investigation.

Advanced techniques enhance detection through heuristic and behavioral analytics tailored to evasive tactics. targets obfuscated by profiling code structures and execution flows for mining-specific patterns, such as intensive loop iterations for proof-of-work computations, with models like random forests achieving up to 98% accuracy. Integration with (EDR) platforms allows for real-time by combining host , such as hardware performance counters and syscall monitoring, to flag deviations from baseline behavior in both in-browser and host-based attacks.

Recent advancements as of include deep learning-based frameworks for detecting cryptojacking in containerized environments, offering efficient detection with minimal overhead. AI-based dashboards like CryptoGuard provide user-friendly interfaces for real-time monitoring and . Additionally, interpretable approaches using Local Interpretable Model-agnostic Explanations (LIME) balance accuracy and explainability in detection models. According to McAfee's 2024 Threat Report, cryptojacking attacks evading detection increased by 60% in the past year, highlighting the need for evolving techniques.
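
The host and network indicators described in this section (ports 3333 and 4444, persistent low-rate outbound flows, high CPU load while the user is inactive) can be correlated so that no single noisy signal raises an alert on its own. The following is an added example, not code from the article or from any tool it names; the host names, flow and CPU records, and every threshold are constructed assumptions.

```python
"""Triage hosts for likely mining by correlating flow and CPU telemetry.

Every record and threshold here is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports the text names as frequently used by mining software such as XMRig.
MINING_PORTS = {3333, 4444}

# Assumed thresholds; tune them against your own baseline.
MIN_FLOW_SECONDS = 1800      # "persistent": at least 30 minutes
MAX_BYTES_PER_SECOND = 200   # "low-rate": small, steady pool traffic
CPU_BUSY_PCT = 70            # below ~80% so throttled miners still count
MIN_IDLE_BUSY_RATIO = 0.8    # share of idle-user samples that are busy


@dataclass(frozen=True)
class Flow:
    host: str
    dst_ip: str
    dst_port: int
    duration_s: int
    total_bytes: int


@dataclass(frozen=True)
class CpuSample:
    host: str
    cpu_pct: float
    user_active: bool


def flow_indicators(flow):
    """Return the network indicators a single outbound flow matches."""
    reasons = []
    if flow.dst_port in MINING_PORTS:
        reasons.append(f"mining port {flow.dst_port}")
    if flow.duration_s >= MIN_FLOW_SECONDS:
        if flow.total_bytes / flow.duration_s <= MAX_BYTES_PER_SECOND:
            reasons.append("persistent low-rate flow")
    return reasons


def idle_busy_ratio(samples):
    """Fraction of samples taken with no user activity that show a busy CPU."""
    idle = [s for s in samples if not s.user_active]
    if not idle:
        return 0.0
    return sum(1 for s in idle if s.cpu_pct >= CPU_BUSY_PCT) / len(idle)


def triage(flows, samples):
    """Map each host with at least one indicator to a severity and reasons."""
    net = defaultdict(dict)              # host -> ordered set of reasons
    for flow in flows:
        for reason in flow_indicators(flow):
            net[flow.host][reason] = None
    by_host = defaultdict(list)
    for sample in samples:
        by_host[sample.host].append(sample)
    cpu_hosts = {h for h, ss in by_host.items()
                 if idle_busy_ratio(ss) >= MIN_IDLE_BUSY_RATIO}

    report = {}
    for host in sorted(set(net) | cpu_hosts):
        reasons = list(net.get(host, {}))
        busy = host in cpu_hosts
        if busy and reasons:
            severity = "high"            # host and network evidence agree
        elif len(reasons) >= 2:
            severity = "medium"          # network evidence only
        else:
            severity = "low"             # one weak signal, e.g. a build server
        if busy:
            reasons.append("busy CPU while user idle")
        report[host] = {"severity": severity, "reasons": reasons}
    return report


# Constructed sample telemetry (documentation-range IP addresses).
SAMPLE_FLOWS = [
    Flow("ws-014", "203.0.113.25", 3333, 7200, 540_000),
    Flow("kiosk-3", "198.51.100.7", 443, 5400, 270_000),   # TLS, no port hit
    Flow("nas-2", "203.0.113.25", 3333, 4000, 100_000),
    Flow("build-02", "198.51.100.9", 443, 120, 40_000_000),
    Flow("db-01", "192.0.2.40", 4444, 30, 2_000),
    Flow("file-01", "192.0.2.50", 445, 20, 1_000_000),
]
SAMPLE_CPU = (
    [CpuSample("ws-014", p, False) for p in (80, 79, 82, 78)]
    + [CpuSample("ws-014", 35, True)]
    + [CpuSample("kiosk-3", p, False) for p in (76, 81, 79, 80)]
    + [CpuSample("nas-2", p, False) for p in (4, 6, 5)]
    + [CpuSample("build-02", p, False) for p in (95, 97, 90)]
    + [CpuSample("file-01", 12, False)]
)

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_FLOWS, SAMPLE_CPU).items():
        print(host, finding["severity"], "; ".join(finding["reasons"]))
```

Setting the CPU threshold below 80% reflects the throttling behaviour described under "How Cryptojacking Works", and the `kiosk-3` record shows a host flagged without any port match, which is the case port-based blocking alone would miss.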

Prevention Strategies

Preventing cryptojacking requires proactive measures to address vulnerabilities, secure networks, and promote safe user behaviors, thereby blocking unauthorized access to resources before exploitation occurs. Organizations and individuals can implement layered defenses focusing on patching, controls, and enforcement to minimize entry points for malicious scripts or .

Regular software updates and patching form a foundational strategy to eliminate injection points exploited by cryptojackers, such as outdated browsers or deprecated plugins like , which historically enabled drive-by downloads. For instance, keeping operating systems, web browsers, and applications current prevents attackers from leveraging known vulnerabilities to inject code. Automated patch management tools prioritize updates for high-risk assets, ensuring timely remediation without manual intervention.

Network controls effectively restrict the delivery and operation of cryptojacking payloads by filtering suspicious traffic and content. Firewalls configured to block outbound connections to known IP addresses or domains, such as those associated with pools, prevent resource hijacking at the perimeter. Ad blockers, including extensions like , further mitigate risks by intercepting embedded mining scripts in advertisements or compromised websites, as these tools incorporate filters specifically designed to detect and halt cryptomining attempts. Web application firewalls provide an additional layer by analyzing traffic for anomalous patterns indicative of script injection.

User education empowers individuals to avoid common vectors for cryptojacking, such as emails or malicious downloads. Training programs should emphasize verifying sources before downloading files or clicking links, as well as using secure connections like VPNs on public to prevent man-in-the-middle attacks that could facilitate payload delivery. Regularly monitoring system resource usage through built-in tools like Windows or macOS Activity Monitor helps users identify unusual CPU spikes early, allowing for immediate investigation without relying on advanced detection.

For organizations, implementing robust policies through endpoint protection platforms (EPP) with behavior-based blocking is essential to safeguard devices and cloud environments. These platforms monitor for unauthorized processes and halt them proactively, integrating seamlessly with identity and access management (IAM) systems to limit credential abuse. In cloud settings, IAM controls such as (MFA), privileged identity management, and policies restrict over-privileged accounts, preventing attackers from spinning up unauthorized virtual machines for .

Emerging technologies enhance prevention by isolating potential threats and enforcing strict verification. Browser sandboxing improvements, such as those in modern engines like , confine JavaScript execution to isolated environments, limiting the spread of mining code across tabs or sessions. Zero-trust models complement this by requiring continuous and granular access controls, ensuring that even compromised credentials cannot escalate to resource-intensive activities like cryptomining in or endpoint infrastructures. As of 2025, enhanced focus on container security and AI-driven in environments addresses rising threats in containerized setups.

Impacts and Responses

Economic and Technical Impacts

Cryptojacking imposes significant resource drain on affected devices by commandeering central processing units (CPUs) and graphics processing units (GPUs) for unauthorized , leading to reduced and increased hardware stress. Victims often experience noticeable slowdowns in computing speed, as the prioritizes mining tasks over legitimate operations, resulting in sluggish applications and diminished productivity. Additionally, the intensive computational demands cause overheating of hardware components, such as GPUs and batteries, which can accelerate wear and potentially shorten device lifespan or lead to permanent damage from prolonged high temperatures. This resource hijacking also elevates , manifesting as higher electricity bills for individuals and organizations, with global estimates from a 2018 study indicating a daily of approximately $59,000 USD attributable to widespread cryptojacking activity affecting millions of users monthly.

Economically, cryptojacking yields low returns per individual victim but achieves substantial scale through mass infections, enabling attackers to amass illicit revenue in the millions annually. For instance, in a notable cloud-based cryptojacking scheme, a perpetrator in defrauded providers of over $3.5 million in computing resources to mine cryptocurrencies between 2021 and 2024, highlighting how attackers exploit scalable for profit while imposing unpaid costs on service hosts. Despite the per-incident yield being modest—often mere cents per device—the cumulative effect from infecting vast networks, such as websites or enterprise systems, was estimated to generate about $21.5 million in annual illicit revenue for cybercriminals as of 2018. These losses extend beyond direct , encompassing indirect expenses like elevated utility payments and the need for remediation efforts to restore compromised systems. As of 2025, cloud-based cryptojacking activity has risen by approximately 20%, contributing to ongoing economic burdens without precise updated global figures available.

On the technical front, cryptojacking induces system instability by overloading resources, frequently causing application crashes, unresponsiveness, and full device failures due to excessive CPU utilization. This overload disrupts normal operations, creating opportunity costs such as delayed business processes and reduced employee efficiency in affected environments. In enterprise settings, the persistent background can exacerbate network latency and server , compounding technical vulnerabilities and necessitating resource-intensive diagnostics.

The broader ecosystem faces indirect pressures from cryptojacking's distributed energy demands, which contribute to heightened overall usage without corresponding investments, though the impact remains less pronounced than large-scale legitimate operations. For victims, individuals primarily endure personal financial burdens from utility spikes and device degradation, while enterprises grapple with recovery costs for system audits and hardware replacements, often in the range of thousands per incident.

Cryptojacking is legally classified in the United States primarily under the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to computer systems, with penalties ranging from one to 20 years imprisonment depending on the severity of the violation. It is also frequently prosecuted as wire fraud, carrying a maximum sentence of 20 years, due to the deceptive transmission of data across state lines to hijack computing resources. Internationally, enforcement faces challenges from cross-border mining pools, which facilitate the laundering of illicitly mined and complicate attribution across jurisdictions.

Notable prosecutions include the 2025 sentencing of Charles O. Parks III, a Nebraska-based influencer known as "CP3O," who was convicted of wire fraud, , and unlawful monetary transactions for orchestrating a cryptojacking scheme that defrauded providers of over $3.5 million in resources. Parks received a one-year sentence after pleading guilty to using misrepresented educational platforms to mine on hijacked cloud infrastructure.

Regulatory responses have included calls for enhanced know-your-customer (KYC) requirements on pools to better trace and disrupt illicit activities, as these platforms are often exploited to obscure the origins of cryptojacked funds. In the European Union, the General Data Protection Regulation (GDPR) primarily addresses breaches.

Ethically, cryptojacking raises profound concerns over , as attackers exploit users' devices without permission, depriving individuals and organizations of control over their computational resources and often causing undetected performance degradation. This lack of exacerbates equity issues, disproportionately affecting under-resourced users in developing regions or small entities unable to afford robust defenses, thereby widening digital divides. Furthermore, the environmental toll is significant, with cryptojacking contributing to unnecessary —equivalent to substantial waste—that intensifies global challenges amid 's already high .

Looking ahead, the 63% rise in cryptojacking incidents reported in 2025 underscores the urgency for targeted , with experts advocating for specialized anti-cryptojacking laws to address evolving tactics beyond existing statutes. Such measures could include mandatory reporting for anomalous activity and international cooperation to regulate decentralized pools, potentially mitigating the trend as enforcement priorities shift toward cryptocurrency-related crimes.
