What Is Cryptojacking? How It Works and How to Protect Against It

September 21, 2022

Cryptojacking is the unauthorized use of another computer’s resources to “mine” cryptocurrency where threat actors employ numerous methods to take control of a device’s computer processor (CPU) or video graphics card (GPU)—secretly using them to run complex and incredibly taxing algorithms to generate units of crypto.


To best protect themselves against cryptojacking attempts, organizations should:

1. Educate personnel to report and avoid suspicious emails, or any other phishing attempts.

2. Identify and remediate vulnerabilities affecting organizational assets.

3. Create a Software Bill of Materials (SBOM) to gain visibility into the third-party libraries and OSS that comprises their software.

Cryptomining and the motivations of threat actors

Cryptocurrency is entirely virtual, with no regulating body determining how much currency should be released into circulation. And in order for crypto to retain value, it is necessary that there is enough currency in circulation to be bought and sold. Therefore, it is up to users to create units of crypto themselves, and then verify its existence with the blockchain—a process known as cryptomining.

Many participants mine in hopes to profit, but the digital resources required to do so are extraordinary. Depending on the user’s hardware and software, a single token of crypto, like Bitcoin, could take anywhere between 10 minutes to 30 days to generate and verify. In addition, each crypto has an automatic system built into its source code that limits the discovery of new units depending on how many miners are competing at the same time—meaning that profits are not guaranteed.

As such, users often create ‘pools’ where they link their machines sharing digital resources to lower the mining difficulty. This increases their overall success rate and newly generated crypto is dispersed among those in the pool.

Cryptojacking replicates this practice, but in a malicious way. By leveraging cryptojacking, hackers combine the resources of compromised devices, siphoning their victims’ processing power to create crypto without having to share profits. To accomplish this however, victims cannot know that their machines are infected, which lies the main security issue with cryptojacking—it can be extremely hard to detect.

Cryptojacking is not like other forms of malware

Unlike other forms of malware, cryptojacking is not meant to cause harm to a victim’s machine or data. Many delivery methods do not require downloads, with most threat actors favoring scripts that run discreetly in the background. Because of this, the majority of victims often have no idea that their processors have been hijacked. In most cases, victims only realize that they are compromised after noticing significant slowdowns on once well-performing machines, or discovering that energy bills are abnormally high.

But the main reason why cryptojacking is popular among threat actors is it provides more consistent money for much lesser risk. Many threat actors consider cryptojacking as a more affordable and beneficial alternative to ransomware. Cryptojacking continuously generates money unlike ransomware—which profits only if the victim pays, and is a one-time operation. Additionally, it is estimated that hackers only have a three percent success rate of coercing someone into paying to recover an infected computer. It also comes with a substantially higher risk of getting caught than other attacks. That is often not the case with cryptojacking.

Who is more at risk of being targeted for cryptojacking attacks?

According to recent findings, despite a sharp drop in the value of cryptocurrency, the number of cryptojacking attacks rose to 66.7 million in 2022 H1—which is up by 30% compared to the same period last year. And in terms of targeting, enterprises are highly favored by threat actors due to the size and variety of their corporate networks. Servers are particularly sought after, since they have exponentially higher processing power compared to an individual’s laptop or desktop PC.

Hackers try to gain a foothold into corporate networks and from there, move laterally within their systems attempting to infect every machine they can without being detected. Depending on the threat actor, the manner in which they gain access can vary. Some may choose to employ social engineering tactics in hopes of getting an employee to click on a malicious link, triggering a script. Others might scan a target’s network to see if any deployed assets are affected by vulnerabilities like Log4Shell, and then exploit them. Or, they might perform a software supply chain attack where they insert malicious code into the open source software (OSS) that is bundled into organizational products.

Mitigate risk using Flashpoint

To minimize risk, organizations need comprehensive intelligence. Using Flashpoint’s Compromised Credentials Monitoring (CCM), users can mitigate the risk of account takeover—acting fast whenever a potential account may be in control of a threat actor. In addition, vulnerability managers can gain insight to all known vulnerabilities affecting critical assets using VulnDB. Sign up for a free trial today to see how better intelligence leads to better risk decisions.

Begin your free trial today.