What is Cryptojacking? Definition & Explanation
Cryptojacking is the unauthorized use of someone else's computer, server, or cloud workload to mine cryptocurrency. Attackers install miners through malware, browser scripts, or compromised cloud credentials and silently consume CPU, GPU, and electricity for financial gain.
In-Depth Explanation
Cryptojacking surged in 2017 with the rise of browser-based miners like Coinhive (which embedded JavaScript miners in compromised websites) and has since shifted toward server-side, cloud-based, and Kubernetes cluster compromises. Modern campaigns like TeamTNT, Kinsing, and 8220 Gang specialize in compromising cloud workloads, exploiting unpatched Confluence, Apache Struts, and Docker API exposures to deploy XMRig (Monero miner) at scale. Attackers prefer Monero for its privacy features.

Indicators of cryptojacking include unexplained CPU spikes, elevated cloud bills, suspicious outbound connections to mining pools (e.g., port 3333), and spawned processes with names like "xmrig" or "kdevtmpfsi".

Defenses include EDR with cloud workload protection, container image scanning, blocking outbound connections to known mining pools, restricting Docker socket access, monitoring for unusual cloud spending patterns, and patching internet-facing services promptly. Cloud providers offer native cryptojacking detection (AWS GuardDuty, Microsoft Defender for Cloud).
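The indicators above can be turned into a simple host-level triage check. The following is an added example written for this page (not code from the original, nor from any vendor named here); it assumes `ps -eo pid,pcpu,comm`-style output plus a per-PID table of outbound connections, and the CPU threshold is an assumed tuning value. Run `triage(SAMPLE_PS, SAMPLE_CONNS)` to see the findings for the constructed sample host.

```python
# Added example (not from the original page): host-level triage for the cryptojacking
# indicators listed above, run over constructed sample data standing in for `ps` output.

# Indicators taken from the text: miner process names and the stratum pool port 3333.
SUSPICIOUS_PROCESS_NAMES = {"xmrig", "kdevtmpfsi"}
MINING_POOL_PORTS = {3333}
CPU_SPIKE_THRESHOLD = 90.0  # percent; an assumed tuning value, not from the page

def parse_ps(ps_output: str) -> list[tuple[int, float, str]]:
    """Turn `ps -eo pid,pcpu,comm` lines (header first) into (pid, cpu%, command)."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        pid, cpu, comm = line.split(None, 2)
        rows.append((int(pid), float(cpu), comm.strip()))
    return rows

def parse_connections(conn_output: str) -> list[tuple[int, int]]:
    """Turn constructed 'pid remote_ip:port' lines into (pid, remote port)."""
    conns = []
    for line in conn_output.strip().splitlines():
        pid, remote = line.split()
        conns.append((int(pid), int(remote.rsplit(":", 1)[1])))
    return conns

def triage(ps_output: str, conn_output: str) -> list[tuple[int, str]]:
    """Return (pid, reason) findings for each indicator the text describes."""
    findings = []
    pool_pids = {pid for pid, port in parse_connections(conn_output) if port in MINING_POOL_PORTS}
    for pid, cpu, comm in parse_ps(ps_output):
        name = comm.rsplit("/", 1)[-1].lower()  # strip any path such as /tmp/.x/
        known_miner = name in SUSPICIOUS_PROCESS_NAMES
        if known_miner:
            findings.append((pid, f"known miner process name: {comm}"))
        if pid in pool_pids:
            findings.append((pid, "outbound connection to mining-pool port 3333"))
        if cpu >= CPU_SPIKE_THRESHOLD and not known_miner:
            findings.append((pid, f"sustained CPU spike ({cpu:.0f}%) by {comm}"))
    return findings

# Constructed sample data modelling one compromised host (not real telemetry).
SAMPLE_PS = """PID %CPU COMMAND
4242 98.5 /tmp/.x/xmrig
5150 95.2 /var/tmp/.cache/updater
777 1.2 nginx
"""
SAMPLE_CONNS = """4242 203.0.113.10:3333
777 198.51.100.5:443
5150 203.0.113.11:3333
"""
```

A renamed miner (pid 5150 here) is caught only by its pool connection and CPU profile, which is why the text pairs process-name checks with network and spending monitoring.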
Why It Matters for Security
Cryptojacking causes direct financial harm through unexpected cloud bills (a single compromised AWS account can rack up tens of thousands in mining costs overnight), degraded application performance, and elevated electricity consumption. More importantly, cryptojacking is often the visible symptom of a deeper compromise — once attackers have code execution on your cloud, they can pivot to data exfiltration, ransomware, or supply chain attacks.
Related Tools
- CrowdStrike Falcon Prevent
Next-gen antivirus with AI behavioral analysis. Top-rated in MITRE ATT&CK evaluations. Blocks known and unknown malware, ransomware, and fileless attacks using
- Sophos Intercept X
AI-powered endpoint protection with deep learning malware detection and anti-ransomware.
- Malwarebytes ThreatDown
AI-powered endpoint security with automated remediation designed for lean security teams.
Frequently Asked Questions
What does Cryptojacking mean in cybersecurity?
Cryptojacking in cybersecurity is the unauthorized use of a victim's computing resources — laptops, servers, cloud workloads, or browsers — to mine cryptocurrency for the attacker's profit, typically by installing malware like XMRig or injecting browser-based miners.
Why is Cryptojacking important?
Cryptojacking matters because it generates direct financial losses through unexpected cloud bills (sometimes tens of thousands of dollars overnight) and degraded performance, but more importantly, it is usually a symptom of a deeper compromise that attackers can pivot into ransomware or data theft.