Cryptojacking is one of the most insidious forms of cybercrime because victims often have no idea it is happening. There are no ransom notes, no stolen files, no obvious alerts — just a quietly overworked CPU, a higher electricity bill, and degraded system performance. In 2026, as cryptocurrency values remain volatile but often lucrative, cryptojacking continues to be a go-to technique for threat actors who want steady, low-risk income from compromised systems.
What Is Cryptojacking?
Cryptojacking is the unauthorized use of someone else’s computing resources to mine cryptocurrency. Attackers deploy malicious code — either on a victim’s device or inside their browser — that secretly runs mining algorithms, typically for Monero (XMR). Monero is the preferred currency because its proof-of-work algorithm (RandomX) is CPU-friendly and its transactions are privacy-preserving, making payouts harder to trace.
Unlike ransomware, cryptojacking does not destroy data or demand payment. The attacker simply siphons CPU cycles over time, profiting quietly while the victim absorbs the cost.
How Cryptojacking Works
Browser-Based Cryptojacking
The most well-known early example was Coinhive, a JavaScript-based miner launched in 2017 that website owners could embed to monetize traffic instead of running ads. It was quickly weaponized: attackers injected the Coinhive script into thousands of websites without owner consent. Although Coinhive itself shut down in 2019, copycat services and custom scripts have taken its place.
Browser-based miners run entirely in JavaScript. When a victim visits a compromised or malicious website, the script executes silently in the browser tab, consuming CPU resources until the tab is closed. Some scripts use throttling to stay under the radar, capping CPU usage at 40–60% to avoid triggering user suspicion.
File-Based (Host-Based) Cryptojacking
More dangerous than browser miners, file-based cryptojacking involves installing a persistent miner on the victim’s operating system. Common delivery vectors include:
- Phishing emails with malicious attachments
- Trojanized software downloaded from unofficial sources
- Exploitation of unpatched vulnerabilities and exposed services (e.g., unauthenticated Docker APIs, unpatched Log4Shell instances)
- Supply chain compromises injecting miners into legitimate software packages
Once installed, miners like XMRig — a legitimate open-source miner frequently abused by attackers — run as background processes. They often disguise themselves with innocuous-sounding process names, use scheduled tasks or cron jobs for persistence, and may kill competing miners to maximize their own resource allocation.
Cloud and Container Cryptojacking
A growing attack surface in 2026 is cloud infrastructure. Attackers scan for misconfigured cloud environments — exposed Kubernetes dashboards, unauthenticated Docker sockets, or weak AWS IAM permissions — and spin up compute instances to mine at the victim’s expense. The TeamTNT threat group pioneered this technique, using worms that automatically spread through container environments and install XMRig. A single compromised cloud account can rack up thousands of dollars in compute bills within days.
Real-World Examples
| Incident | Year | Method | Scale |
|---|---|---|---|
| Coinhive script injections | 2017–2019 | Compromised websites | Millions of browser victims |
| Tesla AWS breach | 2018 | Exposed Kubernetes dashboard | Cloud-based mining |
| TeamTNT campaigns | 2020–2023 | Docker/Kubernetes exploitation | Global cloud infections |
| PyPI malicious packages | 2022–2025 | Supply chain via Python packages | Developer machines |
| Romanian threat group (ROCKE) | Ongoing | Linux server exploitation | Enterprise servers |
The ROCKE group, tracked by Cisco Talos and Palo Alto Networks, has persistently targeted Linux servers running Apache, Redis, and other internet-facing services, deploying custom miners with rootkit capabilities to evade detection.
How to Detect Cryptojacking
Detection is the first challenge because miners are designed to be quiet. Watch for these signs:
- Unexplained CPU spikes — sustained high CPU usage on a machine with no heavy workload
- Device overheating or louder-than-usual fan activity
- Slowdowns in applications that were previously responsive
- Unusual processes in Task Manager or top/htop on Linux
- Higher-than-expected cloud compute bills
Tools and Techniques
- Process monitoring: Look for processes named xmrig, minerd, cpuminer, or suspicious lookalikes
- Network traffic analysis: Miners communicate with mining pools; look for outbound connections to known pool addresses (e.g., pool.minexmr.com, xmrpool.eu)
- Browser extensions: Tools like minerBlock and No Coin block known cryptomining scripts
- Endpoint detection and response (EDR): Modern EDR solutions flag mining behavior based on CPU patterns and known miner signatures
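The indicators above (process names and their lookalikes, sustained CPU, connections to pool endpoints) can be combined into a single triage pass over telemetry a host already produces. The script below is an added example written for this article, not code from any of the tools or campaigns it names. The process table, CPU samples and connection log are constructed inline; the pool hosts come from the list above, while the Stratum port set, the 40% threshold and the disguised process names are assumptions for illustration. Note that the CPU check looks for a steady run of moderate usage rather than a spike, because throttled miners deliberately stay in the 40–60% range described earlier.

```python
"""Cryptojacking triage over host telemetry (added example, not from the article).

Inputs are constructed, inline samples of the kinds of data a defender
already collects: a process table, per-process CPU samples over time,
and an outbound-connection log. Pool hosts are the ones the article names;
the Stratum ports, thresholds and sample names are assumptions.
"""
from dataclasses import dataclass
from statistics import median

# Process names the article lists; lookalikes are caught by normalise().
SUSPICIOUS_NAMES = {"xmrig", "minerd", "cpuminer"}
# Mining pool hosts named in the article; a real deployment would use a
# maintained blocklist. Ports are commonly used Stratum ports (assumption).
KNOWN_POOL_HOSTS = {"pool.minexmr.com", "xmrpool.eu"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

@dataclass
class Process:
    pid: int
    name: str
    cpu_samples: list  # percent CPU at each sampling interval, oldest first

@dataclass
class Connection:
    pid: int
    dst_host: str
    dst_port: int

def normalise(name: str) -> str:
    """Strip common disguise tricks: case and separator characters."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")

def name_is_suspicious(name: str) -> bool:
    n = normalise(name)
    return any(s in n for s in SUSPICIOUS_NAMES)

def sustained_cpu(samples, threshold=40.0, min_samples=6) -> bool:
    """Throttled miners sit at a steady 40-60% rather than spiking, so look
    for a long run whose median stays above the threshold and whose lowest
    sample never drops far below it (a finished render job would)."""
    if len(samples) < min_samples:
        return False
    window = samples[-min_samples:]
    return median(window) >= threshold and min(window) >= threshold * 0.75

def pool_connection(conn: Connection) -> bool:
    return conn.dst_host in KNOWN_POOL_HOSTS or conn.dst_port in STRATUM_PORTS

def triage(processes, connections):
    """Return {pid: [reasons]} for processes showing one or more indicators."""
    findings = {}
    conns_by_pid = {}
    for c in connections:
        conns_by_pid.setdefault(c.pid, []).append(c)
    for p in processes:
        reasons = []
        if name_is_suspicious(p.name):
            reasons.append(f"suspicious process name '{p.name}'")
        if sustained_cpu(p.cpu_samples):
            reasons.append("sustained CPU usage consistent with throttled mining")
        for c in conns_by_pid.get(p.pid, []):
            if pool_connection(c):
                reasons.append(f"outbound to mining pool {c.dst_host}:{c.dst_port}")
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed sample telemetry (not real data).
SAMPLE_PROCESSES = [
    Process(101, "kworker/u8:2", [1, 2, 1, 3, 2, 1, 2, 1]),
    Process(202, "kthreadd_", [52, 55, 49, 58, 51, 54, 50, 56]),   # disguised, throttled
    Process(303, "xmrig-6.21", [95, 97, 96, 98, 94, 97, 96, 95]),
    Process(404, "ffmpeg", [99, 98, 97, 5, 3, 2, 1, 1]),             # legitimate burst that ended
]
SAMPLE_CONNECTIONS = [
    Connection(202, "198.51.100.23", 14444),   # unknown host, Stratum port
    Connection(303, "pool.minexmr.com", 3333),
    Connection(404, "203.0.113.9", 443),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the sample data, pid 202 is flagged on CPU pattern and destination port even though its name looks like a kernel thread, pid 303 on all three indicators, and the ffmpeg burst on pid 404 is left alone. Feeding it real data means replacing the three sample lists with output from ps, a CPU sampler and ss or netstat, and swapping the host set for a maintained blocklist.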
How to Prevent Cryptojacking
For individuals:
- Keep browsers and extensions updated
- Use ad blockers that include cryptomining filters (uBlock Origin with the right filter lists)
- Install browser extensions specifically designed to block miners
- Avoid downloading software from unofficial sources
- Use reputable antivirus/anti-malware with real-time protection
For organizations:
- Patch aggressively — many cryptojacking campaigns exploit known vulnerabilities
- Audit cloud configurations regularly; use tools like AWS Config, GCP Security Command Center, or Azure Defender
- Enforce least privilege on cloud IAM roles to limit blast radius if credentials are compromised
- Deploy network monitoring to catch connections to known mining pool endpoints
- Use container security tools (Falco, Sysdig) that alert on anomalous process execution in containers
- Implement Content Security Policy (CSP) headers on web properties to block unauthorized script execution
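To show what the last point actually buys a site owner against an injected miner script, here is an added example (written for this article, not taken from any project) that evaluates a page's script-src policy the way a browser would for a given script origin. It implements only a subset of CSP source matching: 'self', 'none', the * wildcard, host sources with optional scheme and *. prefix, 'unsafe-inline' and nonces. Real CSP also handles ports, paths, hashes and 'strict-dynamic'. The two policies, the page origin and the script URLs are constructed for illustration.

```python
"""Simplified Content-Security-Policy script-src evaluator (added example).

Models the part of CSP that matters for injected miner scripts: which
script origins a page allows. Subset of CSP source matching only; the
policies and URLs below are constructed examples.
"""
from urllib.parse import urlsplit

def parse_script_src(header: str) -> list:
    """Return the script-src source list, falling back to default-src."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))

def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the bare domain
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def _source_matches(source: str, page_origin: str, script_url: str) -> bool:
    page = urlsplit(page_origin)
    script = urlsplit(script_url)
    s = source.lower()
    if s == "*":
        return True
    if s == "'self'":
        return (script.scheme, script.hostname, script.port) == \
               (page.scheme, page.hostname, page.port)
    if s.startswith("'"):  # 'none', nonces, hashes: never match a URL here
        return False
    if "://" in s:
        scheme, _, host = s.partition("://")
        return script.scheme == scheme and _host_matches(host, script.hostname or "")
    # scheme-less host source: same scheme as the page, http->https upgrade allowed
    scheme_ok = script.scheme == page.scheme or \
                (page.scheme == "http" and script.scheme == "https")
    return scheme_ok and _host_matches(s, script.hostname or "")

def script_allowed(header: str, page_origin: str, script_url=None, nonce=None) -> bool:
    """Decide whether a script would load under the given CSP header.

    script_url=None means an inline <script>; it loads only with a matching
    nonce or with 'unsafe-inline' in the policy. Absolute script URLs only.
    """
    sources = parse_script_src(header)
    if not sources:
        return True  # no policy at all: everything loads
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if script_url is None:
        return "'unsafe-inline'" in sources
    return any(_source_matches(src, page_origin, script_url) for src in sources)

# Constructed policies: a permissive one that an injected miner sails through,
# and a hardened one that only admits first-party, one CDN, and nonced inline code.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
HARDENED_POLICY = ("default-src 'self'; "
                   "script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; "
                   "object-src 'none'")
PAGE = "https://www.example.com"
INJECTED_MINER = "https://evil.example.net/miner.js"   # constructed, not a real host

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "external miner script:", script_allowed(policy, PAGE, INJECTED_MINER))
        print(label, "inline script, no nonce:", script_allowed(policy, PAGE))
```

The weak policy allows both the injected external script and an inline one, which is exactly the shape that let Coinhive-style injections run on compromised sites. Under the hardened policy the injected script is refused because its origin matches neither 'self' nor the listed CDN, and inline code runs only when it carries the per-response nonce, which an attacker writing into a template or database field cannot predict.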
The Bottom Line
Cryptojacking may lack the drama of ransomware, but it represents a real cost — in electricity, hardware wear, degraded performance, and cloud bills. For organizations running cloud workloads, a single misconfiguration can turn into a mining operation that costs tens of thousands of dollars before anyone notices. Strong patch management, cloud security hygiene, and network monitoring are your best defenses against this quietly profitable threat.