Some cryptocurrencies are easier to mine than others, making them more appealing to hackers. For example, Monero can be mined using a desktop, laptop, or server, while mining Bitcoin requires specialized and expensive hardware. Cryptocurrency can also be mined using mobile devices, IoT devices, and routers.
A cryptocurrency is a form of virtual or digital money that takes the form of coins or tokens. Bitcoin is the most well-known example, but thousands of other types of cryptocurrencies exist. While some cryptocurrencies have physical applications, most exist only in the virtual world. Cryptocurrencies operate using a distributed blockchain database that is regularly updated with transaction information. To create new blocks, individuals must provide computing power. These individuals are known as crypto-miners and are rewarded with cryptocurrency.
More prominent cryptocurrencies typically have teams of miners who run dedicated computer rigs to perform the necessary calculations. Still, this process requires a significant amount of electricity. Cybercriminals reduce their mining costs by stealing computers and energy resources. They use various hacking techniques to access systems that will perform the calculations illegally, then have these hijacked systems send the results to a server controlled by the hacker.
Cryptojacking is a cybercrime where a criminal secretly uses a victim’s computing power to generate cryptocurrency. Malicious crypto-miners often come through web browser downloads or rogue mobile apps. They can compromise all devices, including desktops, laptops, smartphones, and network servers. The goal of cryptojacking is profit, but unlike many other threats, it’s designed to stay hidden from the user.
Cryptojacking initially began as a way for website owners to make money by using visitors’ computers to mine cryptocurrency. The service was published by an organization called “Coinhive” in September 2017 and used JavaScript to mine Monero within visitors’ browsers. When Coinhive was shut down in 2019, other imitation services appeared. Sadly, hackers quickly seized the chance to utilize it maliciously. They would hack websites and leave the Coinhive JavaScript to mine Monero for their accounts.
Since 2021, there has been a renewed interest in cryptojacking attacks due to the surge in cryptocurrency prices. While the original in-browser cryptojacking script, Coinhive, is no longer active, many copycat scripts are still in operation. Furthermore, cryptojacking malware targets Internet of Things (IoT) devices, mobile phones, computers, and routers. Modern cryptojacking attacks are not solely focused on mining cryptocurrency.
Instead, cybercriminals use their access to achieve multiple goals, such as combining cryptojacking with data theft. These combined attacks give cybercriminals various ways to profit from their exploits.
Cryptojacking involves two primary methods of operation: malware and drive-by crypto mining. Malware-based cryptojacking involves the unauthorized takeover and control of a portion of your computer, akin to ransomware. With cryptojacking, the real threat remains in the background without you noticing the hack.
The other method, drive-by crypto mining, infects a website or ad with a script that automatically initiates cryptocurrency mining on your device without your consent or knowledge. For better understanding, this is how cryptojacking takes place in three steps:
Drive-by crypto mining initially emerged from a legitimate practice where websites openly disclosed that visitors’ devices would be used to mine cryptocurrency while on the site. The mining process would stop once the user left the site. However, cybercriminals soon began to exploit this method through drive-by crypto-mining, which involves using visitors’ devices to mine cryptocurrency without their knowledge or consent.
When a user visits such a site, a code is installed on their device, and it continues to mine cryptocurrency even after they have left the site. Additionally, some cryptojacking malware acts like a worm-style virus, which spreads through a network, infecting one device after another and using their resources to mine cryptocurrency.
There are two primary tactics that hackers use to covertly mine cryptocurrencies, and sometimes they use both:
One approach is to persuade the victim to download crypto mining code onto their device. This is accomplished by tricking them through social engineering methods, like phishing emails.
The email appears genuine and urges the victim to click a link that executes malicious code. This code then installs the crypto-mining script onto the device, which runs in the background while the victim uses the device.
The other strategy involves injecting a script into an advertisement or website distributed to multiple websites. The script runs automatically when the victim opens the website or views the infected ad. The victim’s computer doesn’t store any code. The code performs complicated mathematical problems in both scenarios on the target device. It sends the results to a server controlled by the hacker.
Attackers may combine both approaches to maximize their profits. For instance, among hundreds of devices mining cryptocurrencies for an attacker, 10% might receive earnings from code on the target machines. In comparison, 90% do so via their web browsers.
In recent years, cryptojacking has become a widespread threat, with a significant rise in incidents occurring in 2017 and 2018. According to Malwarebytes Labs, malicious crypto-mining became the most common type of detection in February 2018. Fortune also warned that cryptojacking could be the next significant security threat in October 2017.
Android-based cryptojacking malware detections saw a massive 4,000% increase in Q1 2018. Although it may not be making headlines as frequently as other malware types, cryptojacking remains a persistent threat that allows hackers to profit from other people’s computing resources. It’s, therefore, essential to safeguard your devices against this attack.
Cybercriminals use a malware program to breach a target’s device and harness its computing power to mine cryptocurrency. The malware is usually embedded in websites or applications. It is intentionally concealed, allowing it to be downloaded and installed on the victim’s computer without detection.
Once installed, the malware deploys the device’s processing power to solve complex mathematical problems that verify transactions on the blockchain, which consumes significant amounts of energy and processing power. The cryptojackers receive cryptocurrency as a reward for confirming the transactions.
The stolen currency is then transferred to the attacker’s digital wallet, allowing the attacker to reap the profits at the victim’s expense.
Detecting cryptojacking can be challenging because it’s often disguised or presented as a harmless activity on your device. However, there are some telltale signs to watch out for:
One of the most noticeable symptoms of cryptojacking is a decrease in your computing device’s performance. Slow systems, crashes, or inferior performance are all red flags to look for. A rapidly draining battery is also a potential indicator.
Cryptojacking uses many resources and might lead to overheating in computing equipment. Your computer may become damaged as a result, or these activities may shorten its lifespan. Suppose the fan on your laptop or computer is operating more quickly than normal. In that case, it may be because a cryptojacking script or website is causing your device to overheat, and the fan is running to protect your device from damage.
Cryptojacking scripts increase CPU usage while a user remains on the website. Checking your computer’s Task Manager to see how much CPU is utilized can reveal illicit activity on your device.
Below are a few common cryptojacking attack methods to be aware of.
Hackers aim to increase the gains of cryptojacking by widening their scope to include servers, network devices, and Internet of Things (IoT) devices. Servers are a desirable target because they often have higher processing power than regular desktops and are a prime target in 2023.
Cybercriminals search for servers exposed to the public internet with vulnerabilities, such as Log4J. They take advantage of this flaw and silently install crypto-mining software on the system that connects to the hackers’ servers. This allows the attacker to mine cryptocurrencies at the expense of the server’s owner.
Cybercriminals use a new tactic to spread cryptojacking malware by embedding malicious code into open-source code repositories. This tactic involves adding cryptojacking scripts into widely-used packages and libraries, which are then downloaded by developers all over the world.
As a result, these attacks can scale up quickly, allowing the attackers to use developer systems and networks as mining resources or to distribute cryptojacking scripts to end-users. This poses a significant threat to the software supply chain, making it essential for developers to be vigilant and protect their systems and users from these attacks.
In the past, cybercriminals mainly used cryptojacking to make money by planting malware on desktops and laptops. Hackers usually deliver these malicious scripts via standard methods like phishing emails, fileless malware, and embedded malicious code on websites and web apps.
Hackers can steal resources through cryptojacking by sending legitimate-looking emails to users that contain a link that runs a script and installing the crypto-mining malware on their devices. The malware then runs undetected, sending results back to the attacker’s command and control infrastructure.
Another approach involves injecting a script into a website or ad on multiple sites. When users visit the infected site or encounter the ad, the script automatically runs without leaving any code on the victim’s device.
Many cryptojacking groups are leveraging the scalability of cloud resources to expand their mining operations by breaking into cloud infrastructure. This provides them with access to a vast collection of computing resources that they can use to fuel their mining activities. A study conducted by Google’s Cybersecurity Action Team in the fall of last year revealed that 86% of compromised cloud instances were being used for crypto-mining.
One common method for carrying out these attacks is scanning for unsecured cloud storage buckets or exposed container APIs and then using the access gained to install coin-mining software on impacted cloud servers or container instances. These attacks are typically automated, with scanning software searching for publicly accessible servers with exposed APIs or unauthenticated access.
Here are three types of cryptojacking malware that you should know about:
PowerGhost spreads through spear-phishing emails and steals the victim’s Windows credentials to take control of their computer. Once the attackers gain control, they can disable antimalware software and other competing crypto-miners and start mining cryptocurrencies with the infected system.
Graboid is the first crypto-mining worm and targets unprotected Docker Engine systems connected to the internet. Once infected, the computer becomes a part of the attacker’s botnet, designed to mine for cryptocurrencies.
BadShell uses legitimate Windows processes to conceal its cryptocurrency mining activities. It runs a script that injects malicious code into ongoing operations to operate unnoticed.
The key to successful cryptocurrency mining is having access to powerful computers that can handle the processing. A Russian nuclear scientist was caught in 2018 for illegally using a supercomputer at the Federal Nuclear Center to mine Bitcoin. He had authorized access to the supercomputer but used it for personal profit, exploiting his country’s resources.
In another case, a popular news website, the Los Angeles Times Homicide Report page, was found to contain cryptojacking code hidden within it in February 2018. The malicious code was created using a legitimate crypto-mining tool called Coinhive. It was mining the popular cryptocurrency Monero.
The site’s visitors unwittingly used their devices to mine Monero in the background. The script was designed to use minimal computing power to avoid detection. It took some time for the threat to be discovered due to the script’s stealthy nature.
When browsing the web, one way to protect your device and network from cryptojacking is to visit sites thoroughly vetted and added to a whitelist. You can also blacklist sites that engage in cryptojacking activities, but this approach may not catch all new cryptojacking pages.
Another option is to block JavaScript, which is often used by cryptojackers to access your device’s processing power. However, this could result in some site features becoming unavailable. You can also use special software that’s designed to block mining while you’re browsing. Here are some tips to protect your devices and networks against cryptojacking:
Cryptojacking is a type of cybercrime quickly gaining popularity due to the increasing value of cryptocurrencies. This type of crime is popular among attackers because it requires minimal effort and can quickly scale, replicate, and generate profit with little transparency. However, several methods exist to detect and prevent this malicious activity.
You should be cautious about downloading questionable content, monitor your device’s performance for unusual activity, and always keep your software up to date to make it more challenging for attackers to exploit vulnerabilities.