Malware analysis

Malware spotlight: Crypto-jacking

Fakhar Imam
October 30, 2019 by
Fakhar Imam


In this article, we will explore crypto-jacking, a growing malware-based epidemic in the cryptocurrency realm. Before understanding this threat, though, it is necessary to understand more about cryptocurrency and cryptocurrency mining.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is cryptocurrency?

Cryptocurrency refers to digital money that can exist in a secure and decentralized form. It can be purchased, transferred and/or sold securely using blockchain technology, which uses cryptography to encrypt and protect data that helps in identifying and tracking cryptocurrency transactions. 

Unlike traditional money, cryptocurrency is not managed or backed by an authorized third party, such as a government or bank. Rather, cryptocurrency transactions are verified by the network of computers that are not affiliated with any single server.

What is cryptocurrency mining?

Cryptocurrency mining is the process in which transactions between users are verified and then added into a blockchain public ledger. The mining process is also responsible for adding new coins into the existing circulating supply and is one of the basic factors that allow cryptocurrencies such as Bitcoin or Litecoin to work as the peer-to-peer decentralized network without the need for any central third-party.

The control and security of this network are maintained by miners, or crypto-miners — the people who mine coins.

What is cryptocurrency-mining malware?

Cryptocurrency-mining malware, also known as crypto-jacking, is malicious software that penetrates people’s devices (e.g., smartphones, tablets, computers or even servers) to secretly mine cryptocurrency without users’ explicit permission.

Threat actors do not build a dedicated crypto-mining network. Instead, they use cryptocurrency-mining malware to hold control of the resources of a victim’s computer, usually a CPU and memory resources. When all resources are added up, hostile actors can compete against sophisticated crypto-mining operations.

Since crypto-jacking only uses CPU power, it may go unnoticed on a computer. As a result, your CPU will soon run at a snail’s pace, further resulting in unresponsiveness and/or unavailability of legitimate processes due to the poor performance of the CPU and memory resources.

How does crypto-jacking work?

Hackers often involve more than one way to enslave a computer. The penetration process is carried out either by infecting a website or by luring the victim to click on a malicious link in an email that incorporates cryptomining code into a victim’s machine. Hackers can also infect online ads with JavaScript code to trigger malware for automatic execution once loaded in the browser of the victim’s device.

Cryptocurrency-mining malware can also be propagated by downloading a malicious file or infected application or installing the infected web browser extension. In February 2018, Bad Packets Report found that around 34,474 websites were running Coinhive, which was the most popular JavaScript miner and being used for legitimate cryptomining.  

What is the potential cost of cryptocurrency-mining malware attacks?

Unlike other malware programs, crypto-jacking neither harms computers nor damages data stored on them. However, this growing epidemic uses CPU and memory resources. For individuals, this malware causes annoyance to the user due to the slow performance of the computer and additional electric units to the electricity bill. However, in the case of organizations, it may involve some cost to fix the problem or track down the performance issues, while bearing the burden of significantly-raised electricity bills.  

According to the site Digiconnomist, although cryptomining may not cost users a good deal, the overall cost is staggering. The calculations required to mine currency and verify a Bitcoin ledger needs more than 70 terawatt-hours each year, which is enough to power 6.5 million U.S. households.

According to Motherboard, around 300,000 Bitcoin transactions occur per day. The report also adds that threat actors could earn a profit utilizing 24 terawatt-hours of electricity annually. Each Bitcoin transaction costs 215 kilowatt-hours.

How can cryptocurrency-mining malware be detected?

Although cryptojacking malware is designed to stay hidden, it does not mean it has no bad effects or symptoms on the victim’s machine. The affected system will get slow, the electricity bill will be increased, and the device’s life will be shortened. In addition, the abnormally fast speed of the CPU cooling fan might also indicate the infection of cryptocurrency-mining malware attacks. If your computer is showing these symptoms, you can detect this menace through an antimalware security program.

What is the motivation behind cryptocurrency-mining malware?

Cryptocurrency mining is a lucrative business. Therefore, the motivation behind a crypto-jacking is simply money: generating huge revenue from cryptocurrency mining. According to Kaspersky Labs, a single cryptocurrency-mining malware can generate a revenue of more than $30,000 per month. Though cryptomining malware is so rampant, more than 500 million people are using cryptocurrency mining without realizing its devastating consequences, as per the AdGuard estimation.

According to Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies, “Cryptomining is in its infancy. There’s a lot of room for growth and evolution. It is grown quite a bit since then. It is a really easy money.” Cybersecurity company Malwarebytes believes that hackers even seem to prefer crypto-jacking to ransomware.

How can cryptocurrency-mining malware be prevented?

Finding the origin of the high CPU usage can be like untangling the Gordian knot. Running processes often hide or mask themselves as legitimate operations to prevent security measures from stopping the intrusion. However, taking some proactive measures can save individuals and organizations from falling prey to cryptocurrency-mining malware attacks.

  • Use a popular anti-malware or/and antivirus program and keep them up-to-date
  • Use endpoint protection solutions to detect known crypto miners
  • Install a reputable coin-blocking, script-blocking or ad-blocking extension in your web browser, and block cryptocurrency-mining scripts in your web browser
  • Block JavaScript in the web browser. Be aware that doing so will also disable legitimate functions that are using JavaScript. Some specialized programs can also be used to disable mining activities in web browsers. Those programs include “MinerBlock,” “No Coin” and so on. The latest versions of the Opera web browser even offer a built-in No Coin functionality
  • Avoid downloading files from untrusted sources
  • Always read the Terms of Services for browser extensions and even for all applications
  • Keep your operating system and security applications up-to-date
  • As soon as your system gets noticeably slower, run an anti-malware solution
  • Do not trust anonymous emails and never open untrusted email attachments
  • Avoid visiting anonymous and redirected links
  • Process monitoring should be enabled. Only allow legitimate processes to be run
  • Add cryptocurrency-mining malware into your security awareness and training program

The bottom line (conclusion)

Cryptocurrency-mining malware is malicious software that penetrates your computer through phishing techniques such as email attachments or by injecting cryptomining code using JavaScript into your web browser. This growing epidemic doesn’t cause any direct harm to your computer, but it does use the CPU and memory resources of your machine. 

You can protect yourself from cryptocurrency-mining malware by deploying some security practices such as installing an antimalware program and avoid clicking suspicious-looking links in email attachments.



  1. Cryptocurrency-Mining Malware, NJCCIC
  2. What is Cryptocurrency?, NJCCIC
  3. Cryptocurrency, Webopedia
  4. Cryptojacking, Malwarebytes
  5. Tallying Up the Hidden Costs of Cryptomining Malware, Symantec
  6. What Can Cryptojacking Attacks Cost Your Enterprise?, Endpoint Security Solutions Review
  7. Best endpoint security software of 2019: Secure your business perimeter, TechRadar
  8. What is cryptojacking? How to prevent, detect, and recover from it, CSO
Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.