What is cryptojacking?

Cryptojacking is the unauthorized use of someone else’s computing resources to mine cryptocurrency, often without the victim’s knowledge. It can degrade system performance, increase cloud costs, and signal a broader compromise of the environment.

A cryptojacking attack can be pretty straightforward, since the attacker has no need to escalate privileges or move laterally to get to the host with the secret they need. Our latest Annual Threat Report indicated that cryptojacking made up more than a quarter of all attempts to deploy malware in 2024. It’s a sweet gig for the bad guys, too: after the miner is deployed, they can sit back, relax, and watch the money pile up.

In 2025, unauthorized access to cloud environments—often resulting in cryptominer deployments—made up more than a quarter of all cloud infrastructure incidents Expel’s SOC investigated. (Source: Expel 2026 Annual Threat Report)

Cybercriminals are always looking for new ways to make money. We often hear about holding data or systems for ransom. But what about cryptojacking? It’s when a threat actor steals your organization’s computing resources/power and uses them to mine various cryptocurrency blockchains. The bad news: it can slow your network way down, and even shut down critical processes.

How does cryptojacking work?

How do they get in? Public application exploitation. Access key compromise. Phishing emails. USB devices. Cryptojacking typically involves two main methods of attack, but the list grows every year.

  1. Malicious websites or ads: Cybercriminals inject cryptomining scripts into websites or online ads. When users visit these compromised sites or interact with infected ads, the script automatically runs in the background, using the visitor’s processing power to mine cryptocurrency.
  2. Malware infection: Hackers can also infect devices with malware specifically designed to mine cryptocurrency. This malware often spreads through phishing emails, malicious downloads, or unsecured networks.

In recent years, threat actors have launched numerous campaigns to breach poorly secured Kubernetes clusters and hijack their underlying cloud resources for cryptomining. Such attacks are designed for persistence. They can significantly degrade performance, increase energy consumption and cost, strain hardware resources, and provide a gateway for future attacks.

In all cases, the mining activity happens without the user’s permission. This often causes the device to work incorrectly and use more energy, and it shortens the device’s lifespan.

What are the signs of cryptojacking?

Since cryptojacking doesn’t typically involve overt disruption like ransomware, it can be difficult to detect.

However, there are several red flags to watch for:

  • Slower performance: devices or networks may become noticeably sluggish, with increased lag times or crashes.
  • Overheating: the use of CPU or GPU resources can cause devices to overheat, leading to hardware malfunctions or failure.
  • Increased energy use: mining cryptocurrency demands significant processing power, which can result in higher-than-usual electricity bills.
  • Unexplained CPU usage: a sudden spike in CPU or GPU usage, especially when no resource-heavy applications are running, can indicate cryptojacking.

What impact does cryptojacking have on organizations?

For businesses, cryptojacking attacks can have serious consequences beyond just performance issues. Widespread cryptojacking can:

  • Increase operational costs: the drain on energy and resources from these types of attacks can result in higher costs.
  • Reduce productivity: slowed networks and devices hinder productivity, affecting daily operations.
  • Shorten hardware lifespan: the excessive load on systems can lead to premature hardware failures, resulting in costly repairs or replacements.
  • Increase security risks: cryptojacking infections may open the door to other vulnerabilities or indicate a broader breach of system security.

How do you prevent cryptojacking?

Fortunately, attacker entry points for cryptojacking overlap with those for other threat types like ransomware, so focused efforts to reduce your cryptojacking attack surface can help protect against multiple problems.

Cryptojacking prevention strategies

Cryptojacking prevention requires a multi-layered security approach, focusing on both personal devices and organizational networks. Here are some key steps:

  • Install anti-malware software: use reputable anti-malware solutions to detect and block cryptomining scripts and malware.
  • Update software regularly: keep operating systems, browsers, and software up-to-date to patch vulnerabilities that hackers may exploit.
  • Use browser extensions: extensions like NoCoin and MinerBlock can block cryptojacking scripts from running on websites.
  • Monitor system performance: regularly monitor CPU and GPU usage to detect unusual spikes that may indicate mining activity.
  • Educate employees: if you’re an organization, ensure employees are aware of phishing schemes and how to avoid suspicious links or downloads.

Frequently asked questions

How does cryptojacking work?

Cryptojacking attackers gain access through common vectors—phishing, application exploitation, or compromised credentials—then deploy cryptomining scripts or malware that run silently in the background. Some attacks target individual devices via malicious websites or ads; others compromise cloud infrastructure like Kubernetes clusters for large-scale mining. In every case, the victim’s computing resources do the work while the attacker collects the cryptocurrency.

What are the signs of a cryptojacking attack?

Cryptojacking is designed to stay hidden, but it leaves behind resource-drain indicators. The most common signs are unexplained spikes in CPU or GPU usage, noticeable slowdowns in device or network performance, devices running hotter than usual, and unexpected increases in energy costs. Because these symptoms can resemble other performance issues, organizations should monitor system resource usage continuously so anomalies get flagged rather than dismissed.
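
One way to implement the continuous CPU monitoring described here and in the prevention steps above, as an added example that is not Expel's code: it flags processes whose CPU stays high for a sustained run of samples and that are not on a list of expected heavy workloads. The sample data, host and process names, threshold and run length are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

EXPECTED_HEAVY = {"postgres"}  # assumption: workloads known to be CPU-heavy
THRESHOLD = 80.0               # assumption: percent CPU treated as "high"
MIN_RUN = 5                    # assumption: consecutive high samples required

def series(host, proc, values):
    """Expand one process's CPU readings into (host, process, cpu) samples."""
    return [(host, proc, v) for v in values]

# Constructed sample data, one reading per minute per process.
SAMPLES = (
    series("web-01", "nginx", [12, 15, 95, 14, 11, 13, 12, 16])        # brief spike
    + series("web-01", "tmp-worker", [3, 4, 97, 98, 99, 98, 97, 99])  # sustained
    + series("db-01", "postgres", [88, 91, 90, 93, 89, 92, 90, 91])   # expected load
)

def sustained_runs(values, threshold, min_run):
    """Return (start_index, length) for each run of readings >= threshold
    that lasts at least min_run samples."""
    runs, start = [], None
    for i, v in enumerate(values + [float("-inf")]):  # sentinel closes a final run
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs

def find_suspects(samples, expected=EXPECTED_HEAVY,
                  threshold=THRESHOLD, min_run=MIN_RUN):
    """Flag sustained high CPU from processes not on the expected-heavy list."""
    by_proc = defaultdict(list)
    for host, proc, cpu in samples:
        by_proc[(host, proc)].append(cpu)
    findings = []
    for (host, proc), values in sorted(by_proc.items()):
        if proc in expected:
            continue  # known heavy workload: high CPU here is normal
        for start, length in sustained_runs(values, threshold, min_run):
            findings.append({"host": host, "process": proc, "start": start,
                             "samples": length,
                             "median_cpu": median(values[start:start + length])})
    return findings

if __name__ == "__main__":
    for finding in find_suspects(SAMPLES):
        print(finding)
```

Requiring a sustained run rather than a single reading keeps short, legitimate bursts from generating alerts, and the expected-workload list covers the "no resource-heavy applications are running" condition.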

What impact does cryptojacking have on organizations?

Beyond the performance hit, cryptojacking drives up operational costs through higher energy consumption and accelerated hardware wear. It also reduces productivity across the organization and—critically—can signal a deeper security problem. Attackers who have deployed a cryptominer have already achieved persistent access, meaning the same foothold could be used to stage ransomware, data theft, or other more disruptive attacks.

How do you prevent cryptojacking?

Cryptojacking prevention relies on the same layered security approach used to defend against other malware. That means keeping software patched, deploying anti-malware tooling, monitoring for anomalous CPU and GPU usage, and training employees to recognize phishing attempts. Browser extensions that block cryptomining scripts add an additional layer of protection for endpoint users. Because cryptojacking entry points overlap heavily with ransomware, investments in this area pay dividends across multiple threat types.