Protect against cryptojacking

Expel-validated security alerts and guided investigative actions

Crypto: coin mining graphic

Cryptojacking … the who, what, and why.

Cybercriminals: they’re always looking for new ways to make money. We often hear about holding data or systems for ransom. But what about cryptojacking? It’s when a threat actor steals your organization’s computing resources/power and uses it to mine various crypto-currency blockchains. The bad news: it can slow your network way down, and even shut down critical processes.

The attack can be pretty straightforward – no need to escalate privileges or move laterally to get to the host with the secret they need. As our end-of-year report indicated, 35% of the web application compromise incidents we saw in 2021 resulted in deployment of various cryptocurrency coin miners. It’s a sweet gig for the bad guys, too: after the miner is deployed, they can sit back, relax, and watch the money pile up.

How do they get in? Public application exploitation. Access key compromise. Phishing emails. USB devices. These are just some of the ways. And the list grows every year.

What are your biggest cryptojacking prevention challenges?

Blue password install

I need to know if coin miners are installed.


I need visibility (ideally EDR) into host activity that could be coin miner entry points.

I need a “playbook” for coin miner investigating and fixing.

Blue prioritize

I need recommendations to proactively mitigate exploitations used for cryptojacking.

How Expel spots cryptojacking attacks

We set up alerts for process command line arguments, strange process lineages, and network connections to well-known cryptojacking pool domains or to access cryptojacking utilities through multiple detection sources like EDR. We look for behavioral patterns. Then our bots, Josie™ and Ruxie™, get to work and automatically enrich and triage alerts, surfacing up Expel-validated alerts. We notify you of alerts that matter and will automatically remediate the incident (unless you prefer to handle remediations yourself).

  • Reduce risk. We detect cryptojacking attacks fast so your business doesn’t slow down
  • Maximize ROI. We leverage existing detection sources in your environment to detect cryptojacking
  • Improve Security Posture. We recommend resilience measures to mitigate future attacks

Cryptojacking protection: Identify and remediate compromised accounts and access, unusual behavior and more.

Fortunately, attacker entry points for cryptojacking overlap with those for other threat types like ransomware, so focused efforts to reduce your cryptojacking attack surface can help protect against multiple problems.

Learn more about MDR services

The biggest value of Workbench™ is the automated correlation of ancillary data and information into the investigation. It's both beautiful and accessible. Having that context at my fingertips is saving me hours of investigation that I would have had to do on my own. ”

⎯Viren Shah | Director of Engineering

I was able to share context about our environment right in Workbench, which Expel D&R engineers could use to filter and approve access. Expel is really on top of our custom requirements for our environment.”

⎯Detection & Response Manager

Read the story

Is Expel the right fit?

When you tell us you’re ready, we won’t waste your time. Let us know what you’re looking for, and what challenges you have, and we’ll have someone get in touch who can talk tech.

Bots mascots