As crypto mining has gained popularity, cyberattackers have developed a method of attacking their victims called cryptojacking. This method gained popularity in 2017, when several prominent corporations, such as Starbucks and Tesla, were reported as victims. Despite declining in relevance at the end of 2019 due to the fluctuation of cryptocurrencies, the cryptojacking threat has reportedly been returning recently. So, you need to raise your awareness of this topic.

In this article, you will learn the definition of cryptojacking, how it works, how to detect the attack, and how to prevent it.

Cryptojacking Definition

Cryptojacking is an attack in which a cyberattacker uses malicious links to infect victims’ computers and uses their resources to mine cryptocurrency. The term is a combination of the words cryptocurrency and hijacking. This type of cybercrime works in an unconventional way: rather than directly stealing information or funds from their victims, cyberattackers infect their targets’ computers or devices, hijacking their processing power to mine cryptocurrencies such as Bitcoin, Ethereum, Monero, and Dero.

Victims are often oblivious that their computing resources are being harnessed for cryptocurrency mining. The victims may notice the symptoms, such as a slowdown in system performance or an unusually noisy fan. Still, these signs are often mistaken for routine technical glitches or minor issues. Hence, it is also commonly known as a silent crypto miner. So, how does this silent crypto miner work?

How Does Cryptojacking Work?

Cryptojacking involves a series of steps that begins with attackers infiltrating victims’ computers and ends with their goal: silently mining cryptocurrencies without the victims knowing. Here is the complete explanation of how cryptojacking works:

Infographic on how cyberattacker uses the victim’s computer resources to mine cryptocurrencies

1. Cyberattackers Distribute Malicious Link to Victims’ Devices

The first step for these attackers is to deliver the malicious link to their victims. This can be achieved through various means, but the most common methods include:

  1. Sending deceptive emails with malicious links,
  2. Inserting JavaScript code into online ads,
  3. Or disguising crypto mining JavaScript as a seemingly legitimate application.

Cyberattackers commonly use social engineering to disguise themselves as coworkers, managers, or CEOs to convince the victims to click a link infected with malicious JavaScript inside an email. 

Besides email, they also target their victims through online ads the victims might click. These ads, which can be encountered on various websites, often seem normal, making it even easier for unsuspecting victims to fall prey to these attacks. Some cyberattackers even went the extra mile by creating a mobile application to attack their victims. 

2. Victims Unknowingly Install and Run JavaScript Crypto Miner

After cyberattackers have crafted deceptive and malicious links distributed through various means, all they have to do is wait for their victims to take the bait. The victims might not even be aware that they are exposed to malicious code simply by browsing a seemingly harmless website or clicking on an innocent-looking ad. Once the victims click those malicious links, the crypto mining software will automatically install on their computer without their knowledge. 

Typically, computers ask users’ permission to install any new application or software. However, this crypto mining software is designed to run in the background without the victim’s knowledge or consent.

3. Crypto Mining Silently Runs Using Victim’s Computer Resources

Once the crypto mining JavaScript is installed, the victim’s computer resources are diverted to cryptocurrency mining. Frequently, this results in a performance drop and increased electricity usage because cryptocurrency mining demands more resources than normal daily usage. 

Since victims do not notice these illegal activities running on their computers immediately, cryptojacking attacks can persist for extended periods. This allows the attackers to harvest a significant amount of cryptocurrency without raising immediate red flags.

4. Cyberattackers Gain Cryptocurrencies Without Using Their Resources

What sets cryptojacking apart from other malware threats is the level of damage it causes. Cryptojacking scripts, unlike many other forms of malware, do not cause direct harm to your computer or data. Instead, cryptojacking steals your computer's processing resources by running highly demanding software in the background. By using the victims’ resources, cyberattackers save the money they would otherwise have to spend on resources and gain cryptocurrency at the same time.

The victim, on the other hand, has to bear the damage while gaining nothing. It is important to note that the energy required to mine a single bitcoin is substantial, roughly 155,000 kWh. Additionally, prolonged periods of silent crypto mining can expose the victim’s computer to detrimental outcomes, such as chronic overheating and the risk of hardware damage.

Cryptojacking Attack Examples

The cryptojacking trend was started in 2017 by Coinhive, whose crypto mining JavaScript successfully infiltrated victims’ computers worldwide. Following the success of Coinhive, cyberattackers developed similar JavaScript crypto mining code to silently mine cryptocurrencies on their victims’ devices. In 2022, 139 million cryptojacking attacks were recorded, and the number is predicted to triple by the end of 2023, to 332 million hits.

Among these millions of cryptojacking hits, here are some notorious examples of the attacks:

1. Coinhive Miner

The first recorded case of cryptojacking occurred in September 2017. During this incident, the cryptocurrency mining service known as Coinhive introduced a code that allowed cryptocurrency miners to utilize third-party CPUs for mining the cryptocurrency Monero. Coinhive was regarded as the sixth most common malware globally at that time.  

Number of assets infected with Coinhive on Criminal IP Asset Search

However, this service was finally shut down in 2019 due to the declining price of cryptocurrencies, particularly Monero. Despite the official shutdown of the service in 2019, its cryptojacking traces remain. As of 2023, at least approximately five thousand devices are still infected with Coinhive cryptojacking, according to Criminal IP Asset Search.

2. Microsoft Store Cryptojacking Infected Applications

In 2019, eight applications infected with cryptojacking JavaScript were discovered on the Microsoft Store. Those applications were Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, FastTube, Findoo Browser 2019, Clean Master+ (Tutorials), and Findoo Mobile & Desktop Search. After this finding, Microsoft immediately removed the infected applications.

3. AMBERSQUID

The threat of cryptojacking has not ended yet. One of the most recent cases of cryptojacking, emerging in 2023, is AMBERSQUID. This cryptojacking threat mainly targets Amazon Web Services (AWS) services such as AWS Amplify, AWS Fargate, and Amazon SageMaker. AMBERSQUID has been reported to be able to infiltrate cloud services without triggering the AWS approval requirement for additional resources.

4. Qubitstrike

Another example of cryptojacking that occurred recently in 2023 is Qubitstrike. Cado Security reported in October 2023 that this crypto mining malware is targeting Jupyter Notebook users. Qubitstrike, which silently mines XMR cryptocurrency, employs Discord’s bot features to send commands to compromised nodes and track the attack progress.

Besides the examples above, you can also read this cryptojacking case example about South Korean government servers hacked by cryptojackers.

Cryptojacking Detection: How to Do It?

While the prevalence of cryptojacking may have reduced from its peak a few years ago, the threat persists. Cyberattackers continue to evolve their tactics, as demonstrated by the emergence of threats like AMBERSQUID earlier this year. Therefore, it remains crucial to stay vigilant against such attacks. To achieve this, knowing how to identify cryptojacking incidents is essential. Here is how to detect the presence of a cryptojacking threat on your devices:

1. Devices Running Slower Than Usual

You might think your computer runs slowly because too many applications are running simultaneously. Or you might assume that your RAM is handling too many tasks on your computer. While these factors could contribute to the issue, it is always a good idea to investigate whether any software is running silently without your knowledge.

2. Devices Hotter than Usual

Devices getting hotter might be a daily occurrence for some people, especially if you are running software that demands high use of RAM. If the issue remains for an extended period, running an antivirus scan on your computer is a good idea to find any irregularities.

3. Battery Drained More Quickly than Usual

A quickly drained battery is frequently encountered in older devices like laptops, tablets, and smartphones. If your device’s battery drains unusually quickly, check whether it is infected with any crypto mining JavaScript. Since cryptojacking scripts secretly hijack a device’s processing power to mine cryptocurrencies, they impose a substantial load on the CPU or GPU, causing these components to work overtime.

4. Stay Informed About the Latest Cryptojacking Cases

While Coinhive might have officially shut down its operation, it does not mean that cryptojacking attacks have ended. Cyberattackers keep developing new methods to hijack people’s devices to turn them into silent crypto mining resources. 

You have to keep up to date on the recent news about cryptojacking to stay vigilant about the issue. You can also run an asset search on a Cyber Threat Intelligence (CTI) search engine like Criminal IP to discover IP addresses, domains, and assets infected by cryptojacking. 

For example, suppose you want to check for CoinIMP, a crypto mining script that allows cyberattackers to start mining cryptocurrencies. Go to Criminal IP Asset Search and type “var_client = new Client.Anonymous”. Then, you will see sites infected with the CoinIMP crypto mining script.

Number of assets infected with CoinIMP on Criminal IP Asset Search
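
The same signature-matching idea can be applied to the HTML of a page you host or audit yourself. The following is an added example, not code from the original article or from Criminal IP: it scans script tags for the CoinIMP string quoted above (tolerating whitespace between `var` and `_client`) and for Coinhive's embed markers. The sample page, hostnames and site-key placeholder are constructed for illustration.

```javascript
// Signatures for the two in-browser miners named in this article.
// Coinhive strings come from its publicly documented embed snippet; the
// CoinIMP pattern is the search string quoted above, whitespace-tolerant.
const SIGNATURES = [
  { family: "Coinhive", where: "src",    re: /coinhive(\.min)?\.js/i },
  { family: "Coinhive", where: "inline", re: /\bCoinHive\.(Anonymous|User)\s*\(/ },
  { family: "CoinIMP",  where: "inline", re: /\bvar\s*_client\s*=\s*new\s+Client\.Anonymous\b/ },
];

// Yield every <script> element as { src, body, line } (line is 1-based).
function* scriptElements(html) {
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(tag)) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    yield {
      src: src ? (src[1] ?? src[2] ?? src[3]) : null,
      body: m[2],
      line: html.slice(0, m.index).split("\n").length,
    };
  }
}

// Check external script URLs and inline script bodies against each signature.
function scanForMiners(html) {
  const findings = [];
  for (const el of scriptElements(html)) {
    for (const sig of SIGNATURES) {
      const text = sig.where === "src" ? el.src : el.body;
      const hit = text && sig.re.exec(text);
      if (hit) findings.push({ family: sig.family, where: sig.where, line: el.line, evidence: hit[0] });
    }
  }
  return findings;
}

// Constructed sample page (not captured from a real site).
const SAMPLE_PAGE = [
  "<html><head>",
  '<script src="https://cdn.example.test/jquery.js"></script>',
  '<script src="https://miner.example.test/lib/coinhive.min.js"></script>',
  "<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>",
  "</head><body>",
  "<script>",
  "  var _client = new Client.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.5 });",
  "</script>",
  "<script>var client = makeClient(); // benign look-alike</script>",
  "</body></html>",
].join("\n");

console.log(scanForMiners(SAMPLE_PAGE));
```

A match only shows that a known embed pattern is present; renamed or obfuscated miners need behavioural checks such as the CPU symptoms described earlier.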

How to Prevent Cryptojacking

Cryptojacking threats are only one click away if you are not cautious enough when you are online. While cyber threats constantly evolve, maintaining online security requires awareness, preventive measures, and continuous caution. In this section, we will give you a few tips on preventing cryptojacking attacks on your devices.

1. Always Be Vigilant When You Are Online

The first line of defense against cryptojacking is vigilance. Always be cautious when clicking links, downloading files, or simply visiting websites, especially if they are from unknown sources. You can apply the “trust no one, suspect everyone” principle when you are online for your safety.

2. Install Antivirus on Your Devices

Installing a credible antivirus software on your devices is crucial. Antivirus programs can detect and block cryptojacking scripts, helping to keep your computer safe. Keep your antivirus software updated to the latest version to get the maximum protection against evolving threats, including cryptojacking.

3. Use Ad Blockers

Pop-up online ads are one of the main methods cyberattackers use to transfer their crypto mining JavaScript to the victims. Ad blockers can help prevent you from opening malicious ads like that. While not all online ads are harmful, blocking them can reduce exposure to potential threats. Many web browsers have ad-blocking extensions that you can install for an added layer of protection.

4. Be Careful Before Installing Any Application

Cyberattackers do not only target you through online ads and links in emails. They have become more creative in disguising their crypto-malware to get onto your device. The applications on the Microsoft Store infected with crypto mining JavaScript code are one example.

You must ensure the application is created by a legitimate developer to avoid this incident. Check if the developer has a legitimate website. See if the users leave any reviews. It will take five minutes to check those. Spending five minutes to check the legitimacy of an application does not sound too bad compared to crypto mining JavaScript penetrating your devices. 

5. Always Check the Link You Want to Click

Before clicking any link, hover your mouse over that link to reveal the destination URL. Ensure it matches your expectations and does not look suspicious. Be cautious with email attachments and links in emails, especially if they are unsolicited. Verify the legitimacy of the source before opening the link.
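
The hover check can also be run over the HTML of a message before anyone clicks. The following is an added example, not part of the original article or of any Criminal IP tool: it lists each link's real destination and flags cases where the visible text names a different host, the host is a raw IP address or punycode, or userinfo precedes the host. The sample email and all hostnames are constructed for illustration, and only double-quoted `href` attributes are handled.

```javascript
// Return the host a piece of visible text points at, or null if it is not URL-like.
function hostOf(text) {
  const t = text.trim();
  if (!/^(https?:\/\/|www\.)\S+$/i.test(t)) return null;
  try {
    return new URL(/^https?:/i.test(t) ? t : "https://" + t).hostname.replace(/^www\./, "");
  } catch { return null; }
}

// List every <a href="..."> with the reasons (if any) it deserves a second look.
function auditLinks(html) {
  const anchor = /<a\b[^>]*\bhref\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a\s*>/gi;
  const report = [];
  for (const [, href, inner] of html.matchAll(anchor)) {
    const label = inner.replace(/<[^>]*>/g, "").trim(); // strip nested tags
    const reasons = [];
    let dest = null;
    try { dest = new URL(href); } catch { reasons.push("unparseable href"); }
    if (dest) {
      const destHost = dest.hostname.replace(/^www\./, "");
      const shown = hostOf(label);
      if (!/^https?:$/.test(dest.protocol)) reasons.push("non-http scheme");
      if (shown && shown !== destHost) reasons.push(`label shows ${shown}, link goes to ${destHost}`);
      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(destHost)) reasons.push("raw IP address host");
      if (destHost.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode host");
      if (dest.username) reasons.push("userinfo before host");
    }
    report.push({ label, href, reasons });
  }
  return report;
}

// Constructed sample email body (not a real message).
const SAMPLE_EMAIL = [
  "<p>Hi, your invoice is ready.</p>",
  '<a href="https://billing.example.test/invoice/42">https://billing.example.test/invoice/42</a>',
  '<a href="https://login.example.net/reset">www.example.test</a>',
  '<a href="http://account.example.test@203.0.113.7/login"><b>Sign in</b></a>',
].join("\n");

console.log(auditLinks(SAMPLE_EMAIL));
```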

If you are using the Google Chrome browser, you can install this phishing link checker extension to help you detect any malicious links. Using AI technology, Criminal IP Phishing Link Checker performs a thorough scan to detect any potential threat before you click any link. 

For example, say you got a promotional email and you want to know whether the link is safe to click. After installing and activating the extension, you can right-click the link and choose Pre-Check This Link.

Checking the link before clicking with Criminal IP Phishing Link Checker

If the link is safe to click, you will get a result like this: 

Criminal IP Phishing Link Checker verified the link is safe to click

[Conclusion] Always be Vigilant Against Cryptojacking Threats

Cyber threats could be lurking on your devices even without your knowledge. What you can do as an internet user is always be cautious and vigilant against any online threats, including cryptojacking. But you do not have to worry too much, because you do not have to handle all the protection by yourself. Many security and protection tools can help protect you from cryptojacking attacks. One of the most crucial steps is to invest in a powerful antivirus to protect your devices from viruses and malware. As a preventive action, you can install the Criminal IP Link Checker to avoid clicking malicious links. Lastly, use a cybersecurity search engine tool like Criminal IP Search Engine to check any cryptojacking cases circulating online.