What is Cryptojacking?
Cryptojacking hijacks your computing resources to mine cryptocurrency for attackers. Learn how cryptojacking works, why cloud environments are prime targets, and how to detect unauthorized mining.
How Cryptojacking Works
Browser-based cryptojacking uses JavaScript embedded in compromised websites or delivered through ad networks to run cryptomining code in visitors' browsers. The mining code executes for as long as the browser tab is open, using the visitor's CPU. This technique peaked around 2017-2019 with the Coinhive JavaScript miner before the service closed.
Host-based cryptojacking installs cryptomining software on compromised servers, workstations, and cloud instances. Attackers gain initial access through phishing, vulnerability exploitation, or credential theft, then deploy cryptomining software that runs as a background process. The mining software competes for CPU resources with legitimate workloads, causing performance degradation that is often the first symptom detected.
Cloud cryptojacking targets misconfigured cloud environments — exposed Kubernetes clusters, misconfigured container registries, AWS instances with weak credentials — to deploy high-CPU cloud instances that mine cryptocurrency at the victim's expense. Cloud cryptojacking bills have reached hundreds of thousands of dollars before detection in documented cases.
Detection and Defense
Cryptojacking detection focuses on performance anomalies and unauthorized process execution. Unexpected CPU and GPU utilization spikes on servers and workstations indicate potential cryptomining activity. Cloud cost anomaly monitoring detects unexpected compute spend that indicates unauthorized cloud resource provisioning. Endpoint detection with process behavioral analysis identifies cryptomining software regardless of the specific binary, because cryptomining behavior — sustained high CPU utilization by a process with specific network communication patterns — is distinctive.
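The behavioral signal described above, sustained high CPU by a process that also holds a long-lived outbound connection, can be checked without knowing which miner binary is running. The following Python is an added example, not code from this page or any vendor; the thresholds, the `Sample` record, and all process names and addresses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for illustration; tune them against your own baseline.
CPU_THRESHOLD = 85.0   # percent CPU counted as "high"
MIN_SUSTAINED = 6      # consecutive high-CPU samples required
MIN_PERSISTENT = 6     # samples in which the same remote endpoint must appear

@dataclass
class Sample:
    ts: int                # sample index (one per minute in the constructed data)
    pid: int
    name: str
    cpu: float
    remote: Optional[str]  # established outbound "ip:port", or None

def longest_high_run(rows):
    """Longest streak of consecutive samples at or above CPU_THRESHOLD."""
    best = run = 0
    for r in rows:
        run = run + 1 if r.cpu >= CPU_THRESHOLD else 0
        best = max(best, run)
    return best

def flag_suspects(samples):
    """Return processes with sustained high CPU AND one long-lived outbound peer."""
    by_pid = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_pid.setdefault(s.pid, []).append(s)
    findings = []
    for pid, rows in by_pid.items():
        peers = Counter(r.remote for r in rows if r.remote)
        persistent = sorted(p for p, n in peers.items() if n >= MIN_PERSISTENT)
        streak = longest_high_run(rows)
        if streak >= MIN_SUSTAINED and persistent:
            findings.append({"pid": pid, "name": rows[0].name,
                             "high_cpu_streak": streak, "peers": persistent})
    return findings

def constructed_telemetry():
    """Constructed sample data: four processes over ten one-minute samples."""
    out = []
    for t in range(10):
        out.append(Sample(t, 4101, "svc-helper", 97.0, "203.0.113.10:443"))  # steady load, one peer
        out.append(Sample(t, 812, "nginx", 12.0, f"198.51.100.{t + 1}:52000"))  # many short-lived peers
        out.append(Sample(t, 2290, "ffmpeg", 99.0, None))  # CPU-heavy, no network
        out.append(Sample(t, 3007, "backup", 95.0 if t < 3 else 4.0, "192.0.2.7:22"))  # short burst
    return out
```

Only the process that combines both signals is returned; the CPU-heavy encoder, the short backup burst and the busy web server are not, which is why the combination produces fewer false positives than a CPU threshold alone.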
Cloud Cryptojacking Prevention
Cloud security posture management continuously monitors cloud environments for the misconfigurations that cryptojacking attackers exploit: publicly accessible Kubernetes API servers, unauthenticated Docker registries, and overly permissive IAM roles that allow new compute instance creation. Cloud cost monitoring with anomaly alerting provides early warning of cryptomining operations before costs accumulate significantly. AWS, Azure, and GCP all provide native cost anomaly detection services that alert on spending patterns inconsistent with historical baselines.
Real-World Example: Tesla's AWS Environment Cryptojacked
In 2018, security researchers discovered that Tesla's AWS environment had been compromised and was being used for cryptomining. The attackers gained access through an unsecured Kubernetes administration console that had no password protection. From the Kubernetes console, they accessed AWS credentials and deployed cryptomining workloads. Tesla's own cloud environment was mining cryptocurrency for attackers at Tesla's expense. The incident highlighted that cryptojacking is not limited to consumer devices or small organizations — cloud misconfigurations in sophisticated engineering organizations create the same exploitation opportunities.
In stolen compute resources through cryptojacking in 2023 — making it one of the most financially significant cybercrime categories by value transferred, even though individual victims often experience it as performance degradation rather than obvious theft.