Cryptojacking works by planting mining code on a device or server so it quietly runs proof-of-work calculations for the attacker, usually generating Monero or another privacy coin rather than Bitcoin, since Monero's algorithm resists specialized ASIC hardware and its payouts are harder to trace to a wallet address. There are two main delivery routes: file-based malware that installs a persistent miner after a user opens an infected attachment, pirated software bundle, or vulnerable server exploit, and browser-based scripts injected into a website's code that mine only while the tab stays open. Once active, the code deliberately throttles CPU or GPU usage to stay below levels that would trigger obvious alarms.
Attackers favor cryptojacking over ransomware or data theft because it carries less legal risk: no files are encrypted, nothing is stolen, and the victim may never notice beyond a slower device, a spinning fan, and a higher electricity bill. Businesses face a larger version of the same problem when cloud infrastructure is compromised, since unmonitored cloud accounts can run mining instances that generate massive unauthorized billing before anyone investigates. Exposed Kubernetes dashboards, unpatched web servers, and compromised software plugins have all been used as entry points in real-world campaigns.
- Sudden CPU spikes, overheating, or shortened battery life on a device
- Unexpected cloud compute charges tied to unrecognized instances
- Sluggish browser performance that stops after closing a specific tab
Keeping software patched, restricting browser scripting where possible, and monitoring cloud resource usage remain the most effective defenses, since cryptojacking depends entirely on going unnoticed.