Cryptojacking: What Is It & How Does It Work?
Cryptojacking refers to using a computer to mine cryptocurrencies while the user is unaware. Learn about cryptojacking, how it works, and how to prevent it.
Cryptojacking is a cyberattack where hackers secretly use your device’s processing power to mine cryptocurrency.
It can take several forms, including browser-based scripts, malware infections, cloud-based exploits, and mobile app abuse.
Real-world incidents have involved major companies like Tesla, government websites, and platforms like YouTube.
Detection and prevention involve watching for signs like system slowdowns and high CPU usage, and using tools like antivirus software and browser blockers.
What is cryptojacking?
Cryptojacking is a form of cyberattack where hackers secretly use someone else's computing resources, like a laptop, phone, or even a server, to mine cryptocurrency. The victim usually has no idea this is happening. It’s like someone sneaking into your house and using your electricity to run a gold-mining operation in your basement.
Unlike ransomware or other obvious forms of malware, cryptojacking doesn’t steal your data or lock you out of your system. Instead, it quietly steals your CPU power. Over time, this can slow your system down, run up your energy bill, and cause long-term damage to your hardware.
How does cryptojacking work?
There are different types of cryptojacking, so it can vary slightly, but it generally works like this:
Infection: The attacker finds a way to deliver cryptomining code to your device. This might happen through malicious websites, infected software downloads, or phishing emails.
Execution: Once the code is on your device (or in your browser), it runs in the background—often undetected—mining cryptocurrency and sending the earnings back to the attacker.
Resource drain: While it’s running, the script eats up your CPU or GPU power, which can slow down your computer, cause it to overheat, or reduce its lifespan.
Some cryptojacking scripts only run while you're on a specific website, while others persist in the background even after you close your browser or restart your computer.
Types of cryptojacking
Cryptojacking can take several forms, depending on how the attacker delivers the cryptomining payload and what kind of system they’re targeting. While the end goal is always the same—stealing computing power to mine cryptocurrency—the tactics vary widely in sophistication and persistence.
Let’s break down the main types in more detail:
1. Browser-based cryptojacking
Often referred to as "drive-by mining," this method runs cryptomining scripts directly in your web browser, typically via JavaScript embedded in a webpage. It doesn't require downloading or installing malware. As long as you’re on the infected website, your CPU is working for the attacker. Though temporary and easier to stop (just close the tab), it can still impact performance and energy usage, especially in high-traffic environments.
2. File-based cryptojacking
This type involves actual malware being installed on a device. Delivered through phishing emails, fake software downloads, or malicious ads, the malware hides in the system and continuously mines in the background. It’s harder to detect than browser-based attacks, and because it runs persistently, it can significantly degrade system performance over time and even be used alongside other malicious tools.
3. Cloud cryptojacking
Attackers target cloud platforms like AWS, Azure, or Google Cloud to exploit large-scale processing power. If a hacker gains access through stolen credentials or misconfigured settings, they can spin up powerful mining operations on someone else’s dime. This method can lead to massive cloud bills and indicates serious security lapses, such as unsecured APIs or poor credential hygiene.
4. Mobile cryptojacking
Smartphones and tablets, particularly Android devices, are increasingly targeted by malicious apps that mine cryptocurrency in the background. Some mining apps even disguise themselves as games or utilities. These attacks drain battery life, slow device performance, and can potentially reduce hardware lifespan. While less profitable per device, mobile cryptojacking can scale quickly through mass app distribution.
5. Hybrid & advanced attacks
Some attackers combine methods, using browser scripts to test vulnerabilities before deploying malware, or using fileless techniques that live in system memory to avoid detection. These more sophisticated attacks may also involve lateral movement across networks or leverage legitimate system processes to disguise their activity.
Examples of cryptojacking
Cryptojacking has affected organizations across industries, from tech giants to government websites, showing how widespread and diverse this threat can be. Here are several notable incidents that highlight how cryptojacking works in the wild:
Tesla (2018): Hackers gained unauthorized access to Tesla’s Amazon Web Services (AWS) cloud environment through an unsecured Kubernetes console. They deployed mining software to exploit the company’s vast cloud resources and hid the operation using custom scripts and traffic masking to avoid detection. This case underscored the growing threat of cloud cryptojacking and the importance of securing cloud configurations.
Coinhive abuse (2017–2019): Coinhive was a legitimate service that allowed websites to mine Monero using visitor CPU power. Although intended for ethical opt-in use, cybercriminals quickly began embedding Coinhive’s JavaScript miner into compromised websites without user consent. At its peak, Coinhive was estimated to be responsible for over two-thirds of browser-based cryptojacking activity before it was shut down in 2019.
UK government websites compromised (2018): Over 4,000 websites, including domains operated by the UK’s Information Commissioner’s Office and the Student Loans Company, were compromised via a third-party accessibility plugin called Browsealoud. Attackers modified the plugin to inject a cryptomining script, turning users' browsers into Monero miners without consent. This attack demonstrated the risks of supply chain vulnerabilities.
YouTube ads serve miners (2018): Google’s ad platform was abused to deliver cryptojacking malware to YouTube viewers. Ads containing JavaScript-based miners were shown to users worldwide, causing CPU spikes even during short viewing sessions. This case illustrated how even well-regulated platforms can be leveraged for cryptojacking when malicious actors find loopholes in advertising networks.
The WannaMine malware (2018–2020): WannaMine is a cryptojacking worm that spreads through networks using stolen credentials and the EternalBlue exploit (the same exploit used by the WannaCry ransomware). Once inside a system, it installs file-based Monero miners and can severely degrade performance across entire organizations. Its ability to self-propagate made it particularly dangerous in enterprise environments.
Android cryptojacking apps (2019–2020): Researchers discovered dozens of Android apps on the Google Play Store embedded with cryptomining code, disguised as utility apps like QR code scanners and fitness trackers. Some would only mine when the phone was charging to avoid detection, while others drained resources constantly. Google has since removed many of these apps, but new variants continue to surface.
Los Angeles Times website (2018): A cryptojacking script was discovered in the interactive “Homicide Report” section of the LA Times website. The attacker exploited an unprotected Amazon S3 bucket used to host the page, injecting Coinhive code that mined Monero using visitors' browsers. The case highlighted how overlooked assets like data storage buckets can become attack vectors.
These examples show that cryptojacking isn’t just a fringe issue. It’s a widespread threat that targets everyone from individuals to multinational corporations. They also highlight how attackers continually evolve their techniques, using everything from cloud misconfigurations to ad networks and open-source repositories to deploy their miners.
How common is cryptojacking?
Cryptojacking saw a surge in popularity a few years ago when crypto prices were booming, and while it cooled down a bit, it never fully went away.
As of 2024 and beyond, cryptojacking has been steadily on the rise again, especially with the increasing popularity of privacy-focused coins like Monero. According to cybersecurity reports, cryptojacking incidents increased by over 400% in recent years, particularly in enterprise environments.
The low risk and high reward for attackers make it an appealing cybercrime. Unlike ransomware, which makes a lot of noise and requires direct interaction with the victim, cryptojacking flies under the radar and can go unnoticed for months.
Why is cryptojacking a concern?
Cryptojacking might seem “harmless” compared to ransomware or data breaches, but it carries real risks:
System slowdowns: Your computer or phone may become sluggish and unresponsive as it struggles to keep up with the added workload.
Higher electricity costs: All that extra processing burns through energy, raising bills, especially for businesses with large networks.
Hardware damage: Constant high CPU/GPU usage can overheat components and shorten your device’s lifespan.
Security red flags: If a hacker can install cryptojacking code, they might also be able to install more dangerous malware or steal data.
Business disruption: In corporate environments, cryptojacking can reduce productivity, eat up cloud resources, and lead to compliance or financial headaches.
How to detect cryptojacking
Detecting cryptojacking can be tricky, especially since it’s designed to be stealthy. But there are some telltale signs:
Unexplained system slowdown: If your device is suddenly sluggish, check your CPU usage.
Overheating: Fans running loudly or devices getting unusually hot could be a clue.
High CPU usage in Task Manager: On Windows, press Ctrl + Shift + Esc and look for unknown processes using a lot of CPU.
Browser acting weird: If your browser becomes laggy or crashes frequently, it might be running a cryptojacking script.
Battery drain on mobile: A sudden dip in battery life without an obvious cause might be due to hidden mining activity.
You can also use anti-malware software or browser extensions that specifically detect cryptojacking scripts.
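The "unknown processes using a lot of CPU" check above can be automated by looking for load that never lets up, rather than short spikes. The following is an added example, not part of the original article; the process names, the 80% threshold, the five-sample run length and the allowlist are assumptions chosen for illustration.

```python
from collections import defaultdict

def _series(name, values, step=60):
    """Build (seconds, process, cpu%) samples; None means the process was gone."""
    return [(i * step, name, v) for i, v in enumerate(values) if v is not None]

# Constructed one-minute samples, as a monitoring agent might log them.
# Process names are hypothetical, not from a real system.
SAMPLES = (
    _series("chrome", [20, 95, 97, 15, 10, 12])          # short burst
    + _series("backup", [90, 92, 94, None, None, None])  # finishes, exits
    + _series("indexer", [85, 88, 90, 86, 91, 87])       # known heavy job
    + _series("svc-helper", [88, 91, 93, 90, 92, 94])    # unknown, never lets up
)

def flag_sustained(samples, threshold=80.0, min_run=5, allowlist=frozenset()):
    """Return {process: longest run} for processes at or above `threshold`
    CPU for at least `min_run` consecutive sampling intervals."""
    by_time = defaultdict(dict)
    for ts, name, cpu in samples:
        # Sum in case several instances of the same name were sampled.
        by_time[ts][name] = by_time[ts].get(name, 0.0) + cpu

    current = defaultdict(int)   # length of the run in progress
    longest = defaultdict(int)   # longest run seen so far
    for ts in sorted(by_time):
        snapshot = by_time[ts]
        for name in set(current) | set(snapshot):
            if snapshot.get(name, 0.0) >= threshold:
                current[name] += 1
                longest[name] = max(longest[name], current[name])
            else:
                current[name] = 0  # idle or absent: the run is broken

    return {n: r for n, r in longest.items()
            if r >= min_run and n not in allowlist}

if __name__ == "__main__":
    hits = flag_sustained(SAMPLES, allowlist={"indexer"})
    for name, run in sorted(hits.items()):
        print(f"{name}: at or above 80% CPU for {run} consecutive samples")
```

A flagged process is a lead to investigate, not proof of mining; the allowlist is where known heavy jobs go so they stop generating noise.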
How to prevent cryptojacking
Thankfully, there are some simple steps you can take to protect yourself:
Use a reputable antivirus or anti-malware tool: Many modern security tools now include cryptojacking protection. Make sure it's updated regularly.
Install browser extensions: Extensions like No Coin or MinerBlock can block browser-based cryptomining scripts.
Keep software updated: Outdated software can contain vulnerabilities that attackers exploit to install mining scripts.
Use ad-blockers: Many cryptojacking scripts are delivered through malicious ads. A good ad-blocker can stop these in their tracks.
Be cautious with downloads and emails: Don't click on sketchy links or download unknown files. Phishing emails are a common delivery method for cryptojacking malware.
Monitor your system performance: Check your task manager or system monitor regularly. If something looks off, investigate.
Secure your cloud services: For businesses, properly configuring and securing cloud platforms is crucial. Use strong authentication, monitor usage, and restrict admin access.
By understanding the full spectrum of cryptojacking methods, both individuals and organizations can better recognize, mitigate, and prevent these silent attacks. Whether you're a casual web user or managing enterprise cloud infrastructure, staying aware of how cryptojacking operates across different vectors is the first step toward staying secure.