What Is Cryptojacking? Definition and Explanation | Fortinet (2024)

Cryptojacking is also referred to as malicious cryptomining, and it is a threat that embeds itself within a computer or mobile device and then uses its resources to mine cryptocurrency.

Cryptojacking essentially gives the attacker free money—at the expense of your device and the overall health of your network. When a hacker cryptojacks a device, they are capitalizing on the device’s computing ability to solve complicated math problems. The reward for solving these problems is cryptocurrency, which can be traded in an exchange for other cryptocurrency or traditional money, often referred to as fiat currency.

Cryptojacking has been in the news for quite some time, but it has recently increased in popularity due to several factors in the cryptocurrency space. First, digital currencies have grown in popularity and are being accepted by more and more vendors and institutions. This is, in part, due to the growth of decentralized financing or DeFi. DeFi enables holders of and investors in digital currencies to engage in lending and borrowing, as well as make a profit by putting their currency in liquidity pools, which is where people borrow cryptocurrencies from.

Even if a cryptojacker does not plan to spend the cryptocurrency they “earn” by using your device’s resources, they can simply put them in a liquidity pool and earn that way. Therefore, with the growth of DeFi, cryptojacking has become an increasingly present threat.

Cryptocurrency is digital money with no physical representation. It is generated by solving math problems, called hashes. People earn cryptocurrency by using their computers to either solve or verify the solutions to math problems.

There are hundreds of cryptocurrencies, and each has its own coin or token. Each cryptocurrency was invented to solve a problem its creators felt other cryptocurrencies did not adequately address. One way of simplifying the vast array of cryptocurrencies is by focusing on the platforms used to make them.

Bitcoin, the most popular digital asset, is mined on the bitcoin blockchain. A blockchain refers to a series of math problems, organized in blocks that get solved in sequence. When a block of hashes is solved, it is added to the “chain” of blocks. The blockchain is open source, meaning anyone can see its code, copy it, and even use it to make their own cryptocurrency. Also, all transactions on the blockchain are public—even though the identities of those involved in the transaction are completely hidden.

In the bitcoin blockchain, it takes a relatively long time for a hash to get solved, making it inefficient for many purposes. This inefficiency drove the need for a different kind of blockchain, the Ethereum network.

The Ethereum network also incorporates solving mathematical problems, but it takes less computing power to do so. Hence, transactions designed for the Ethereum blockchain can typically happen much quicker. You may also create applications— called decentralized apps or dapps—on the Ethereum network.

People make dapps to take advantage of trustless transactions without a middleman. Like all cryptocurrency transactions, the exchange involves a peer-to-peer interaction. This is significantly different than what happens when you write someone a check or pay using a credit card. In these transactions, a third party, a bank, is entrusted with holding your money and giving it to the person from whom you wish to purchase a good or service.

With a dapp, you can use a contract custom designed to accomplish the transaction without involving a third party. These are called smart contracts. The smart contract is just a program, but it does everything a bank or another third party would do—and a few things they cannot. For example, it verifies that the funds being used in the transaction have legitimate value, that they are delivered only when certain conditions have been met, and that the proper amounts are being distributed.

Many of the protocols on the Ethereum network have their own token or cryptocurrency. In most cases, users can use the cryptocurrency they have to vote on how a certain platform will operate in the future. Some platforms’ cryptos are only intended to be used for governing what happens with the platform. However, this does not stop people from trading these coins, which gives them value.

The value of cryptocurrencies, even those that may never be directly used to purchase goods and services, is central to the cryptojacking problem. Some of the tokens take so little computing power to generate that a relatively weak computer or device, once it has been hacked, can be a useful money-making tool. And because those who solve the problems are rewarded not just for generating new blocks but for verifying transactions, even a slow computer can earn a hacker money—as long as they do not have to pay the electricity bill. When your device or computer is compromised, you are supplying a hacker with both the computing power and the electricity to make money.

Cryptocurrency mining involves either solving hashes to generate blocks that get added to the blockchain or verifying transactions happening between the blockchain’s users. The “mining” process is performed by a computer that is essentially coming up with a password to crack an encryption. If a computer were charged with figuring out the password to your laptop, for instance, it would have to try enough combinations of numbers or letters until it got it right.

However, most people’s passwords are fairly short sequences of letters and digits. With a cryptocurrency, the password is long and random. During the mining process, a computer’s resources are devoted to figuring out the encryption. Once the encryption has been solved, it has to be verified by other users on the network. If the solution checks out, it is certified by the system as legitimate, and whoever solved it is rewarded with cryptocurrency. Those who verified the validity of the solution are also rewarded for their efforts.

The only thing someone needs to start cryptomining is a computer. For bitcoin mining, the computer needs to be very powerful to compete with the other devices trying to solve problems on the blockchain. For some currencies, however, solving the problems requires less power, and a normal smartphone, tablet, desktop, laptop, or server may be fast enough to get the job done. If a hacker can cryptojack devices on your network, they can therefore get you to fund and facilitate their cryptocurrency mining.

Cryptojacking works by either using malware or doing what is referred to as drive-by cryptomining. When a hacker uses malware, a portion of your computer is taken over and controlled, similar to what happens with ransomware. But unlike ransomware, the control happens unseen, in the background, while you continue to use the device.

Here is how this process works, step by step:

1. You click on a malicious link in an email. The email and link may look completely innocent.
2. Clicking on the link loads cryptomining code into your computer, which places a mining script in the background. The script is designed to control your computer.
3. The script captures some or all of your device’s computing power and uses it to mine cryptocurrency.
4. The cryptojacker monitors the crypto being mined and collects it in their digital wallet.

Drive-by cryptomining has its origins in a legitimate transaction. People would openly disclose that visitors’ computers would be used to mine cryptocurrency while they were on the site. Once they left the site, their device would no longer be used to mine. This eventually gave rise to drive-by cryptomining, which involves using visitors’ devices to mine crypto without their permission.

When the unsuspecting user visits the site, code is placed on their device. Not only does the user not know that their device is being used to mine but it also continues mining long after they leave the site.

Some cryptojacking malware works like a worm-style virus. It moves through your network, infecting one device after another, enslaving them all, and consuming their resources in the process.

It can be difficult to detect cryptojacking after it has happened because the process is often hidden or made to look like a benevolent activity on your device. However, there are some telltale signs to watch out for:

1. Your laptop or computer’s fan is running faster than usual. This is because the cryptojacking script or website is causing it to heat up, and your fan is running to prevent melting or a fire.
2. Your device feels much hotter than usual.
3. Your battery is draining more quickly than it normally would.
4. Your device is running slowly, crashing, or exhibiting unusually poor performance.

To prevent cryptojacking while visiting websites, make sure each site you visit is on a carefully vetted whitelist. You can also blacklist sites known for cryptojacking, but this may still leave your device or network exposed to new cryptojacking pages.

Another option for preventing cryptojacking while browsing is to block JavaScript, which is one of the tools used to gain access to your device’s computing power. However, this could make some important features of the sites you want to visit unusable. You can also try using programs designed to block mining while you visit websites. They install as extensions in some popular browsers.

However, an all-around cybersecurity program is a more comprehensive solution. It can serve as a catch-all because it detects threats across the board and can provide protection even if hackers find workarounds for the software designed to block mining.

In February 2018, cryptojacking code was discovered concealed within the Los Angeles Times' Homicide Report page. The code on the site was made by a legitimate cryptominer called Coinhive. It was used to mine a popular currency called Monero. When visitors went to the Homicide Report page, their devices were used to mine Monero. It took awhile for the threat to be detected because the amount of computing power the script used was decreased, so users would not be able to tell their device had been enslaved.

A water utility in Europe was also hacked by cryptominers in early 2018, a big year for cryptojacking. A security firm, Radiflow, discovered the presence of cryptomining scripts that had been using the system’s resources to generate income. It reportedly had a “significant impact” on the water company’s systems. Similar to the Los Angeles Times hack, the miner was generating Monero.

The political fact-checking website PolitiFact was also victimized by cryptominers in 2017. Like the Los Angeles Times cryptomining, Coinhive was used in the attack, but the code was programmed to initiate eight simultaneous instances of the miner, devouring the visitor’s resources.