What is Cryptojacking?

In cryptojacking, cybercriminals infect computers and mobile devices with malware in order to use their computing power to generate cryptocurrencies. An infection can be detected by an inexplicably high CPU load. Several methods help to detect, stop, and prevent cryptojacking.

Cryptojacking – from “cryptocurrency” and “highjacking” – is a hybrid malware transmitted in the form of Trojans and scripts. Cryptojackers have pretty much replaced ransomware and viruses as one of the biggest online threats globally. Infiltrated systems are hijacked by criminals undetected for cryptomining of cryptocurrencies. As a result, CPU usage and energy consumption are extremely high. Unlike other malware, cryptojackers are primarily interested in hijacking computing resources; spying on sensitive user or system data does not play much of a role.

Cryptojacking is linked to the process of cryptomining. In cryptomining, miners provide their own computing capacity or combined capacities (when part of pools) in order to legitimize and verify transactions with cryptocurrencies and to document them in the blockchain. To ensure the legality of transactions, Bitcoin transactions, for example, are publicly recorded. However, anonymized altcoins such as Monero and Ethereum, offer criminals the necessary anonymity for illegal transactions via hijacked systems.

As cryptomining becomes more resource-intensive and time-consuming, profitable mining increasingly depends on high computing capacities and expensive power consumption. Illegal mining in the form of cryptojacking aims to use other people’s computing resources to generate profits without incurring any of their own operating costs. To this end, affected systems are often added to mining botnets that act as illegal mining pools and bundle computing power.

Becoming part of a large-scale cryptojacking network unintentionally and unknowingly is easier than you think. You could be lured in by scareware and end up clicking on a link that leads to an infected website or download a third-party app from a dubious source. The only thing you may notice is a slower system, because a Trojan will use the computing capacities of your PC or mobile device in the background.

Home users are not the sole target of cryptojackers: famous cryptojacking have involved major brands and businesses such as, for example, Tesla Motors, where employees used unprotected applications infected with cryptojacking scripts. Another well-known case was the Wi-Fi provided by Starbucks stores in Buenos Aires, through which the computing power of connected laptops and mobile devices was hijacked. Other examples include the websites of Cristiano Ronaldo and the San Diego Zoo, which unknowingly used the mining program Coinhive to mine computing powers of site visitors.

Depending on how foreign computers or mobile devices are used for cryptojacking, one distinguishes between the following categories of dangerous malware:

• Cryptojacking through Trojans/adware: Systems that become infected with a cryptojacking Trojan through infected websites, files, downloads, or other means are used to make CPU or GPU available for mining. Since they bypass antivirus programs and the task manager, they typically remain undetected for a long time.
• Cryptojacking through JavaScript/browsers: Here, mining code is hidden in scripts, e.g., in the form of code snippets of the Coinhive program, in websites and executed by the browser. Visitors to a website unknowingly make their computing power available for mining, possibly even after they have navigated away from the site which is possible through hidden popups or tabs. Since streaming portals keep their users on-page for a long time, they are also affected by mining codes in video players or disguised cryptojacking ads.

It seems ironic for the maker of the Coinhive JavaScript code, widely used for cryptojacking, to claim that Coinhive is an alternative to classic ad banners. But the idea behind a code like Coinhive is not illegal. Provided it is not abused. In principle, a code integrated into websites, via which visitors consciously agree to mining, can be a safe alternative to advertisements that lead to malicious scam or phishing sites or stealing of sensitive user data.

The prerequisite for this is that page visitors agree to offer a portion of their computing power for the website visit, as is the case with cookie queries. In this way, website operators finance themselves even without a high density of uncontrolled advertising. However, this could only be implemented through independent standards and transparency of cryptomining codes in web projects. A successful example for the legal use of Coinhive was a donation initiative of UNICEF Australia, where donations were generated through website visits.

If you are wondering whether your device is affected by cryptomining malware, you should pay attention to the most common sign to detect malware: an unexplained high CPU or GPU load. Since cryptojackers are primarily interested in computing power, it is difficult to hide the malware’s impact. In order to generate high profits from cryptojacking, workload must be correspondingly high. This can sometimes reach up to 90 or 100 percent.

Noticeably noisy operation of the computer’s ventilation or an overheated device indicates that processes are running in the background. So, unless you’re running computationally intensive tasks your device shouldn’t overheat. If it does, it may be indicative of a possible malware infestation. In the worst scenario, undetected cryptojacking can shorten the lifespan of your device due to permanent load and cause higher energy bills.

Those infected by cryptojacking Trojans should proceed as they would in case of any other malware infestation:

Scan your device using a reliable anti-malware software to check whether the malicious program is detectable; eliminate the malware. Since cryptojacking Trojans can disable antivirus software and inactivate the Task Manager or hide in the registry system files, this method isn’t always successful.

If anti-malware programs cannot detect anything, contact a professional IT security expert. You could play it safe by completely rebooting your device, e.g., by using Windows Recovery.

You can prevent cryptojacking Trojans by keeping your system up to date, installing updates, using a reliable and regularly updated antivirus program, and taking note of suspicious system behaviors, for example, a device heating up, loud ventilation, and slow processing power.

Since cryptojacking does not always infect your system, but also hijacks computing capacities via Java scripts, advertisements or streams, illegal mining can be prevented by blocking Java scripts or mining filter lists. Java scripts can then be disabled in any browser. However, this may result in some website functionalities no longer being executable. Browser extensions such as “No Coin” or “MinerBlock” also attempt to directly prevent mining activities in the browser.

It is safer to use holistic security solutions such as MyDefender from IONOS or Malwarebytes, which detect both “classic” malware and mining malware and combat them.

Since cryptojacking can damage hardware and lead to data loss, you should regularly back up your data using external media. MyDefender from IONOS is a suitable option offering automatic backups in ISO-certified data centers for double protection and multiple backups. You can back up selected data or entire systems.

Malware can be defined into roughly three categories:

• Viruses: Malicious program codes that multiply and manipulate and damage systems.
• Worms: A subclass of viruses that manipulates systems, damages them, opens access for additional malware, overloads computer capacity and, unlike viruses, spreads without user intervention, for example through emails and spam in networks; a well-known example is Emotet
• Trojans: Malicious program codes that do not reproduce but manipulate system functions

As cryptojacking shows, the boundaries between malicious programs are blurry. For example, computer worms often serve to open up access for malicious Trojans and rootkits. The most common functions of malware include:

• Espionage and phishing of sensitive user and access data
• Spreading or downloading further malware, e.g., as part of a botnets
• Infiltration to carry out cyber attacks
• “Highjacking” of systems to perform targeted tasks
• Overloading of computers and systems due to DDoS and DoS attacks
• Encryption of data for the purpose of extortion as is the case with ransomware