Cryptojacking: How Attackers Mine Cryptocurrency on Your Systems

Bottom Line Up Front

Cryptojacking attacks hijack your computing resources to mine cryptocurrency for attackers, creating unauthorized resource consumption, performance degradation, and compliance violations. These attacks exploit your infrastructure’s processing power through malicious scripts, compromised applications, or unauthorized mining software, often flying under the radar for months.

From a compliance perspective, cryptojacking represents unauthorized system access and resource misuse that violates controls across SOC 2 (CC6.1, CC6.7), ISO 27001 (A.12.6.1, A.16.1.2), NIST CSF (Detect and Respond functions), and PCI DSS (Requirements 5, 11). Healthcare organizations face additional HIPAA concerns if cryptojacking compromises system availability or potentially exposes PHI through system instability.

Your security program needs cryptojacking detection and prevention controls not just for resource protection, but to demonstrate you’re monitoring for unauthorized activities and can detect compromise — core requirements across every major compliance framework.

Technical Overview

Attack Architecture and Data Flow

Cryptojacking operates through three primary attack vectors that security teams must monitor:

Browser-based cryptojacking injects mining scripts into web applications or compromised websites. When users visit infected pages, JavaScript miners execute in their browsers, consuming CPU cycles to mine Monero or other privacy coins. The mining pool communication flows through WebSocket connections or HTTP requests to attacker-controlled infrastructure.

Server-side cryptojacking deploys persistent mining software directly on compromised systems. Attackers exploit vulnerabilities, weak credentials, or misconfigured cloud instances to install miners like XMRig or CGMiner. These miners establish persistent connections to mining pools, often using domain generation algorithms (DGAs) or encrypted tunnels to evade detection.

Container and cloud cryptojacking targets misconfigured Kubernetes clusters, exposed Docker APIs, or compromised cloud instances. Attackers deploy mining containers or modify existing workloads to include mining processes, leveraging auto-scaling features to maximize resource consumption across your cloud environment.

Defense in Depth Positioning

Cryptojacking detection sits at multiple layers of your security stack:

  • Network layer: Monitor for mining pool communications, unusual outbound connections, and DNS queries to known mining domains
  • Host layer: Track CPU/GPU utilization patterns, process behavior, and unauthorized software installation
  • Application layer: Scan web applications for injected mining scripts and monitor JavaScript execution patterns
  • Cloud layer: Monitor cloud resource consumption, container behavior, and serverless function abuse

Cloud vs. On-Premises Considerations

Cloud environments face unique cryptojacking risks through auto-scaling abuse, where attackers trigger scaling events to maximize mining resources at your expense. Monitor CloudWatch, Azure Monitor, or GCP metrics for unusual resource consumption patterns that don’t correlate with legitimate workloads.

On-premises environments typically see cryptojacking through endpoint compromise or web application injection. Focus on endpoint detection and response (EDR) tools and network monitoring for mining pool communications.

Hybrid environments require correlation across both environments, as attackers often use compromised endpoints as pivot points to access cloud resources or vice versa.

Compliance Requirements Addressed

Framework-Specific Control Mapping

| Framework | Primary Controls | Evidence Requirements |
|---|---|---|
| SOC 2 | CC6.1 (Logical Access), CC6.7 (Data Transmission), CC7.2 (System Monitoring) | Security monitoring logs, incident response procedures, access review documentation |
| ISO 27001 | A.12.6.1 (Malware Management), A.16.1.2 (Incident Reporting), A.12.1.2 (Change Management) | Anti-malware policies, incident response plan, monitoring procedures |
| NIST CSF | DE.CM (Security Continuous Monitoring), RS.RP (Response Planning) | Monitoring baseline documentation, response procedures, detection tool configuration |
| PCI DSS | Requirement 5 (Anti-Virus), Requirement 11 (Security Testing) | Anti-malware deployment evidence, vulnerability scan results, log monitoring |

Compliance vs. Maturity Gap

Meeting compliance means having basic monitoring for unauthorized processes and documented incident response procedures. Your SIEM ingests system logs and flags obvious indicators like known mining software.

Security maturity requires behavioral analysis, machine learning-based detection, automated response capabilities, and proactive threat hunting. Mature programs detect cryptojacking through subtle indicators like unusual CPU patterns or network behavior changes.

Auditor Evidence Requirements

Auditors need to see:

  • Detection capabilities: SIEM rules, EDR deployment, network monitoring configuration
  • Response procedures: Incident response plan updates covering cryptojacking scenarios
  • Historical evidence: Log retention showing monitoring coverage, incident tickets for investigated alerts
  • Control testing: Evidence of testing detection rules and response procedures

Implementation Guide

AWS Environment Deployment

CloudWatch Integration:
```yaml
# CloudWatch Alarm for EC2 CPU Anomalies
# Average CPU above 80% for three consecutive 5-minute periods (15 minutes).
Resources:
  CryptojackingCPUAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: "High-CPU-Cryptojacking-Detection"
      MetricName: CPUUtilization
      Namespace: AWS/EC2
      # Add Dimensions (InstanceId or AutoScalingGroupName) to scope the alarm
      # to the instances you want to watch.
      Statistic: Average
      Period: 300
      EvaluationPeriods: 3
      Threshold: 80
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
```

GuardDuty Configuration:
Enable the GuardDuty CryptoCurrency finding types in your Security Hub integration. Configure custom threat intelligence feeds with known mining pool domains and IP addresses.

VPC Flow Logs Analysis:
```sql
-- Athena query for mining pool communications
-- Sums accepted bytes per source/destination/port on common mining-pool ports
-- and keeps only sustained-volume talkers.
SELECT srcaddr, dstaddr, dstport, sum(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE dstport IN (3333, 4444, 5555, 8080, 14444)
  AND action = 'ACCEPT'
GROUP BY srcaddr, dstaddr, dstport
HAVING sum(bytes) > 1000000
ORDER BY total_bytes DESC;
```

Azure Environment Implementation

Azure Security Center Integration:
Configure Security Center’s adaptive application controls to whitelist approved processes and flag unauthorized mining software. Enable just-in-time VM access to reduce cryptojacking through compromised RDP/SSH.

Log Analytics Workspace:
```kql
// KQL query for cryptojacking process detection
SecurityEvent
| where EventID == 4688 // Process creation
| where Process contains "xmrig" or Process contains "cgminer"
    or Process contains "ethminer" or CommandLine contains "stratum+tcp"
| summarize count() by Computer, Process, CommandLine, TimeGenerated
| order by TimeGenerated desc
```

On-Premises SIEM Integration

Splunk Detection Rules:
```spl
index=windows EventCode=4688
| eval ProcessName=lower(Process_Name)
| search ProcessName="*xmrig*" OR ProcessName="*cgminer*" OR ProcessName="*ethminer*"
| table _time, Computer, Process_Name, Process_Command_Line, User
```

Network Monitoring with Suricata:
```
# Suricata rule for mining pool detection
# Fires on established client-to-server traffic to common mining-pool ports
# whose payload carries a stratum+tcp pool URL.
alert tcp any any -> any [3333,4444,5555,8080,14444] (msg:"Possible Cryptojacking - Mining Pool Connection"; flow:established,to_server; content:"stratum+tcp"; sid:1000001; rev:1;)
```
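The three detections above (the Athena flow-log aggregation, the KQL/Splunk process-name and command-line matching, and the Suricata port-plus-payload rule) share one logic, which the following Python implements in a portable, offline form. This is an added example, not code from the original article or from any of the tools it names; the process events and flow records are constructed, and the miner names, ports and byte threshold are taken from the page's own queries. It generalizes slightly by matching on the process basename (Event ID 4688 logs a full path) and by accepting the stratum+ssl scheme alongside stratum+tcp.

```python
"""Cryptojacking indicator matching over host process events and network
flow records. Added example, not from the article; sample data is constructed."""
from collections import defaultdict
import re

# Miner names, pool ports and byte threshold mirror the article's queries.
MINER_PROCESS_NAMES = {"xmrig", "cgminer", "ethminer", "minerd"}
MINING_POOL_PORTS = {3333, 4444, 5555, 8080, 14444}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
BYTES_THRESHOLD = 1_000_000

# Constructed process-creation events, shaped loosely like Event ID 4688 fields.
PROCESS_EVENTS = [
    {"host": "ws01", "user": "alice", "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "srv07", "user": "svc_build", "process": r"C:\ProgramData\tmp\XMRig.exe",
     "cmdline": "XMRig.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER"},
    {"host": "srv09", "user": "bob", "process": "/usr/bin/python3",
     "cmdline": "python3 sysupdate.py --url stratum+ssl://pool.example:14444"},
]

# Constructed VPC-flow-style records: (srcaddr, dstaddr, dstport, bytes, action).
FLOW_RECORDS = [
    ("10.0.1.5", "203.0.113.10", 443, 52_000, "ACCEPT"),
    ("10.0.1.7", "198.51.100.20", 3333, 700_000, "ACCEPT"),
    ("10.0.1.7", "198.51.100.20", 3333, 650_000, "ACCEPT"),
    ("10.0.1.9", "198.51.100.30", 8080, 20_000, "ACCEPT"),   # small, ordinary 8080 traffic
    ("10.0.1.9", "198.51.100.40", 4444, 2_000_000, "REJECT"),  # blocked, so not counted
]


def match_process_event(event):
    """Return a reason string if the event looks like a miner, else None.
    Matches on the basename so full paths still hit the known-miner list."""
    basename = re.split(r"[\\/]", event["process"])[-1].lower()
    stem = basename[:-4] if basename.endswith(".exe") else basename
    if stem in MINER_PROCESS_NAMES:
        return f"known miner binary: {basename}"
    if STRATUM_RE.search(event["cmdline"]):
        return "stratum pool URL in command line"
    return None


def aggregate_mining_flows(records):
    """Sum accepted bytes per (src, dst, port) on mining-pool ports and keep only
    sustained-volume talkers, as the Athena query's HAVING clause does."""
    totals = defaultdict(int)
    for src, dst, port, nbytes, action in records:
        if action == "ACCEPT" and port in MINING_POOL_PORTS:
            totals[(src, dst, port)] += nbytes
    return {key: total for key, total in totals.items() if total > BYTES_THRESHOLD}


def find_indicators(process_events=PROCESS_EVENTS, flow_records=FLOW_RECORDS):
    """Combine host-layer and network-layer matches into one finding list."""
    findings = []
    for event in process_events:
        reason = match_process_event(event)
        if reason:
            findings.append(("host", event["host"], reason))
    for (src, dst, port), total in aggregate_mining_flows(flow_records).items():
        findings.append(("network", src, f"{total} bytes to {dst}:{port}"))
    return findings


if __name__ == "__main__":
    for layer, source, detail in find_indicators():
        print(f"[{layer}] {source}: {detail}")
```

Port 8080 appears in the article's port list but is also ordinary HTTP-alternate traffic, which is why the network side requires the sustained byte volume rather than a port hit alone; in production, treat a port match as a weak signal and corroborate it with the process-level indicators or with the pool-domain blocklists the operational section describes.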

Container Environment Protection

Kubernetes Pod Security Standards:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app            # placeholder name
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: app:latest  # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
      resources:
        limits:          # caps what a hijacked container can consume
          cpu: "1"
          memory: "1Gi"
```
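To see which of these settings a workload is missing before it reaches the cluster, the following added Python check (not part of the article or of Kubernetes itself) evaluates a pod manifest against each field in the snippet above, including the CPU and memory limits that bound how much a hijacked pod can burn. The manifests are constructed Python dicts standing in for parsed YAML, so no YAML library is assumed.

```python
"""Pod hardening check against the Pod Security Standards settings above.
Added example; manifests below are constructed dicts, not real workloads."""

REQUIRED_DROP_CAPS = {"ALL"}


def check_pod(manifest):
    """Return a list of findings; an empty list means every check passed.
    Only pod-level seccomp is checked, matching the snippet's layout."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    if pod_ctx.get("runAsNonRoot") is not True:
        findings.append("pod: runAsNonRoot is not true")
    if pod_ctx.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type is not RuntimeDefault")
    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext", {})
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        dropped = set(ctx.get("capabilities", {}).get("drop", []))
        if not REQUIRED_DROP_CAPS <= dropped:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        limits = container.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no {resource} limit (unbounded consumption)")
    return findings


# Constructed manifest mirroring the hardened snippet above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "app:latest",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]},
                                "readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
        }],
    },
}

# Constructed manifest with none of the hardening applied.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy"},
    "spec": {"containers": [{"name": "web", "image": "web:1.0"}]},
}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, check_pod(pod) or "OK")
```

The same checks are what a validating admission policy would enforce; running them in CI over rendered manifests catches the missing resource limits that let a compromised workload scale its consumption unchecked.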

Falco Runtime Security:
```yaml
# Falco rule for cryptocurrency mining detection
- rule: Cryptocurrency Mining Process
  desc: Detect cryptocurrency mining
  condition: >
    spawned_process and proc.name in (xmrig, cgminer, ethminer, minerd)
  output: >
    Cryptocurrency mining process detected (user=%user.name proc=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
```

Operational Management

Daily Monitoring Tasks

Morning Security Review:

  • Check SIEM dashboard for overnight cryptojacking alerts
  • Review CloudWatch/Azure Monitor for resource consumption anomalies
  • Validate EDR agent status across all endpoints
  • Scan overnight vulnerability reports for cryptojacking-related indicators

Resource Utilization Baseline:
Establish normal CPU/GPU utilization patterns for each system type. Document baseline performance metrics during legitimate workloads to identify deviations that may indicate cryptojacking.

Weekly Analysis Procedures

Threat Intelligence Updates:

  • Update mining pool domain blocklists from threat feeds
  • Review new cryptojacking TTPs from MITRE ATT&CK updates
  • Validate SIEM detection rules against latest mining software variants
  • Test incident response playbooks with tabletop exercises

Performance Correlation:
Correlate help desk tickets about “slow systems” with security monitoring data. Many cryptojacking incidents are first reported as performance issues rather than security alerts.

Monthly Security Assessments

Detection Rule Tuning:
Analyze false positive rates on cryptojacking detection rules. Tune thresholds based on actual attack patterns while maintaining coverage for legitimate business processes that may trigger alerts.

Compliance Evidence Collection:
Document cryptojacking-specific monitoring coverage for compliance reporting. Collect evidence of detection rule effectiveness, incident response capability, and preventive control deployment.

Common Pitfalls

Detection Avoidance Traps

Resource Throttling Bypass: Modern cryptojacking malware throttles CPU usage to avoid detection, operating at 60-70% capacity instead of maxing out resources. Don’t rely solely on high CPU alerts — monitor for sustained moderate consumption that doesn’t correlate with legitimate workloads.
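The throttling point above, together with the resource utilization baseline described under daily monitoring, is easiest to see in code: a fixed high-CPU threshold like the 80% CloudWatch alarm never fires on a miner holding at 60-70%, while a baseline-relative rule over the same samples does. The following is an added Python example, not from the article; the 5-minute CPU samples are constructed, and the baseline statistics and the six-period "sustained" window are illustrative choices.

```python
"""Baseline-relative detector for throttled miners. Added example, not from
the article; all samples are constructed 5-minute average CPU percentages."""
from statistics import mean, pstdev

# Constructed baseline: a normal week for one system type (idle web tier).
BASELINE_SAMPLES = [12, 15, 11, 18, 14, 13, 16, 12, 20, 14, 13, 15]
# Constructed observation: a miner throttled to ~65% that starts at sample 2.
OBSERVED_SAMPLES = [14, 13, 66, 64, 68, 65, 63, 67, 66, 64, 65, 67]

HIGH_CPU_THRESHOLD = 80   # the fixed threshold from the CloudWatch alarm
SUSTAINED_PERIODS = 6     # consecutive periods (30 minutes) that count as sustained


def build_baseline(samples):
    """Return (mean, population stdev) of normal utilization for a system type."""
    return mean(samples), pstdev(samples)


def high_cpu_alarm(samples, threshold=HIGH_CPU_THRESHOLD, periods=3):
    """Classic rule: N consecutive periods above a fixed threshold."""
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= periods:
            return True
    return False


def sustained_deviation(samples, baseline, k=3.0, periods=SUSTAINED_PERIODS):
    """Return the start index of the first run of `periods` consecutive samples
    sitting more than k standard deviations above the baseline mean, else None.
    Short spikes reset the run, so a one-off batch job does not trip it."""
    base_mean, base_std = baseline
    ceiling = base_mean + k * max(base_std, 1.0)  # guard against a flat baseline
    run_start = None
    for idx, value in enumerate(samples):
        if value > ceiling:
            if run_start is None:
                run_start = idx
            if idx - run_start + 1 >= periods:
                return run_start
        else:
            run_start = None
    return None


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    print("baseline mean=%.1f stdev=%.1f" % baseline)
    print("fixed 80%% rule fires:", high_cpu_alarm(OBSERVED_SAMPLES))
    print("sustained deviation starts at:", sustained_deviation(OBSERVED_SAMPLES, baseline))
```

Keep one baseline per system type rather than one global number; a build server's normal load would swallow the deviation that is obvious on an idle web tier, and the deviation rule should feed the same correlation with scheduled jobs and known destinations that the FAQ describes, since a legitimate long-running batch also produces a sustained plateau.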

Legitimate Mining Confusion: Some organizations run legitimate cryptocurrency mining or blockchain operations. Clearly document approved mining activities to avoid false positives and compliance confusion. Your auditor needs to understand the difference between authorized and unauthorized mining.

Cloud Misconfiguration Risks

Auto-Scaling Abuse: Attackers trigger cloud auto-scaling to maximize mining resources. Implement scaling policies with rate limiting and monitoring for unexpected scaling events that don’t correlate with application metrics.

Serverless Function Hijacking: AWS Lambda, Azure Functions, and Google Cloud Functions face cryptojacking through compromised deployment pipelines. Monitor function execution times, memory usage, and network connections for mining indicators.

Compliance Documentation Gaps

Incident Classification: Ensure your incident response plan specifically addresses cryptojacking scenarios. Many organizations treat these as performance issues rather than security incidents, missing compliance requirements for security event documentation.

Evidence Retention: Maintain detailed logs of cryptojacking investigations for compliance audits. Document the business impact, response timeline, and remediation actions taken to demonstrate effective incident response capabilities.

FAQ

What’s the difference between cryptojacking and legitimate cryptocurrency mining?
Legitimate mining is authorized, documented, and managed by your organization with proper resource allocation and security controls. Cryptojacking is unauthorized resource hijacking by external attackers. Document your organization’s position on cryptocurrency mining to avoid audit confusion.

How do I differentiate cryptojacking alerts from false positives caused by legitimate high-CPU applications?
Correlate resource usage with business context — legitimate applications have predictable usage patterns, scheduled execution times, and known network destinations. Cryptojacking typically shows sustained resource usage with connections to external mining pools and often occurs during off-hours.

Does browser-based cryptojacking require endpoint installation?
No, browser-based cryptojacking executes through JavaScript in web browsers without installing persistent software. Monitor for unusual browser CPU usage, web application security scans for injected scripts, and network connections to known mining domains from user endpoints.

How quickly should we respond to confirmed cryptojacking incidents?
Treat cryptojacking as a security incident requiring immediate containment within your standard incident response timeframes. While not as critical as data breaches, cryptojacking indicates system compromise that could escalate to more serious attacks. Document response times for compliance reporting.

What cloud-specific monitoring is required for cryptojacking detection?
Monitor cloud resource consumption metrics, container runtime behavior, serverless function execution patterns, and unexpected auto-scaling events. Implement cloud security monitoring tools that can correlate resource usage with legitimate business activities and alert on unauthorized mining activities.

Conclusion

Effective cryptojacking protection requires layered detection across your entire infrastructure stack, from browser-based script monitoring to cloud resource usage analysis. The key is correlating resource consumption patterns with legitimate business activities to identify unauthorized mining operations before they impact performance or compliance.

Your compliance program benefits significantly from robust cryptojacking detection capabilities, as these controls demonstrate comprehensive system monitoring and incident response readiness across multiple frameworks. Security teams that implement behavioral analysis beyond simple signature detection will catch sophisticated attacks that evade traditional security tools.

Remember that cryptojacking often serves as the initial foothold for more serious attacks. Treating these incidents as indicators of broader compromise, rather than isolated performance issues, strengthens both your security posture and compliance documentation.

SecureSystems.com provides practical, results-focused compliance and security services for startups, SMBs, and agile teams across SaaS, fintech, healthcare, e-commerce, and public sector. We specialize in making compliance achievable for organizations that don’t have a 20-person security team — with clear timelines, transparent pricing, and hands-on implementation support. Whether you need SOC 2 readiness, ISO 27001 implementation, HIPAA compliance, penetration testing, or ongoing security program management, our team of security analysts, compliance officers, and ethical hackers gets you audit-ready faster. Book a free compliance assessment to find out exactly where you stand and get a roadmap for implementing comprehensive threat detection that meets your compliance requirements while actually protecting your business.
