Cryptojacking: What is It And What You Need To Know In 2022

January 26, 2022 - Cory Kujawski

Cryptojacking is the illegal practice of using a computer or mobile device to mine cryptocurrencies without the user's knowledge or permission. Many websites are infected with cryptojackers today. In this article, we'll cover what cryptojacking is, how it works, and the steps you can take to protect your website in 2022.

What is cryptojacking?

Cryptojacking is malicious Javascript hosted on unscrupulous and compromised websites that steals site visitors' CPU to mine cryptocurrencies. As you know, hackers are always looking for ways to profit from the equipment they compromise.

Given the prolific number of vulnerabilities being discovered and exploited, now is a good time to come up to speed on how hackers can profit through cryptojacking. Exploits like Log4j can be used to infect websites with profitable malicious code, not just Magecart. Hackers often take advantage of cryptocurrency mining to make their operations profitable; this is nothing new. We have seen home routers, corporate servers, and even compromised AWS credentials being used to earn cryptocurrency through mining. With cryptojacking, this is possible by simply including some malicious javascript into your website's source code. Only users who notice their computer running non-stop would know it was even present. 

How does it work?

Cryptojacking works by stealing other people's processing power and using it to mine cryptocurrencies. This is usually achieved with javascript running behind the scenes on websites, but it's also possible to hijack machines and servers to run full-blown cryptocurrency mining software, which could be installed either by malware or by rogue employees.

It's a bit like someone else borrowing your car to drive  deliveries and earn money behind your back, using up your gas and leaving you with added wear and tear on your vehicle in the process


Image via ENISA

When you visit a website running a crypto miner don't expect to be informed, asked for consent, or have to do anything to start the mining process. Simply visiting a website is all it takes for thieves to steal your CPU. And it's not exactly a harmless act.

While researching Cryptojacking our laptops heated up and fans kicked on. Cryptojacking not only degrades the performance of users' computer but shortens the life of their computer's components. For site owners, cryptojacking degrades page performance as well as user experience, ultimately driving visitors away from your site. 

Hackers aren't limited when choosing how they are going to inject a miner into your website. In the course of our research, we found thousands of live samples including cryptoloot, coinimp, jsecoin, crypto-webminer, cryptonoter, monerominer, deepminer, and coin-have.

There's a questionably low bar of entry to set up a mining operation. Simply signing up for a mining pool and pasting a couple lines of code into the source of a website is all it takes for an attacker to set up shop. They honestly don't even have to understand how it works. The code used by the mining operations is top-notch. It's designed using the latest technology to get the most out of a computer CPU. Hackers implement web assembly, a portable binary code in javascript capable of utilizing low-level languages such as C, so miners are able to get the most from the CPU of website users. This not only gives them the best access to your CPU for computation but has the added benefit of being really hard to detect by reading the source code of a website. In the industry, we refer to this technique as obfuscation.

How prolific is cryptojacking?

We are seeing compromised websites as low as personal blogs up to top Alexa-ranked websites being affected by Cryptojacking. No single vulnerability is being exploited to compromise these websites but we are seeing an uptick in mining operations online. This will only be exacerbated by the recent Log4j vulnerabilty. Right now there are about 3,000 websites serving Cryptojacking scripts to users online. This is growing daily. We are actively monitoring for new activity daily to continue to protect our customers.

What can you do to prevent cryptojacking?

So, what can you do about cryptojacking? The first step is to know the signs.  Then, as you may guess, there are two different ways of mitigating its effects: detection and defense. Detecting cryptojacking isn't always easy, but defense is even trickier.


The first thing to consider is whether or not your website is being cryptojacked. Here are some things to check:

Are you getting HTTP requests for Bitcoin and Monero transactions on your site?

Are you getting suspicious JavaScript errors when accessing your site?

Does your computer heat up and run the fan when you access your website?

If you're concerned about cryptojacking on your business network, you could also use a network monitoring tool to look for unusual resource usage. 

No matter how it's done, mining cryptocurrency is a massive resource hog, which gives some telltale signs, such as abnormally high CPU or GPU usage.  Especially in off-business hours when machines should be less active. A simple way to look for abnormal use would be to set up alerts for when CPU usage exceeds a certain threshold in off-hours or on machines that don't typically perform CPU-intensive tasks.


From the user's perspective, the most obvious defense against cryptojacking would be to block javascript from running on their browser, but this could make for a pretty poor internet experience. However, there are plenty of browser plugins, such as No Coin and MinerBlock, that can help the user block known cryptojacking scripts.

For a site owner, things are a bit more difficult. In order to definitively prevent cryptojacking on your website, you need full visibility into the code running on your website, as well as any third-party connectors and plugins, and the ability to unilaterally block unwanted code. 

A client-side security platform, like Ensighten MarSec, will let you perform frequent audits of your website's javascript content and security, and will help you block unknown scripts from ever running on the client-side, thus blocking injection-based attacks like formjacking, payment card skimming, and yes, cryptojacking.

To learn more about how MarSec can help defend your site against cryptojacking attacks, schedule a demo today. 

Cory Kujawski

Cory Kujawski

Cory built and orchestrated Threat Intelligence for Ensighten by developing collection, ingestion, and dissemination processes.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now