Cryptojacking

Cryptojacking is the unauthorized use of a victim's computer, phone, or server to secretly mine cryptocurrency, shifting hardware and electricity costs onto the device owner while the attacker keeps the coins. It typically arrives two ways: malware downloaded via phishing or fake apps, or JavaScript embedded in a website or ad ("drive-by mining"). Monero is the most commonly mined coin because it is private and CPU-friendly. Victims notice sluggish performance, overheating, faster battery drain, and unexplained CPU spikes. Left unchecked, the constant strain can shorten device lifespan or cause hardware failure. Good antivirus, ad blockers, and cautious browsing are the main defenses.

What Is Cryptojacking?

Cryptojacking is the unauthorized use of someone else's computer, phone, or server to mine cryptocurrency without their knowledge or consent. Instead of paying for the hardware and electricity that crypto mining normally requires, the attacker quietly offloads those costs onto the victim. The infected device keeps working normally on the surface, but a hidden script burns its processing power in the background to generate coins for someone else. It is the silent cousin of more dramatic threats like phishing or a rug pull: no funds are stolen directly, only your hardware, electricity, and battery life.

📷 A laptop with a CPU usage spike graph overlaid, fans spinning, illustrating a hidden mining script consuming resources in the background

Why Attackers Love It

Cryptojacking is attractive because it is low-risk and self-funding. There is no need to convince a victim to hand over a password or sign a malicious transaction — the script simply runs. The most commonly mined coin is Monero, and for good reason. Monero is a privacy coin that masks transaction trails, making the proceeds hard to trace. It also uses a hashing algorithm that mines efficiently on ordinary CPUs, so a botnet of everyday laptops and phones is actually productive — unlike Bitcoin, which needs specialized hardware to mine at any meaningful rate.

How Cryptojacking Works

There are two primary infection paths, and they behave very differently once active.

| Attribute | File-based (host) | Browser-based (drive-by) |
| --- | --- | --- |
| Entry point | Malicious download, phishing attachment, fake app | JavaScript embedded in a webpage or ad |
| Persistence | Stays after reboot until removed | Stops when you close the tab |
| Spread | Can self-propagate across a network | Limited to visitors of the page |
| Detection | Antivirus / Task Manager | CPU spike that drops on tab close |
| Hardest hit | Idle desktops, charging phones, servers | Anyone browsing the infected site |

File-based cryptojacking arrives through a download — a phishing email posing as an invoice, a cracked game, or a fake "ad-free" app. Once installed, the malware can survive reboots and even crawl across other devices on the same network, multiplying clean-up costs.

Browser-based cryptojacking, often called "drive-by mining," runs a script embedded directly in a website or a malicious advertisement. It mines only while the tab is open and usually stops the moment you close the browser — which is exactly why it is so easy to overlook.

📷 A two-column diagram comparing the file-based infection path (email -> download -> install -> persist) against the browser-based path (visit site -> script runs -> close tab -> stops)

A Brief History of Cryptojacking

Cryptojacking did not start as a crime. In September 2017, a service called Coinhive published a snippet of code that let websites borrow a visitor's CPU to mine Monero, pitched as an honest alternative to display ads. The file-sharing site Pirate Bay famously tested it. The problem was consent: copycats stripped out the permission prompt, and by 2018 roughly 32,000 websites were running Coinhive's miner — often without telling anyone. Coinhive shut down in 2019, but the technique had already evolved.

  • 2018 — Router-based: Around 200,000 MikroTik routers were compromised via the CVE-2018-14847 flaw, injecting a mining script into the web traffic of every device behind them. Infecting the network source, rather than a single site, dramatically widened the reach.
  • 2020 to present — Botnet-based: The Glupteba botnet silently installs miners on Windows PCs, steals login cookies, and has infected an estimated one million machines. Its standout trick is resilience: if its command server is taken down, Glupteba scans the Bitcoin blockchain for instructions hidden in the OP_RETURN field of low-value transactions, then resurrects itself with a new server address.
📷 A timeline graphic marking Coinhive (2017-2019), MikroTik router exploit (2018), and Glupteba botnet (2020-present)

A Worked Example: What Is It Actually Costing You?

The damage is rarely about a single coin — it is about electricity and hardware wear across many machines. Suppose a botnet hijacks 1,000 laptops, each drawing an extra 60 watts of power for 12 hours a day:

  • Extra energy per device per day: 60 W × 12 h = 0.72 kWh
  • Across 1,000 devices: 720 kWh per day
  • At an electricity price of $0.20 per kWh: $144 per day, or roughly $52,000 a year

That full bill is paid by the victims, not the attacker — and it ignores the long-term cost of shortened device lifespans from constant thermal stress. For the attacker, the mined Monero is nearly pure profit. This asymmetry is the entire economic logic behind cryptojacking.

Warning Signs and Risks

Modern cryptojacking scripts are built to activate when a device is idle or charging, precisely so you do not notice. Still, the symptoms add up:

  • Sluggish performance: sudden crashes, lag, or a laptop that feels a generation older overnight.
  • Overheating: fans running constantly, a hot chassis even at rest, or a phone that warms up while locked and charging.
  • High CPU during idle: open Task Manager (Windows) or Activity Monitor (macOS); an unexplained spike while you are doing nothing is a red flag.
  • Slow charging: if a docked phone takes noticeably longer to charge, something may be draining it in the background.
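
The idle-time symptom can also be checked mechanically. The following added example (not part of the original article) flags processes that hold high CPU across consecutive idle samples and notes whether they stay quiet while the user is active; the telemetry rows, process names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry rows: (minute, process, cpu_percent, user_idle).
# Process names are invented for the example.
SAMPLES = (
    [(m, "browser", 35, False) for m in range(0, 5)]
    + [(m, "browser", 2, True) for m in range(5, 15)]
    + [(m, "backup-agent", 80, True) for m in range(5, 7)]     # short burst
    + [(m, "backup-agent", 3, True) for m in range(7, 15)]
    + [(m, "svc-update32", 4, False) for m in range(0, 5)]     # quiet while in use
    + [(m, "svc-update32", 92, True) for m in range(5, 15)]    # pegged once idle
)
CPU_HIGH = 70   # percent; assumed threshold
MIN_RUN = 5     # consecutive idle samples that must stay high

def longest_idle_run(rows):
    """Longest streak of consecutive idle samples at or above CPU_HIGH."""
    best = run = 0
    for _, cpu, idle in sorted(rows):
        run = run + 1 if idle and cpu >= CPU_HIGH else 0
        best = max(best, run)
    return best

def flag_idle_load(samples):
    """Return processes with sustained high CPU while the device is idle."""
    by_proc = defaultdict(list)
    for minute, proc, cpu, idle in samples:
        by_proc[proc].append((minute, cpu, idle))
    flagged = {}
    for proc, rows in by_proc.items():
        run = longest_idle_run(rows)
        if run < MIN_RUN:
            continue  # brief bursts (backups, updates) are not flagged
        active = [cpu for _, cpu, idle in rows if not idle]
        # Busy only when nobody is watching is the pattern described above.
        idle_only = bool(active) and max(active) < CPU_HIGH
        flagged[proc] = {"idle_run": run, "idle_only": idle_only}
    return flagged
```

A flagged process is a lead for the removal steps, not a verdict: scheduled indexing or backup jobs can also run long while the device is idle.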

The deeper risk is hardware. Cryptojacking is a resource-intensive operation that runs around the clock, and persistent CPU strain shortens device lifespan and can lead to outright hardware failure. On servers and cloud infrastructure, it also inflates compute bills and can mask a foothold for worse attacks later.

How to Detect and Remove Cryptojacking

If you suspect an infection, work through these steps in order:

  1. Run a full antivirus scan with a reputable tool such as Microsoft Defender, then run an offline scan to catch trojans disguised as system files.
  2. Boot into Safe Mode (on Windows: press Win+R, type `msconfig`, enable Safe boot, restart) so suspicious programs cannot interfere.
  3. Uninstall unknown programs from the Control Panel and clear temporary files (search `%temp%`, select all, delete).
  4. Reset your browser settings to strip out any malicious extensions or injected scripts.
  5. Return to Normal Mode by disabling Safe boot in `msconfig`, then rescan to confirm the system is clean.

For a compromised website, manually inspect the HTML for unfamiliar mining scripts or use a website scanner to flag malicious code.
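
As an added illustration (not code from this page or from any scanner it mentions), the manual inspection described above can be automated by listing every `<script>` element and flagging those loaded from hosts the site has not approved. The host names, the approved list and the sample HTML are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed inventory: the site's own host and the script hosts it approves.
SITE_HOST = "shop.example.com"
APPROVED_HOSTS = {SITE_HOST, "cdn.example.com"}
# Name hint from this page; a rename defeats it, so the allowlist is the real check.
KEYWORDS = ("coinhive",)
# Constructed sample page, not taken from any real site.
SAMPLE = """
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ui.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//static.example.net/coinhive.min.js"></script>
<script>/* constructed inline loader, coinhive-style */ startWorker();</script>
"""

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []    # (reason, detail) per suspicious <script>
        self._inline = False  # True while inside a <script> with no src

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        self._inline = src is None
        if src is None:
            return
        host = urlparse(src).hostname or SITE_HOST  # relative URL: own host
        if host not in APPROVED_HOSTS:
            self.findings.append(("unapproved-host", src))
        elif host != SITE_HOST and "integrity" not in attrs:
            self.findings.append(("no-sri", src))  # third party, not pinned
        if any(k in src.lower() for k in KEYWORDS):
            self.findings.append(("keyword", src))
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False
    def handle_data(self, data):
        if self._inline and any(k in data.lower() for k in KEYWORDS):
            self.findings.append(("keyword-inline", data.strip()[:60]))

def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` against the HTML your server actually returns and compare the findings with a known-good copy of each template, since an injected script is usually one that appears in the served page but not in the source.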

📷 A screenshot of Windows Task Manager showing the CPU column sorted high, with an unrecognized process at 95% usage highlighted

How to Avoid Getting Cryptojacked

Prevention is mostly good security hygiene — many of the same habits that protect you from other [common crypto scams](https://en.coinotag.com/guide/crypto-scams-to-avoid):

  • Don't click blindly. Verify links and senders before opening attachments; ignore unsolicited DMs offering rare mints or "free" opportunities.
  • Use an ad blocker or a privacy-focused browser to neutralize miners hidden in malicious ads.
  • Keep antivirus and your OS updated so known exploits (like the MikroTik flaw) are patched.
  • Consider disabling JavaScript on untrusted sites — effective, though it will break legitimate site features.

COINOTAG Perspective

At COINOTAG we see cryptojacking less as a single attack and more as a barometer of crypto's incentive structure: wherever computing power has direct monetary value, someone will try to steal it. The trajectory from a transparent Coinhive widget in 2017 to the blockchain-hardened Glupteba botnet shows attackers professionalizing fast — and security researchers worry that idle mining botnets could one day pivot to ransomware or DDoS once they reach scale. The practical takeaway is simple: treat your CPU like an asset. The same vigilance you apply to securing your wallet — patching software, verifying sources, watching for anomalies — is your best defense against having your hardware quietly conscripted into someone else's mining operation.

If you want to understand the legitimate side of the process these attackers exploit, our explainer on [how Monero mining works](https://en.coinotag.com/guide/mining-monero) is a useful next read.

Last updated: 6/15/2026
