Cryptojacking

Everything looks normal: systems online, stable servers, no unusual alerts. Yet your resources may be powering someone else’s mining operation without your knowledge. That’s the perfect environment for cryptojacking to thrive.

In 2025, attacks that turn other people’s machines into hidden miners have evolved to exploit exposed APIs, poorly configured containers, and camouflaged traffic. The process is quiet, hard to trace, and capable of impacting performance, costs, and security without leaving immediate signs.

Understanding how these operations work — and why they continue to grow — is essential for protecting any digital infrastructure. In the next sections, you’ll see real cases that reveal how far cryptojacking has advanced.

What Is Cryptojacking?

Cryptojacking is an attack in which cybercriminals use someone else’s computers, smartphones, servers, or IoT devices to mine cryptocurrency without permission. The attacker exploits the victim’s CPU, GPU, and electricity to generate profit — all without being noticed.

This type of digital threat has grown significantly in recent years, especially because it’s discreet and difficult to detect.

How Cryptojacking Works in Practice

  1. Malicious scripts on websites
    The attacker injects mining code into pages or ads. When someone visits the site, the script automatically starts mining using the visitor’s browser.
  2. Malware installed on the device
    This can happen through phishing, fake downloads, or exploitation of vulnerabilities. The malware runs silently in the background, often with no obvious symptoms, turning the device into part of a mining botnet.
  3. Mining targeted at specific coins
    Attackers usually mine coins whose proof-of-work runs well on ordinary CPUs, such as Monero: its RandomX algorithm is designed for general-purpose processors, and its transaction privacy makes the proceeds hard to trace.

Main Signs of Cryptojacking

  • Sudden device slowdown
  • Fans running at maximum speed for no clear reason
  • Unusual overheating
  • Very high CPU/GPU usage even with few apps open
  • Faster battery drain and increased energy consumption

These signs usually appear gradually, which makes it easy for the attack to persist for long periods.
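As an added example that is not part of the original article, the Python script below turns the signs above into a host-level triage check. It parses constructed `ps -eo pid,pcpu,comm,args` and `ss -tnp` output (labelled as constructed in the code) and flags a process when its command line carries miner markers, or when it is both CPU-bound and connected to a port that mining pools commonly use. The marker list, the pool-port set and the 80% threshold are assumptions chosen for illustration.

```python
import re

# Indicator lists are assumptions for this example, not an authoritative catalogue.
MINER_CMD_MARKERS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "--donate-level", "cpuminer", "minerd")
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}   # frequent pool defaults; any port can be used
CPU_THRESHOLD = 80.0                                        # %CPU at which a pool connection becomes suspicious

# Constructed `ps -eo pid,pcpu,comm,args` output; the process named like a kernel thread is the miner.
PS_SAMPLE = """\
  PID %CPU COMMAND  ARGS
    1  0.0 systemd  /sbin/init
  812  1.2 sshd     /usr/sbin/sshd -D
 2231 97.5 kworkerd /tmp/.x/kworkerd -o stratum+tcp://pool.example:3333 -u WALLET --donate-level=0
 2410 45.0 python3  python3 /opt/app/worker.py
 2555  0.3 bash     -bash
"""

# Constructed `ss -tnp` output (established TCP connections with the owning process).
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB 0      0      10.0.0.5:51234       203.0.113.7:3333    users:(("kworkerd",pid=2231,fd=5))
ESTAB 0      0      10.0.0.5:51240       198.51.100.9:443    users:(("python3",pid=2410,fd=7))
ESTAB 0      0      10.0.0.5:22          192.0.2.10:49152    users:(("sshd",pid=812,fd=4))
"""

def parse_ps(text):
    """Map pid -> {cpu, comm, args} from ps output (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        procs[int(parts[0])] = {
            "cpu": float(parts[1]),
            "comm": parts[2],
            "args": parts[3] if len(parts) > 3 else "",
        }
    return procs

def parse_ss(text):
    """Map pid -> [(peer_host, peer_port), ...] from ss -tnp output."""
    conns = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        host, _, port = fields[4].rpartition(":")
        pid = re.search(r"pid=(\d+)", fields[5])
        if pid:
            conns.setdefault(int(pid.group(1)), []).append((host, int(port)))
    return conns

def find_miner_candidates(ps_text, ss_text):
    """Return {pid: [reasons]} for processes that look like miners."""
    procs, conns = parse_ps(ps_text), parse_ss(ss_text)
    findings = {}
    for pid, p in procs.items():
        cmdline = f"{p['comm']} {p['args']}".lower()
        reasons = [f"command line contains {m!r}" for m in MINER_CMD_MARKERS if m in cmdline]
        pool_peers = [f"{h}:{port}" for h, port in conns.get(pid, []) if port in COMMON_POOL_PORTS]
        if p["cpu"] >= CPU_THRESHOLD and pool_peers:
            reasons.append(f"{p['cpu']:.1f}% CPU while connected to pool-like port(s) {', '.join(pool_peers)}")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in find_miner_candidates(PS_SAMPLE, SS_SAMPLE).items():
        print(pid, *reasons, sep="\n  ")
```

A hit is a signal for investigation, not proof: a build job is also CPU-bound, and a miner can be pointed at port 443 behind a proxy, which is why the check keys on the command line first and on the CPU-plus-port combination second. To check a real host, feed it the live output of the same two commands instead of the samples.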

Why Has Cryptojacking Become So Common?

  • Low risk for the attacker: identifying the source is difficult
  • High return: mining with someone else’s resources eliminates costs
  • Scalability: thousands of infected devices create massive mining networks
  • Stealth: it doesn’t demand ransom, doesn’t delete files, and can run for months unnoticed

Impacts of Cryptojacking on Users and Companies

  • Performance degradation in computers and servers
  • Higher electricity costs
  • Risk of hardware damage due to overheating
  • Loss of productivity in corporate environments
  • Possibility of follow-on attacks: the foothold and persistence used to plant the miner can be reused to deliver other malware

Organizations running cloud servers, virtual machines, and other high-capacity compute, including blockchain workloads, are frequent targets because of the processing power on offer.

Real Cryptojacking Cases in 2025: Confirmed Attacks, Methods, and Impacts

Recent cases in 2025 show that cryptojacking has evolved to target corporate infrastructure, DevOps environments, cloud servers, and even compromised websites.

These attacks have become more sophisticated, exploiting exposed APIs, misconfigured containers, anonymous networks, and obfuscation techniques that make detection harder.

Below are the most relevant real cases reported in 2025:

1. JINX-0132 — Advanced Campaign in DevOps Environments (2025)

The JINX-0132 operation was identified in early 2025 and quickly stood out for directly targeting the core of corporate infrastructure: DevOps tools.

These systems automate deployments, manage containers, and orchestrate applications — which makes them extremely attractive targets for attackers seeking high computational power for hidden cryptocurrency mining.

Key points:

  • It targets widely used DevOps tools such as Docker, Gitea, Consul, and Nomad. These platforms are often connected to the internal network and, in many cases, exposed on public ports without strong authentication — creating an entry point for the attack.
  • It exploits misconfigurations or exposed APIs to deploy hidden miners. As soon as a vulnerable service was found, a cryptocurrency miner was immediately installed inside the environment. The process was automated, allowing dozens or even hundreds of machines to be compromised in sequence.
  • It uses public tools, making traditional detection more difficult. This approach avoids antivirus detection because legitimate tools are harder to block, and it reduces costs since there’s no need to develop custom malware.
  • Some compromised orchestrator servers managed hundreds of client nodes (Nomad and Consul both use a server/client model), so a single foothold grew into a distributed mining network.

This case shows how corporate environments with DevOps pipelines can be abused for illegal mining when monitoring is weak.

2. Self-Replicating Malware Exploiting Docker APIs + TOR Network (2025)

A global attack reported in 2025 drew attention for combining exposed Docker APIs with communication routed through the TOR network, forming a high-capacity mining botnet.

Researchers identified a campaign that quickly became one of the most significant cryptojacking cases of the year. The attack combined two critical elements: public Docker APIs exposed to the internet and hidden communication via TOR.

Highlights:

  • The entry point was servers with Docker APIs left open to the internet, without authentication or proper access control.
  • To avoid tracking, the malware communicated with command-and-control servers through the TOR network.
  • Once a machine was compromised, the malware scanned for other reachable hosts, probed ports and open APIs, and attempted to copy itself to them, using SSH to persist.
  • It mined mainly Monero and Dero — coins favored in cryptojacking due to their anonymity.

This case reinforces that cloud servers and containerized environments remain among the most exploited targets.
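Both the JINX-0132 campaign and the Tor-routed Docker campaign above start from the same misconfiguration: a container API reachable over TCP without authentication. The Python audit below, added here as an example and not code from either report, checks a Docker daemon.json for that exposure, with the weak configuration next to a hardened one. The two configurations are constructed; the certificate paths and the internal address 10.0.0.5 are assumptions.

```python
import json

# Constructed daemon.json contents for illustration; not taken from the reports the article cites.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}

def audit_docker_daemon(config_text):
    """Return [(severity, message), ...] describing risky Engine API exposure in a daemon.json."""
    cfg = json.loads(config_text)
    findings = []
    # "tls": true alone only encrypts the connection; "tlsverify" is what requires a client certificate.
    tlsverify = bool(cfg.get("tlsverify"))
    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(("warning", f"tlsverify is set but {key} is not configured; confirm which files dockerd loads"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                                 # unix:// and fd:// listeners are local to the host
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if not tlsverify:
            findings.append(("critical", f"{host}: Engine API reachable over TCP without client certificate verification; "
                                         f"anyone who can reach port {port} gets root-equivalent control of the host"))
        elif bind in ALL_INTERFACES:
            findings.append(("warning", f"{host}: client certificates are required, but the listener is bound to every interface; "
                                        f"bind to an internal address or restrict with a firewall"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_daemon(text) or "no findings")
```

The same TCP listener can also come from `-H` flags on the dockerd command line in the systemd unit, which this audit does not read, so check both places. Nomad, Consul and Gitea have their own listener and ACL settings and are out of scope here.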

3. Hidden Mining on Websites — 887 Active Domains (2024/2025)

A recent study analyzed cryptomining activity in browsers and identified:

  • 887 websites hosting mining scripts without user consent
  • Growing use of WebAssembly, obfuscation techniques, and disposable domains
  • Scripts injected into compromised sites, ads, and invisible iframes

Browser-based attacks remain relevant because they silently affect everyday users and often go unnoticed.
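As an added example, not drawn from the study this section cites, the Python scanner below applies the three indicators named above (a known miner loader, WebAssembly-based inline code, invisible iframes) to a constructed HTML page. The marker strings and the miner host list are assumptions for illustration; the coinhive.com host is included only because the article names that service later.

```python
from html.parser import HTMLParser

# Indicators are assumptions for this example; they are not an authoritative list.
KNOWN_MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com")
INLINE_MARKERS = ("webassembly.instantiate", "stratum", "cryptonight", "new worker(")

# Constructed page: a benign library, a known miner loader, an inline WebAssembly worker,
# a zero-size iframe, and a normal video embed that must not be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Recipes</h1>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var w = new Worker("worker.js");
  WebAssembly.instantiate(bytes).then(function (m) { connect("wss://pool.example/stratum"); });
</script>
<iframe src="https://ads.example/m.html" width="0" height="0"></iframe>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
</body></html>"""

class MinerScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None          # buffer of text seen inside the current <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
            src = a.get("src", "").lower()
            if any(h in src for h in KNOWN_MINER_SCRIPT_HOSTS):
                self.findings.append(("script-src", src))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).lower()
            hits = [m for m in INLINE_MARKERS if m in body]
            if hits:
                self.findings.append(("inline-script", ", ".join(hits)))
            self._script = None

def scan_html(html):
    """Return the list of (kind, detail) findings for one page."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:14} {detail}")
```

Static string matching is the weakest form of this check: the obfuscation and disposable domains the study describes exist precisely to defeat it. It works as a first pass over crawled pages; the reliable signal is runtime behaviour, such as a page that keeps a Worker at full CPU and holds a WebSocket open while the user is idle.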

Trends Observed in 2025 Cases

  • Exploitation of cloud and DevOps environments
    Attacks targeting servers with Docker, exposed APIs, and automated pipelines dominate the landscape.
  • Use of anonymous networks to conceal operations
    TOR stands out as a central component in distributed campaigns.
  • More sophisticated scripts
    Obfuscation, WebAssembly, and dynamic injection are making detection increasingly difficult.
  • Rapid scalability
    A single misconfigured server can turn into a large-scale botnet within hours.

How to Protect Yourself from Cryptojacking

  1. Use up-to-date security solutions

Modern antivirus and anti-malware tools can detect unusual behavior, such as processes consuming CPU for no clear reason. Keeping signatures and behavioral rules current improves the odds of catching hidden miners, injected scripts, and components used in botnets.

  2. Block unknown scripts in the browser

A large share of cryptojacking begins in the browser. Extensions like NoScript, ad blockers, and advanced filtering tools prevent mining code from running automatically when you visit a site. This significantly reduces the risk of web-based attacks.

  3. Keep systems and services fully updated

Many cryptojacking campaigns exploit known vulnerabilities in operating systems, containers, libraries, and DevOps services. Applying updates on time removes the weaknesses that would allow attackers to deploy miners inside servers or applications.

  4. Monitor CPU, GPU, and network usage

High and persistent resource consumption can be one of the first signs of hidden mining activity. Implementing observability tools and automated alerts helps identify machines being misused, especially in cloud environments and DevOps pipelines.

  5. Train teams and users

Phishing, malicious attachments, and suspicious downloads remain common entry points for miner installers. Regular training helps reduce clicks on dangerous links and strengthens the overall security posture of the organization.
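To show why the monitoring step above stresses persistent rather than merely high consumption, here is an added example (not from the original article) of an alert rule over constructed per-minute CPU samples for one host. The threshold and the run length are assumptions.

```python
import statistics

# Constructed per-minute CPU samples (percent) for one host; not real telemetry.
SAMPLES_BUILD_SPIKE = [12, 15, 95, 98, 14, 11, 13, 12, 16, 14]   # short burst, e.g. a build or backup
SAMPLES_MINER       = [12, 14, 91, 93, 97, 96, 94, 98, 95, 97]   # pinned from the third sample onward

def sustained_high_cpu(samples, threshold=85.0, min_consecutive=5):
    """First run of at least min_consecutive samples >= threshold, as (start_index, length), else None."""
    run_start = None
    for i, v in enumerate(list(samples) + [None]):   # sentinel closes a run that reaches the end
        if v is not None and v >= threshold:
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= min_consecutive:
            return run_start, i - run_start
        run_start = None
    return None

def evaluate_host(samples, threshold=85.0, min_consecutive=5):
    """Alert only on persistent load; report median and peak so a raised baseline is visible too."""
    run = sustained_high_cpu(samples, threshold, min_consecutive)
    return {
        "alert": run is not None,
        "run": run,
        "median_cpu": statistics.median(samples),
        "peak_cpu": max(samples),
    }

if __name__ == "__main__":
    for name, series in (("build spike", SAMPLES_BUILD_SPIKE), ("miner", SAMPLES_MINER)):
        print(name, evaluate_host(series))
```

Both series peak at 98%, so a naive "CPU above 90%" alert fires on the build spike as well; the run-length rule fires only when the load stays pinned. Alerting on the median, or on load during hours the host should be idle, also catches miners configured to throttle themselves below the threshold.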

Cryptojacking in the Current Security Landscape

IBM X-Force has reported a continued rise in cryptojacking across corporate environments, especially on Linux machines commonly used on servers.

Reports from Zscaler show that web-based mining scripts remain active even after services like Coinhive shut down.

Fortinet has identified campaigns using botnets capable of exploiting vulnerabilities in outdated systems and installing miners automatically.

These findings confirm that the threat continues to grow and is well distributed across multiple sectors.

Reflections and Key Takeaways on Cryptojacking

Cryptojacking has become one of the most persistent threats in the digital landscape. Beyond harming performance and increasing costs, it also opens the door to additional attacks.

In this context, operating with reinforced attention is no longer optional. Proper configurations, continuous monitoring, and effective protection tools are essential to keep critical systems from becoming part of an underground mining network.