Proton
An illustration of cryptojacking.

Cryptojacking made headlines back in 2017 when hackers hit a series of high profile websites (including several operated by the UK and Australian governments(new window)).

Whenever somebody visited an infected site, the hackers were able to hijack the visitor’s computer and use its processing power to mine cryptocurrency.

Unfortunately, while the media covered the attacks at length, they didn’t do a great job of explaining what cryptojacking actually is.

In this article, we’ll explain what cryptojacking attacks are, how they work, and what you can do to protect yourself.

Read this first: How cryptocurrencies work

To understand cryptojacking, you first need a very basic understanding of cryptocurrency mining.

Cryptocurrencies like Bitcoin aren’t backed or maintained by a bank or government. Instead, it is a decentralized currency that uses a distributed database, also known as the blockchain. The blockchain is updated regularly with information about all of the transactions that took place since the last update. Each new set of transactions is combined into a ‘block’ using a complex mathematical process.

This is where mining comes in. Cryptocurrencies rely on individuals to provide the computing power needed to produce new blocks. To make the process worthwhile, cryptocurrencies reward people who supply these computing resources with cryptocurrency. The people who trade computing resources for currency are called “miners.”

Crucially, only miners who successfully process a new block get paid.

Most major cryptocurrencies have armies of miners running dedicated computer rigs built specifically to complete the necessary calculations as quickly as possible. These rigs often use dozens of powerful graphics cards (GPUs), which are well suited to performing repetitive computations.

All this activity requires a lot of electricity. The Bitcoin network currently uses more than 73TWh of energy per year(new window). That puts the network on par with Austria in terms of energy consumption and gives it a carbon footprint comparable to that of Denmark.

Naturally, then, there are plenty of people who want the benefits of cryptocurrency mining without having to pay the electricity bill.

What is cryptojacking?

Cryptojacking allows hackers to get paid for cryptocurrency mining without having to pay for expensive mining hardware or deal with skyrocketing electric bills.

A cryptojacking attack tricks victims into mining cryptocurrency on behalf of the attacker, either temporarily or on an extended basis. The attack uses the victim’s hardware to secretly mine cryptocurrency and then forwards any cryptocurrency rewards to the attacker’s digital wallet.

It’s a surprisingly simple process, and in many cases, goes completely unnoticed.

In most cases, cryptojacking attacks aren’t used to produce the most common cryptocurrencies, like Bitcoin or Ethereum. Instead, they target currencies based on the process used to compute new blocks.

As noted earlier, many cryptocurrency miners use rigs made up of powerful graphics cards (GPUs), because they are well suited to the repetitive calculations required by most major cryptocurrencies. By contrast, the CPUs found in most PCs, laptops, and smartphones are not well suited to this task. As a result, even thousands of devices compromised by a cryptojacking attack would find it extremely difficult to compete for mining rewards.

However, cryptocurrencies like Monero(new window) use different methods (or ‘hashing functions’) that are difficult to compute using a GPU. This makes cryptojacked devices much more effective at mining them(new window). Unsurprisingly, cryptojackers focus on mining these currencies with the devices they’ve hijacked.

How do cryptojacking attacks work?

As recently as 2017, most cryptojacking attacks were built into websites using JavaScript. When a victim loaded an infected website, a hidden script would enlist unused system resources to mine cryptocurrency in the background. Some websites were built specifically for this purpose, but in most cases malicious code was injected into popular legitimate websites.

In many cases, cybercriminals simply adapted code released by mining service Coinhive(new window), which was developed to allow consensual background mining. The idea was that instead of displaying ads, websites could monetize traffic by asking visitors to mine cryptocurrency in the background as they browsed the site. Unfortunately, the code used to achieve this turned out to be easily repurposed for cryptojacking attacks, contributing to Coinhive’s eventual shutdown in 2018.

These attacks are known as ‘drive-by’ cryptojacking and can persist long after a victim leaves the infected page. The malicious scripts typically open ‘pop-under’ windows that are hidden from view and continue the mining process until the browser is closed completely, or the machine is shut down.

While this type of attack still exists, it has become far less common. Modern browsers and firewalls are designed to block cryptojacking scripts, making these attacks much less effective.

Instead, most cryptojacking attacks now target a different type of system: Java-based smartphone apps. These malicious apps exclusively target Android devices, because both iOS and Windows Mobile apps are written in different programming languages.

These attacks take the form of ‘trojan horses’ — a type of malicious software that poses as an innocuous app such as a simple game. Whenever the app is open or running in the background, it uses the device’s hardware to mine cryptocurrency.

How cryptojacking attacks spread

Since most cryptojacking attacks now come in the form of Android apps, it’s important to understand how those apps are distributed. There are three primary distribution channels:

  1. The official Play Store. While Google’s Play Store does have some checks in place to identify malicious apps, it’s surprisingly easy(new window) for hackers to sneak nefarious apps past those controls. Malicious apps are usually removed after a short time, but it’s important to understand that there are risks to downloading unknown apps, even when they come from official app stores.
  2. Third-party app stores. Popular third-party stores like the Amazon Appstore and APKMirror have less stringent (if any) checks for new apps, making them easy distribution channels for attackers.
  3. Phishing. Email is the classic attack vector for hackers and is a highly effective distribution channel for malware that poses as a game or similar fun app. Phishing emails are often extremely simple and include a link to download the cryptojacker from a third-party app store. And if you think you’d never fall for a phishing scam… think again(new window).

Learn more about how to prevent phishing attacks(new window)

How to tell if you’ve been cryptojacked

It’s not always easy to tell if your device is being cryptojacked. Unlike other malware variants like ransomware(new window), cryptojacking attacks are designed to go unnoticed.

However, there are warning signs to look out for. Most attackers are greedy, so their scripts often tell infected devices to use 100% of available resources for mining. As a result, cryptojacked devices often:

  • Get hot, causing fans to spin up quickly
  • Respond and run slowly
  • Run out of battery quickly (or use a lot of power)

If you suspect your Android device may have been hit by a cryptojacking attack, check which apps are currently open. If closing one app causes everything to return to normal — and particularly if that app is produced by an unknown developer — you may have a cryptojacker on your hands.

If you have any doubts about the legitimacy of an app, delete it immediately. In addition to cryptojacking, many malicious apps are designed to download further malicious apps in the background, which could pose an even greater threat.

If you’re using a Windows or macOS machine, check your Task Manager or Activity Monitor for resource usage. If your browser has suddenly started using far more resources than it should, try shutting it down completely and reopening it.

Regardless of the type of device you’re using, running regular antivirus scans is always a good idea.

How to prevent cryptojacking

These days, browser-based cryptojacking attacks aren’t a huge threat. If you keep your browser (including any security extensions), antivirus, and firewall products up to date, cryptojacking scripts should be blocked automatically.

However, if you have an Android device, cryptojacking poses a greater threat. And since even the official Play Store has been known to contain apps that include cryptojacking code(new window), simply avoiding third-party stores may not be enough.

With this in mind, here are a few tips you can use to keep your devices safe from cryptojackers:

  1. Be wary of any new app, particularly if it isn’t produced by a well-known author. Games and other fun apps are more likely to be malicious, particularly if there is no obvious way for them to make money (i.e., they are free and don’t contain in-app purchases or ads).
  2. Be very wary of apps that make your device hot or drain the battery quickly. This isn’t a perfect solution, because many games are badly coded and do this anyway. If you become suspicious, try Google searching the app name to see if it has been linked to cryptojacking.
  3. Periodically review your apps. Most of us have dozens of unused apps on our devices, many of which have significant system privileges. If you don’t use an app regularly, just delete it. You can always download it again later. (Also check out our guide to Android privacy(new window).)
  4. Be suspicious of emails, particularly from unknown senders. If an email claims to be from a friend but doesn’t “feel right,” check in with that friend using a different channel (e.g., text or phone call) to make sure it really is from them.

Staying secure in the Internet age is a constant battle. Cyber threats evolve over time and the rest of us are forced to play catch up.

If you’re worried about cryptojacking (or any other cyber threat) the best advice is simply this: don’t be too trusting. Treat everything on the Internet with a degree of skepticism.

And if something seems too good to be true, it probably is.

Best Regards,
The Proton Mail Team

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.

Related articles

The cover image for a Proton blog, showing a phone screen with a lock logo and three password fields surrounding the phone
Here's what to look for when choosing an enterprise password manager to streamline collaboration and protect your organization's sensitive data.
  • Privacy guides
Learn how to unsend an email, how it’s useful for personal or business emails, and how Proton Mail can help.
Proton Mail and Proton Calendar winter product roadmap
  • Product updates
  • Proton Calendar
  • Proton Mail
Preview upcoming updates to Proton Mail and Proton Calendar, including performance boosts, new features, and enhanced privacy tools.
Gantt chart displaying Proton Drive plans and development of new features
Discover the tools, features, and improvements coming to Proton Drive’s secure cloud storage and document editor this winter and spring.
laptop showing Bitcoin price climbing
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.