The Silent Heist: How Cryptomining Malware Became Cybercrime's Favorite Background Job

Somewhere between the headline-grabbing ransomware attacks and the data breaches that trigger class-action lawsuits, a quieter criminal enterprise has been running up victims' electricity bills, burning out their hardware, and funneling hundreds of millions of dollars to threat actors — including sanctioned nation-states. Cryptojacking, the unauthorized use of someone else's computing resources to mine cryptocurrency, recorded over a billion attack incidents in 2023 alone [1]. The crime is growing faster than nearly any other category of cyber threat, yet it attracts a fraction of the enforcement attention directed at ransomware.

This investigation examines the scope of the problem, who profits, who pays, and whether the security community's relative indifference to cryptojacking is justified.

The Scale of the Problem

SonicWall's threat research unit recorded 1.06 billion cryptojacking hits in 2023, a 659% increase over the prior year [1]. In the first half of 2023 alone, cryptojacking volume reached 332.3 million — more than the total for the previous three full years combined [2]. While 2024 estimates suggest a retreat to roughly 870 million incidents, the numbers remain an order of magnitude higher than the pre-2023 baseline of 57–140 million annual attacks [1]. Note that SonicWall counts blocked attempts at its sensors, not confirmed infections, so the figure measures attacker activity rather than victim count.

[Chart: Annual Cryptojacking Attack Volume. Source: SonicWall Cyber Threat Reports, data as of Mar 1, 2025]

Precise infection counts are harder to pin down. Unlike ransomware, which announces itself, cryptominers are designed to go unnoticed. Many victims discover the malware, remove it, and never file a report [3]. What is clear is that the attack surface extends well beyond desktop PCs: Linux servers, cloud containers, IoT devices, and mobile phones are all viable targets [4].

The cryptocurrency of choice is overwhelmingly Monero (XMR). Its RandomX proof-of-work algorithm, which replaced the CryptoNight family in late 2019, is deliberately designed to run well on general-purpose CPUs and poorly on ASICs, so ordinary workstations and servers mine it at a useful rate, unlike Bitcoin, where profitable mining requires specialized ASIC hardware [5]. XMRig, the open-source Monero mining tool, accounted for 43% of all cryptomining detections in Check Point's 2023 report [6]. Monero's built-in privacy features (stealth addresses, ring signatures, and RingCT confidential amounts) make it nearly impossible to trace illicit mining proceeds once they reach a wallet.

Cisco Talos estimated that an adversary controlling 2,000 infected machines could generate roughly $500 per day, or $182,500 per year, in Monero [7]; the figure depends on the Monero price and network difficulty at the time of the estimate. Scaled linearly to the botnets security researchers have documented, some comprising tens of thousands of nodes, a single campaign's annual haul runs into the millions of dollars, and only the very largest botnets, with hundreds of thousands of compromised hosts, would approach tens of millions.

What Victims Actually Lose

Cryptojacking is often dismissed as a nuisance rather than a serious financial harm. The reality is more complex.

Electricity costs are the most direct expense. A workstation running a cryptominer at full load can consume 200–400 watts above its idle draw. Across a fleet of hundreds or thousands of corporate machines, that translates to monthly power bills climbing by hundreds or thousands of dollars — costs that are absorbed invisibly into general overhead [8]. IBM has noted that for businesses running large networks or cloud infrastructure, cryptojacking leads to materially higher energy bills and inflated cloud service charges [9].

Hardware degradation compounds the problem. Sustained high CPU or GPU utilization causes elevated thermal stress, accelerated electromigration in silicon, and increased fan wear [8]. Server-class hardware rated for a five-year lifecycle under normal workloads may need replacement a year or two early when cryptominers keep utilization pegged near 100% for months at a time. Malwarebytes has documented cases where cryptojacking caused phones to overheat to the point of physical damage [10].

Performance degradation reduces employee productivity. Applications slow down, build times increase, and virtual desktop infrastructure becomes sluggish — all without a clear root cause visible to IT support until someone specifically checks for mining processes.

Security exposure may be the most significant hidden cost. As Arctic Wolf and other security firms have noted, the presence of a cryptominer often indicates a broader compromise: unpatched systems, misconfigured cloud workloads, or compromised credentials that could equally well be used for data theft or ransomware deployment [11].

Attack Vectors: From Browser Scripts to Supply Chains

The cryptojacking threat has gone through distinct evolutionary phases.

2017–2019: The Coinhive era. Browser-based mining dominated. Coinhive and its imitators injected JavaScript into websites that mined Monero using visitors' CPUs. When Coinhive shut down in March 2019, many observers assumed cryptojacking would die with it [12].

2020–2022: Server-side pivot. Attackers shifted to compromising servers through unpatched vulnerabilities (notably Log4Shell in late 2021) and brute-forcing RDP endpoints exposed on port 3389. Fileless PowerShell-based miners became increasingly common, running entirely in memory and using native Windows tools to avoid detection [13]. The same playbook carried into later server-side bugs: Trend Micro documented campaigns exploiting CVE-2023-22527, a template-injection flaw in Atlassian Confluence disclosed in January 2024, to deploy full cryptomining ecosystems on enterprise servers [14].

2023–2026: Supply chain and multi-vector campaigns. The current phase combines multiple attack vectors. Supply chain compromises through npm and PyPI packages have become a major delivery mechanism. ReversingLabs found that 14 of 23 crypto-related malicious campaigns in 2024 targeted npm, with the rest hitting PyPI [15]. A September 2025 incident saw popular npm libraries including debug and chalk hijacked with malicious code targeting cryptocurrency wallets [16]; that payload stole rather than mined, but it shows that the same registry-level delivery channel serves both. Meanwhile, USB-based malware campaigns like "Universal Mining" continue to spread cryptominers across dozens of countries through infected removable drives [17].

Browser-based cryptojacking has also returned in a more sophisticated form. Unlike the Coinhive era, modern campaigns use multi-stage loaders with WebAssembly support checks, Web Workers for background execution, and WebSocket-based command-and-control channels — making them harder to detect with simple script-blocking extensions [12].

Why Cryptominers Are So Hard to Catch

Cryptojacking consistently exhibits longer dwell times than ransomware or data-theft malware. The reason is structural: a ransomware operator wants to be noticed (that is how the extortion works), while a cryptominer's profitability depends on remaining invisible.

Several technical properties help cryptominers evade endpoint detection:

  • CPU throttling: Modern cryptominers adjust their resource consumption dynamically, dropping to 20–30% CPU usage when user activity is detected and ramping up only during idle periods or known backup windows [18]. This keeps resource monitors from triggering alerts based on static thresholds.

  • Process masquerading: Miners frequently rename their executables to resemble legitimate system processes or embed themselves within signed, trusted binaries.

  • Legitimate-looking network traffic: Miners talk to their pool over Stratum, a newline-delimited JSON-RPC protocol carried over plain TCP or TLS, or proxy it through HTTPS. A TLS-wrapped session looks like any other encrypted connection, and because the destination is a commercial mining pool rather than a known C2 server, reputation-based network filters may not flag it [19]. The signals that remain are the pool hostname, SNI and port (3333, 4444 and 5555 are conventional but not required), the JSON-RPC method names (login, job, submit, mining.subscribe) on any link that is not encrypted, and steady low-volume keepalive traffic from a host with no business reason to reach the destination.

  • Fileless execution: PowerShell-based miners that run entirely in memory leave few artifacts for signature-based antivirus to scan [13]. They are not artifact-free, though: persistence usually lives in a registry Run key, a scheduled task or a WMI event subscription, and PowerShell script block logging (Event ID 4104) records the decoded script, so those are the places to look.

  • Fallback infrastructure: Advanced campaigns install rootkits, reverse shells, or hidden C2 check-ins alongside the miner, creating pathways for future exploitation if the miner itself is discovered [19].

The result is that stealth cryptominers can persist for weeks or months — generating steady revenue the entire time — while noisier threats like ransomware are typically detected within hours or days [18].
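The Stratum traffic described above is easier to recognise from the payload than from the port or destination. The following detector is an added example written for this page, not code from any of the cited vendors or from XMRig itself: it treats any TCP payload as candidate newline-delimited JSON-RPC and flags the method names, job structures and user-agent strings that Stratum clients and pools exchange, in both the Bitcoin-style "mining.*" dialect and the Monero/XMRig "login/job/submit" dialect. The two sample payloads are constructed for the example; the wallet address, job identifiers and hostnames in them are placeholders.

```python
"""Port-agnostic detector for Stratum / XMRig JSON-RPC in captured TCP payloads.

Added example for this page; the sample payloads below are constructed.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Method names of the two Stratum dialects seen in practice: the Bitcoin-style
# "mining.*" family and the Monero/XMRig "login / job / submit" family.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.notify", "mining.submit",
    "mining.set_difficulty", "mining.set_target", "mining.extranonce.subscribe",
    "login", "job", "submit", "keepalived", "getjob",
}
# Keys that only appear together in a Monero-style pool job.
JOB_KEYS = {"blob", "job_id", "target"}
# Substrings of user-agent strings advertised by common mining software.
MINER_AGENTS = ("xmrig", "xmr-stak", "cpuminer", "minerd", "nbminer", "t-rex", "lolminer")


@dataclass
class Finding:
    line_no: int                 # 1-based line within the payload; 0 = whole-stream match
    reason: str
    method: Optional[str] = None
    agent: Optional[str] = None


def scan_payload(payload: bytes) -> List[Finding]:
    """Return one Finding per Stratum-looking line in a TCP payload.

    Stratum is newline-delimited JSON-RPC, so each line is parsed on its own;
    lines that are not JSON objects (HTTP headers, TLS records) are skipped.
    Nothing here depends on the destination port or hostname.
    """
    findings: List[Finding] = []
    for n, raw in enumerate(payload.split(b"\n"), start=1):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            msg = json.loads(raw)
        except (ValueError, UnicodeDecodeError):
            continue
        if not isinstance(msg, dict):
            continue
        method, params, result = msg.get("method"), msg.get("params"), msg.get("result")

        # 1. A Stratum method name in either dialect, with the agent if it is carried.
        if method in STRATUM_METHODS:
            agent = None
            if isinstance(params, dict):
                agent = params.get("agent")
            elif isinstance(params, list) and params and isinstance(params[0], str):
                agent = params[0]            # mining.subscribe puts the agent in params[0]
            findings.append(Finding(n, "stratum method", method, agent))
            continue

        # 2. A pool reply that carries a job (login response, or a job push without a method).
        for container in (params, result):
            if isinstance(container, dict):
                job = container.get("job", container)
                if isinstance(job, dict) and JOB_KEYS.issubset(job):
                    findings.append(Finding(n, "mining job payload", method))
                    break

    # 3. A miner user-agent anywhere in the stream, even where JSON parsing failed.
    lowered = payload.lower()
    for ua in MINER_AGENTS:
        if ua.encode() in lowered:
            findings.append(Finding(0, "miner user-agent string", agent=ua))
            break
    return findings


def is_mining_stream(payload: bytes) -> bool:
    """Alert when at least one Stratum exchange or miner agent is present."""
    return bool(scan_payload(payload))


# Constructed sample: an XMRig login, the pool's reply carrying a job, and a share submission.
# Wallet address and job ids are placeholders, not real values.
SAMPLE_XMRIG = b"\n".join([
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDEFwalletPLACEHOLDER","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}',
    b'{"id":1,"jsonrpc":"2.0","result":{"id":"a1b2","job":{"blob":"0e0e","job_id":"j1","target":"b88d0600"},"status":"OK"},"error":null}',
    b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1b2","job_id":"j1","nonce":"deadbeef","result":"00ff"}}',
])
# Constructed benign sample: an HTTP request followed by an unrelated JSON-RPC call.
SAMPLE_BENIGN = (b"GET /api/v1/status HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"
                 b'{"jsonrpc":"2.0","id":7,"method":"getStatus","params":{}}\n')

if __name__ == "__main__":
    for finding in scan_payload(SAMPLE_XMRIG):
        print(finding)
    print("benign flagged:", is_mining_stream(SAMPLE_BENIGN))
```

Run it over reassembled TCP streams from a network sensor rather than single packets, since a Stratum line can straddle segments. Because the check keys on the JSON-RPC structure, it still fires when a miner is pointed at a pool on port 443 without TLS; on a TLS-wrapped session it sees nothing, and the pool hostname, SNI and port are the signals that remain.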

[Chart: Research Publications on "cryptojacking". Source: OpenAlex, data as of Jan 1, 2026]

The Nation-State Connection

The characterization of cryptojacking as a petty, victimless nuisance becomes harder to sustain when examining its overlap with state-sponsored operations.

North Korea's Lazarus Group is the most prominent example. Since 2017, North Korean hackers have stolen an estimated $3 billion in digital assets to fund the regime's nuclear weapons and ballistic missile programs [20]. While the most dramatic thefts involve direct exchange hacks — including a $290 million attack on KelpDAO reported in April 2026 [21] — cryptojacking and cryptomining operations provide a steadier, lower-profile revenue stream. U.S. government estimates suggest cybercrime now accounts for close to half of North Korea's foreign currency earnings [21].

The U.S. Treasury has sanctioned individuals specifically for laundering cryptocurrency proceeds on behalf of Lazarus Group [22]. The DOJ has stated that the group is part of Pyongyang's strategy to "undermine global cybersecurity and generate illicit revenue in violation of sanctions" [23].

The North Korean case is the most documented, but it is not unique. Iranian threat actors have also been linked to cryptomining operations that generate revenue while circumventing financial sanctions, though the evidentiary record is thinner.

This state-sponsored dimension transforms the risk calculus. Every dollar mined on a cryptojacked corporate server is not just an electricity charge shifted to the victim — it may be funding weapons programs or sanctions evasion by designated threat actors. That makes the "it's just wasted electricity" framing incomplete at best.

Legal Liability: An Unsettled Question

When a corporate network is cryptojacked through an unpatched vulnerability, who pays? The legal landscape remains largely unsettled, with few cases reaching final adjudication.

The most significant prosecution to date involved Charles O. Parks III, who pleaded guilty in 2024 to wire fraud for operating a large-scale cryptojacking scheme that defrauded two major cloud providers of more than $3.5 million in computing resources. He faces up to 20 years in prison [24].

But Parks was the attacker. The question of downstream liability — whether the employer, the software vendor, the managed service provider, or the insurer bears responsibility — remains largely unresolved. Courts have recognized that unpatched vulnerabilities can be central to liability determinations in data breach cases, and legal scholars at the National Academies have argued that holding defendants liable for harm caused by known, unaddressed security vulnerabilities would be "a reasonable extension of traditional legal principles" [25][26].

The complication for cryptojacking specifically is that, unlike data breaches, there is typically no compromised personal information to trigger notification laws. The harm is economic (electricity, hardware wear, lost productivity) rather than informational, which means the regulatory frameworks designed for data protection — GDPR, state breach notification statutes — often do not apply. One legal analysis noted that if a business unknowingly transmits cryptomining code to other organizations through its own compromised infrastructure, it could face liability, but the legal theories remain untested [27].

The result is a gap: cryptojacking causes real financial harm, but victims often lack clear legal avenues to recover costs, and insurers have not yet developed standardized coverage for this category of loss.

Is Enforcement Proportionate to the Harm?

Here the evidence supports a genuine debate.

[Chart: Estimated Illicit Cryptomining Revenue vs Ransomware Payments]

The case that cryptojacking is overprioritized: Ransomware payments totaled an estimated $1.1 billion in 2023 and $813 million in 2024, according to Chainalysis [28]. Cryptojacking revenue, while harder to measure precisely, is estimated at roughly a quarter of that — and the per-victim impact is far lower. A cryptojacked workstation might cost its owner a few hundred dollars in electricity over several months. A ransomware attack can shut down a hospital, a pipeline, or a school district. As Infosecurity Magazine reported, the damages from cryptojacking are "far lower, which exposes criminals to fewer recriminations," and many victims simply erase the malware without reporting it [3]. From a triage perspective, security resources directed at ransomware prevention and response arguably save more total harm per dollar spent.

The case that cryptojacking is underprioritized: The SonicWall data showing a billion-plus annual attacks suggests an enormous exposed attack surface [1]. Every cryptojacked machine represents a compromised endpoint that could be used for ransomware, data theft, or lateral movement. The nation-state funding dimension adds a national security overlay that pure dollar comparisons miss. And the "victimless crime" framing — which multiple security researchers have contested [3][10] — may lead organizations to deprioritize patching and monitoring for cryptomining indicators, leaving them vulnerable to the more destructive attacks that often follow.

The Displacement Hypothesis

A harder question: if cryptojacking were eliminated tomorrow, would the threat actors simply move to ransomware and data theft?

IBM X-Force reported the inverse pattern directly: cryptojacking rose 450% as cybercriminals pivoted away from ransomware toward "stealthier means of malicious activities" [29]. SonicWall's data from 2023 tells the same story: as ransomware volumes plateaued, cryptojacking exploded [1]. When law enforcement actions disrupted major ransomware operations, the landscape fragmented, with actors experimenting with lower-risk monetization strategies [30].

This pattern suggests cryptojacking may function as a lower-harm monetization channel — a way for criminal actors to generate revenue without the law enforcement heat, victim visibility, and operational complexity of ransomware. TRM Labs research on emerging ransomware groups shows that as enforcement pressure increases on one monetization strategy, actors redistribute across alternatives [30].

The implication is uncomfortable: aggressive enforcement against cryptojacking, without proportional increases in defensive capacity across the board, might push marginal actors toward more destructive alternatives. This does not mean cryptojacking should be ignored — particularly given the nation-state dimension — but it suggests that enforcement strategy should account for displacement effects rather than treating each threat category in isolation.

What Comes Next

The Monero price rally in early 2025 — a 45% gain from $196 to $285 between January and May — fueled a documented resurgence in cryptomining malware, according to G DATA researchers who tracked a spike in XMRig-based campaigns during that period [5]. As long as privacy-focused cryptocurrencies maintain value and CPU-mineable algorithms remain viable, the economic incentives for cryptojacking persist.

The attack surface continues to expand. Cloud-native infrastructure, containerized workloads, and CI/CD pipelines offer high-compute environments that are often provisioned with permissive defaults and minimal runtime monitoring. Supply chain attacks through package registries show no signs of abating, with three separate campaigns hitting npm, PyPI, and Docker Hub in a single 48-hour span in April 2026 [15].

Detection technology is improving. Combining CPU-usage features with machine learning achieves precision and recall close to 1 on research datasets [31], but those results come from controlled settings; in production, render farms, CI build agents and scientific batch jobs look like miners to a pure utilization model, so the models need per-fleet baselines and corroborating signals (pool connections, known miner binaries, persistence artifacts) before an alert is reliable. That deployment, tuning and monitoring is work many organizations have not prioritized for a threat they still regard as low-severity.
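The throttling behaviour described under "Why Cryptominers Are So Hard to Catch" and the CPU-usage-based detection mentioned here can be illustrated with one check. The following is an added example, not code from the cited paper [31] or from any product: instead of a static utilization threshold, it joins per-minute CPU samples with the user's idle state and flags a host whose load is higher and flatter when nobody is at the keyboard than when someone is. The three 8-hour windows are constructed for the example (a throttling miner, a healthy workstation, and a healthy workstation with a one-hour backup job in the idle period); the three thresholds are assumptions to be tuned per fleet.

```python
"""Idle-inversion check for throttling cryptominers, from CPU samples joined with user-idle state.

Added example for this page; thresholds are assumptions, sample windows are constructed.
"""
from statistics import mean, pstdev
from typing import Callable, Dict, List, NamedTuple, Tuple


class Sample(NamedTuple):
    minute: int         # offset from the start of the window
    cpu_pct: float      # whole-host CPU utilization, 0..100
    user_active: bool   # interactive session activity seen in this minute


def features(samples: List[Sample]) -> Dict[str, float]:
    """Summarise a window in the terms a throttling miner cannot hide.

    A miner that backs off to 20-30% while the user is active and ramps up when
    the host goes idle produces an idle-period load that is HIGHER than the
    active-period load and sits on a flat, high floor. A healthy workstation's
    idle load collapses toward zero; a legitimate batch job raises the idle
    mean but not the floor, and makes the idle series bursty rather than flat.
    """
    idle = sorted(s.cpu_pct for s in samples if not s.user_active)
    active = [s.cpu_pct for s in samples if s.user_active]
    if not idle or not active:
        raise ValueError("window needs both idle and active samples")
    return {
        "idle_mean": mean(idle),
        "active_mean": mean(active),
        "idle_floor": idle[len(idle) // 20],      # roughly the 5th percentile
        "idle_stdev": pstdev(idle),
        "idle_minus_active": mean(idle) - mean(active),
    }


def classify(samples: List[Sample],
             idle_floor_min: float = 60.0,     # assumption: idle load never drops below this
             inversion_min: float = 15.0,      # assumption: idle load exceeds active load by this much
             idle_stdev_max: float = 15.0      # assumption: idle load is flat, not bursty
             ) -> Tuple[str, Dict[str, float]]:
    """Return ("suspect-miner" or "normal", features). All three conditions must hold."""
    f = features(samples)
    inverted = (f["idle_floor"] >= idle_floor_min
                and f["idle_minus_active"] >= inversion_min
                and f["idle_stdev"] <= idle_stdev_max)
    return ("suspect-miner" if inverted else "normal"), f


def synth_window(active_load: Callable[[int], float],
                 idle_load: Callable[[int], float],
                 minutes: int = 480, work_minutes: int = 240) -> List[Sample]:
    """Constructed 8-hour window: four hours of interactive use, then four hours idle."""
    return [Sample(m, (active_load if m < work_minutes else idle_load)(m), m < work_minutes)
            for m in range(minutes)]


# Constructed hosts (not real telemetry):
# a miner throttled to 25-29% while the user works, 93-96% once the host is idle;
MINER_HOST = synth_window(lambda m: 25.0 + m % 5, lambda m: 93.0 + m % 4)
# a healthy workstation, busy during the day and nearly idle at night;
HEALTHY_HOST = synth_window(lambda m: 35.0 + m % 20, lambda m: 2.0 + m % 3)
# a healthy workstation whose backup agent pegs the CPU for one hour of the idle period.
BACKUP_HOST = synth_window(lambda m: 35.0 + m % 20,
                           lambda m: 90.0 if 300 <= m < 360 else 3.0)

if __name__ == "__main__":
    for name, host in (("miner", MINER_HOST), ("healthy", HEALTHY_HOST), ("backup", BACKUP_HOST)):
        verdict, f = classify(host)
        print(f"{name:8s} {verdict:14s} " + " ".join(f"{k}={v:.1f}" for k, v in f.items()))
```

The three conditions are deliberately conjunctive: the floor test removes scheduled jobs, the inversion test removes hosts that are simply always busy (build servers), and the flatness test removes bursty but legitimate idle work. Feed it the per-host utilization and session-state series an endpoint agent already collects, and treat a hit as a trigger for process and network inspection rather than as a verdict on its own.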

The evidence points to a threat that is simultaneously less harmful per incident than ransomware and far more pervasive, with connections to state-sponsored operations that elevate it above the nuisance category. Whether security budgets, law enforcement resources, and legal frameworks will adjust to reflect that reality remains an open question.

Sources (31)

[1] Cryptojacking Continues Crushing Records (sonicwall.com)
    SonicWall recorded 1.06 billion cryptojacking hits in 2023, an unprecedented 659% increase over 2022's totals.

[2] Cryptojacking soars as cyberattacks increase, diversify (helpnetsecurity.com)
    332.3 million cryptojacking attacks were recorded in the first half of 2023, a 399% increase and more than the total during the last three full years combined.

[3] Cryptojacking - The Parasitical Crime (infosecurity-magazine.com)
    Cryptojackers are perceived as committing a 'victimless' crime compared to ransomware, but the damages are real; many victims simply erase the malware without reporting it.

[4] Cryptomining Malware: The Dark Side of the Cryptocurrency Revolution (vercara.digicert.com)
    Today's cryptocurrency mining malware is capable of evading detection and infecting a wide range of devices including Linux machines, web apps, cloud containers, and IoT devices.

[5] Digging Gold with a Spoon – Resurgence of Monero-mining Malware (gdatasoftware.com)
    Monero rallied 45% from $196 to $285 in early 2025, driving a documented resurgence in XMRig-based mining malware campaigns.

[6] XMRig Malware (checkpoint.com)
    XMRig was the top cryptominer, accounting for 43% of cryptomining attacks according to Check Point's 2023 Cyber Security Report.

[7] Malicious Cryptocurrency Miners Takeover, Generating Millions (blog.talosintelligence.com)
    An adversary who has enlisted 2,000 victims could generate about $500 per day, or $182,500 per year, in Monero mining revenue.

[8] The Real Cost of Cryptojacking (securityboulevard.com)
    At an organizational level, cryptojacking costs can quickly add up to hundreds or thousands of dollars per month, in addition to degraded system performance and hardware damage.

[9] What is Cryptojacking? (ibm.com)
    For businesses running large networks or cloud infrastructures, cryptojacking can lead to higher energy bills and inflated cloud service costs.

[10] Cryptojacking – What is it, and how does it work? (malwarebytes.com)
    Cryptojacking scripts can cause phones to overheat to the point of physical damage, shorten device lifespan, and increase electricity costs.

[11] What Is Cryptojacking? (arcticwolf.com)
    The presence of cryptojacking malware often indicates broader vulnerabilities such as unpatched systems, compromised endpoints, or misconfigured cloud workloads.

[12] CryptoJacking is dead: long live CryptoJacking (cside.com)
    Modern cryptojacking has evolved into a silent, multi-stage attack with dropper scripts, WebAssembly checks, Web Workers, and WebSocket C2 communication.

[13] The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts (arxiv.org)
    Fileless malware relies on PowerShell scripts leveraging native Windows capabilities to execute stealthy cryptojacking attacks through memory execution.

[14] Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem (trendmicro.com)
    Trend Micro documented campaigns exploiting Atlassian Confluence vulnerabilities to deploy full cryptomining ecosystems on enterprise servers.

[15] Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours (blog.gitguardian.com)
    Three supply chain attacks hit npm, PyPI, and Docker Hub in 48 hours in April 2026, targeting secrets including API keys, cloud credentials, and SSH keys.

[16] npm Supply Chain Attack: Massive Compromise of debug, chalk, and 16 Other Packages (upwind.io)
    In September 2025, popular npm libraries including debug and chalk were hijacked with malicious code targeting cryptocurrency wallets.

[17] USB Malware Campaign Spreads Cryptominer Worldwide (infosecurity-magazine.com)
    USB-based malware campaigns continue to spread cryptominers across dozens of countries through infected removable drives.

[18] What Is Cryptojacking? Definition & Detection (proofpoint.com)
    Stealth mining may throttle CPU consumption, execute only when user activity is low, or stop during backup windows, increasing dwell time to weeks or months.

[19] Cryptominers' Anatomy: Cryptomining Internals (akamai.com)
    Advanced campaigns install fallback mechanisms alongside miners (rootkits, reverse shells, or hidden C2 check-ins), creating pathways for future exploitation.

[20] Inside Lazarus Group: Analyzing North Korea's Most Infamous Crypto Hacks (hacken.io)
    Since 2017, North Korean hackers have stolen an estimated $3 billion in digital assets to fund the regime's nuclear weapons program.

[21] North Korean hackers tied to $290M crypto heist (upi.com)
    North Korea's Lazarus Group linked to $290M KelpDAO attack in April 2026; U.S. estimates suggest cybercrime accounts for close to half of North Korea's foreign-currency earnings.

[22] Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group (home.treasury.gov)
    U.S. Treasury sanctioned individuals specifically for laundering cryptocurrency on behalf of North Korea's Lazarus Group.

[23] Lazarus Group - Wikipedia (en.wikipedia.org)
    The DOJ claims the group is part of North Korea's strategy to undermine global cybersecurity and generate illicit revenue in violation of sanctions.

[24] Nebraska Man Pleads Guilty in Multi-Million Dollar Cryptojacking Case (justice.gov)
    Charles O. Parks III pleaded guilty to wire fraud for a cryptojacking operation that defrauded cloud providers of more than $3.5 million, facing up to 20 years in prison.

[25] Liability for Unsecured Systems and Networks (nap.nationalacademies.org)
    Holding defendants liable for harm caused by known, unaddressed computer security vulnerabilities would be a reasonable extension of traditional legal principles.

[26] Mass Data Breach Litigation: Legal Liability and Corporate Exposure (daeryunlaw.com)
    Courts have recognized that unpatched vulnerabilities can be central to liability determinations in data breach and cybersecurity litigation.

[27] Cryptojacking (hubinternational.com)
    If a business unknowingly transmits cryptomining code to other organizations, it could face legal liability.

[28] Crypto Ransomware 2025: 35.82% YoY Decrease in Ransomware Payments (chainalysis.com)
    Ransomware payments totaled an estimated $1.1 billion in 2023, declining to $813 million in 2024, a 35.82% year-over-year decrease.

[29] Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware (ibm.com)
    Cryptojacking surged by 450% as cybercriminals pivoted from ransomware to stealthier means of generating income.

[30] Nine Emerging Groups Shaping the Ransomware Landscape (trmlabs.com)
    As law enforcement pressure disrupts major groups, the landscape fragments with actors experimenting with lower-risk monetization strategies.

[31] Cryptojacking Detection with CPU Usage Metrics (ieeexplore.ieee.org)
    Combining CPU monitoring features with machine learning can achieve precision and recall close to 1 for cryptojacking detection.