
What to know
Crypto malware is a type of malware that secretly uses a victim's computing resources — primarily the CPU and GPU — to mine cryptocurrency for the attacker. Unlike ransomware, which locks files and demands payment, crypto malware operates silently in the background, draining hardware and electricity while the attacker collects all the profit.
This article breaks down how cryptocurrency works, what mining actually does, how cryptojacking turns it into a weapon, and what the CoinHive saga taught us about the blurry line between monetization and malware.
A quick primer on cryptocurrency
Cryptocurrency is a type of digital currency that does not rely on banks or any centralized authority. Instead, it uses a peer-to-peer network maintained by users around the world. Transactions are secured with cryptography (hence the name) and recorded on a public distributed ledger called the blockchain.
When transactions occur, they are broadcast to nodes across the network. Multiple transactions get grouped into a block. In proof-of-work blockchains like Bitcoin, special nodes called miners compete to solve a complex cryptographic puzzle associated with that block. The first miner to solve it gets to add the block to the chain, and all the other nodes validate it. Once validated, the block is permanent.
There are thousands of cryptocurrencies. Bitcoin and Ethereum are the two most widely known, but the underlying concept is the same across all proof-of-work coins: computational power secures the network.
How mining works

Mining is the process of using your computer's processing power to help validate blockchain transactions. When a miner successfully solves the cryptographic puzzle for a new block, they are rewarded with cryptocurrency. This is completely legal and is a fundamental part of how proof-of-work networks maintain themselves.
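The puzzle described above, as an added example that is not part of the original article. It is a simplified proof-of-work (single SHA-256 and a leading-zero-bits target, not Bitcoin's actual block format), and the block contents and function names are made up for illustration. It shows why finding a solution costs many hashes while validating one costs a single hash.

```python
import hashlib

# Constructed stand-in for a block of grouped transactions.
BLOCK = b"constructed block: alice->bob 1.5; carol->dave 0.2"


def meets_target(header: bytes, nonce: int, bits: int) -> bool:
    """Validation: one hash is enough to check a claimed solution."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    # The puzzle: the digest, read as an integer, must begin with `bits` zero bits.
    return int.from_bytes(digest, "big") < (1 << (256 - bits))


def mine(header: bytes, bits: int):
    """Mining: try nonces from 0 upward. Returns (nonce, hashes_tried)."""
    nonce = 0
    while not meets_target(header, nonce, bits):
        nonce += 1
    return nonce, nonce + 1


def work_by_difficulty(header: bytes = BLOCK, levels=(8, 12, 16)):
    """Hashes spent at each difficulty; expected cost doubles per extra bit."""
    return {bits: mine(header, bits)[1] for bits in levels}


if __name__ == "__main__":
    for bits, tried in work_by_difficulty().items():
        print(f"{bits:2d} zero bits: {tried} hashes to find, 1 hash to verify")
```
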
The catch is that making any real money from mining requires serious hardware. Professional mining operations use rows of high-end GPUs or purpose-built ASIC machines running around the clock. The electricity costs alone can be enormous. Whether mining is profitable depends largely on your hardware investment and your electricity rate.
This economic reality is exactly what makes crypto malware attractive to attackers: why pay for your own hardware and electricity when you can use someone else's?
From mining to cryptojacking
Cryptojacking is the act of using unauthorized access to someone's device to mine cryptocurrency without their knowledge. The victim pays all the electricity bills and absorbs all the hardware wear while the attacker takes the profit.
A single compromised computer might not mine much. But when the attack scales to thousands or tens of thousands of machines, the combined output becomes significant. This is what makes cryptojacking a viable criminal business model — volume over individual yield.

What crypto malware does on your machine
Crypto malware is the delivery mechanism for cryptojacking. Once it infects a system, it installs mining software that runs silently in the background. The malware is designed to persist over long periods without detection, often throttling its resource usage to avoid obvious symptoms.
The impact on victims includes:
Increased electricity bills — mining is energy-intensive, and the cost shows up on the victim's power bill
Degraded performance — CPU and GPU usage spikes cause slowdowns, lag, and overheating
Hardware damage — sustained high loads can shorten component lifespan and cause premature failures
Higher cooling costs — devices running at full load generate more heat, increasing cooling requirements
For businesses, the effects multiply. Entire server farms or employee workstations running mining software can rack up significant costs before anyone notices something is wrong.
Browser-based cryptojacking
Not all cryptojacking requires installing malware on a device. Attackers can embed cryptocurrency mining code directly into websites. When a user visits a compromised site, the code runs in their browser and uses their CPU for mining as long as they remain on the page. Once they close the tab, the mining stops.
This approach is stealthier than traditional malware because it leaves no files on the victim's system. The only signs are a sluggish browser and a suddenly loud fan.
The CoinHive story
The most notable example of browser-based cryptojacking came from CoinHive, a service launched in 2017. CoinHive provided a JavaScript snippet that website owners could embed in their pages. When visitors loaded the site, the code would use a portion of their computing power to mine Monero (a privacy-focused cryptocurrency).
CoinHive marketed itself as a legitimate alternative to display advertising. Instead of showing ads, websites could generate revenue by borrowing visitors' CPU cycles. Some sites were transparent about it and openly informed their users. This was legal and, in concept, not unreasonable.
But the problems started quickly:
Many site owners used CoinHive secretly without telling visitors their computers were being used for mining
Attackers injected CoinHive code into hacked websites without the site owner's knowledge, turning thousands of legitimate sites into unwitting mining operations
The code spread across the internet as cybercriminals adopted it as a quick monetization tool for any site they could compromise
Because of its widespread abuse, security tools began flagging CoinHive's code as malicious regardless of whether it was deployed with consent. The service ultimately shut down in March 2019, citing declining Monero values and the loss of viability after a Monero hard fork reduced mining efficiency.
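For site owners worried about the injection scenario above, one way to audit a page for script sources they never added (an added example, not code from the original article or from CoinHive). The hostnames, the sample page and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Third-party hosts the owner knowingly loads scripts from (assumed).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}

# Constructed page: two expected scripts and one injected include.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib/ui.js"></script>
<script src="//miner-pool.invalid/lib/worker.min.js"></script>
</head><body><p>Hello</p></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def unexpected_scripts(html, page_url, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return resolved script URLs whose host is neither the page's own nor allowlisted."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    # urljoin resolves relative and protocol-relative (//host/...) sources.
    resolved = [urljoin(page_url, src) for src in collector.sources]
    return [u for u in resolved
            if urlparse(u).hostname not in allowed | {page_host}]


def csp_script_src(allowed=ALLOWED_SCRIPT_HOSTS):
    """Content-Security-Policy directive that makes browsers enforce the same allowlist."""
    hosts = " ".join(f"https://{h}" for h in sorted(allowed))
    return f"script-src 'self' {hosts}"
```

The audit finds an include after the fact; sending the directive from `csp_script_src` in a `Content-Security-Policy` header makes the browser refuse scripts from any other host, including inline scripts.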
Why crypto malware persists
Despite fluctuating cryptocurrency values and increasing difficulty in mining, cryptojacking remains a prevalent attack. The economics still work at scale: the attacker has zero infrastructure cost, and each compromised device adds a small amount of mining output. Botnets running crypto malware across thousands of machines can generate steady income with minimal risk compared to other forms of cybercrime.
Additionally, crypto malware is harder to detect than many other threats. There is no ransom note, no stolen data, and no obvious breach. The malware just quietly consumes resources, and many victims never realize they have been compromised.
How to protect yourself
Monitor system performance — unexplained CPU or GPU spikes, especially when idle, can indicate mining activity
Use reputable security software — modern antivirus tools detect known crypto mining malware
Keep software updated — crypto malware often exploits known vulnerabilities in outdated systems
Use browser extensions that block mining scripts (such as No Coin or minerBlock)
Check Task Manager or Activity Monitor regularly for unfamiliar processes consuming high CPU
Be cautious with downloads — crypto malware is commonly distributed through pirated software, malicious email attachments, and compromised websites
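The first and fifth points can be automated. The sketch below is an added example, not part of the original article: it compares a simple spike alert with a check for steady load while the user is idle, which is the pattern a throttled miner produces. The process names, CPU samples and thresholds are constructed; in practice the samples would come from whatever endpoint telemetry you already collect.

```python
from collections import defaultdict
from statistics import median

# Constructed per-minute CPU % for three processes over ten minutes.
# The user is active for minutes 0-3 and idle for minutes 4-9.
# "updater-svc" is a made-up name standing in for a throttled miner.
IDLE = [False] * 4 + [True] * 6
CPU = {
    "browser":     [60, 70, 55, 65, 2, 1, 3, 2, 1, 2],
    "backup-job":  [3, 2, 4, 3, 5, 95, 90, 4, 3, 2],
    "updater-svc": [5, 4, 6, 5, 38, 40, 41, 39, 40, 42],
}
SAMPLES = [(minute, name, pct, IDLE[minute])
           for name, series in CPU.items()
           for minute, pct in enumerate(series)]


def spike_alerts(samples, threshold=90):
    """Naive check: any single sample at or above the threshold."""
    return sorted({name for _, name, pct, _ in samples if pct >= threshold})


def sustained_idle_load(samples, floor=25, min_samples=5, ratio=0.9):
    """Flag processes that hold a steady load while the user is idle.

    Returns {process name: median idle CPU %} for processes that sit at or
    above `floor` in at least `ratio` of their idle-time samples.
    """
    idle = defaultdict(list)
    for _, name, pct, user_idle in samples:
        if user_idle:
            idle[name].append(pct)
    flagged = {}
    for name, series in idle.items():
        if len(series) < min_samples:
            continue  # too little idle-time data to judge
        share_busy = sum(pct >= floor for pct in series) / len(series)
        if share_busy >= ratio:
            flagged[name] = median(series)
    return flagged


if __name__ == "__main__":
    print("spike alert:", spike_alerts(SAMPLES))
    print("sustained idle load:", sustained_idle_load(SAMPLES))
```

On this data the spike alert fires only on the short-lived backup job, while the idle-time check singles out the process that never exceeds 42% but never lets go of the CPU either.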
Key takeaways
Crypto malware mines cryptocurrency using the victim's hardware and electricity without their consent
Cryptojacking scales through volume — thousands of compromised machines make the attack profitable
Browser-based mining (like CoinHive) showed that cryptojacking does not even require traditional malware
The attack is stealthy by design — no ransom demands, no data theft, just silent resource drain
Monitoring CPU usage and keeping security tools updated are the best defenses





