As headlines focus on high-profile crypto thefts, a quieter but rapidly growing threat is infiltrating organizations worldwide: cryptojacking. This invisible cyberattack hijacks computing power to mine cryptocurrency, leaving victims with soaring energy bills, sluggish devices, and heightened security risks, all while remaining undetected.

Key points:

  • Cybercriminals covertly exploit computers, smartphones, and servers to mine cryptocurrency, often without the user’s knowledge or consent.
  • In 2024, the US Agency for International Development suffered a cryptojacking attack, which resulted in USD 500,000 in damages.
  • Malicious code is typically delivered through phishing emails, compromised websites, or infected browser extensions, enabling attackers to operate in the background and spread across networks.
  • Beyond financial and operational costs, cryptojacking signals deeper security vulnerabilities. Robust defense strategies – system monitoring, network analysis, and employee awareness – are critical to prevention.

Your phone’s battery overheats, your laptop fan whirs nonstop, and your electricity bill spikes. You shrug off these annoyances. But what if they are signs of an active cybercrime?

What is cryptojacking?

In the first half of 2025, cybercriminals stole over USD 2.1 billion through cryptocurrency-related attacks.1 Most losses resulted from wallet compromises and phishing campaigns. While these incidents dominate headlines, a more insidious threat operates in the background: cryptojacking. This cyberattack involves criminals hijacking the computing resources of a victim’s device – such as computers, smartphones or servers – to mine cryptocurrency without the user’s knowledge.

Cryptojacking in action

In fall 2024, the US Agency for International Development (USAID) was notified by Microsoft of a security breach. An administrator account was compromised through a password spray attack,2 leading to the creation of a second account. Both accounts were used to launch crypto mining operations via USAID’s Azure resources, resulting in an estimated USD 500,000 in damages. In response, USAID implemented stronger password policies, mandated multi-factor authentication (MFA), and enhanced security monitoring to prevent future attacks.3

How it works

Cryptojacking is driven by profit. Mining cryptocurrencies can be very lucrative but requires expensive hardware and high energy consumption. For attackers, hijacking victims’ devices and networks offers a way to mine coins for free.4

Attackers typically deliver cryptojacking malware through:5

  • Phishing emails with infected links or attachments
  • Compromised websites or online ads (also known as drive-by mining)
  • Malicious browser extensions or third-party plugins

Unlike ransomware, which locks users out, cryptojacking operates silently in the background – victims continue using their devices, unaware that their resources are being hijacked (see Picture 1). Some cryptojacking malware spreads like a worm, moving through networks, infecting multiple devices, and consuming their computing power along the way.

Picture 1: Inside the hidden mining process

This flow chart illustrates the process by which cryptojacking malware infiltrates a device, covertly hijacks its computing resources, and silently mines cryptocurrency without the user's awareness.

At first glance, cryptojacking might seem less harmful than ransomware or data breaches. However, its impact can be significant: higher electricity bills, potential hardware damage from overuse, and productivity losses due to slower system performance. More importantly, the presence of cryptojacking software signals deeper security vulnerabilities: if attackers can install cryptojacking malware, they may also introduce other malicious code.6

Signs of a silent attack

Cryptojacking is stealthy and designed to avoid detection, often running unnoticed for extended periods. Effective detection requires a multi-layered approach, including monitoring system performance, analyzing network traffic, and observing browser behavior. Warning signs include:7

  • Performance issues such as system slowdown, freezing, crashing, or overheating
  • High CPU/GPU8 usage with minimal activity
  • Unexplained spikes in energy consumption
  • Unusual outbound network traffic or large data transfers to unknown locations
  • Suspicious or unfamiliar processes running in the background
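
Several of these signs can be checked together on host telemetry: sustained high CPU while the user is idle, an unfamiliar process, and outbound traffic to an unknown destination. The following is an added example, not part of the original article; the thresholds, allowlists, process names and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds and allowlists; tune them against your own baseline.
CPU_HIGH = 80.0      # percent CPU considered "high"
IDLE_SECS = 300      # no user input for this long counts as minimal activity
MIN_STREAK = 3       # consecutive matching samples required before flagging
KNOWN_PROCS = {"chrome", "outlook", "backupd"}      # hypothetical allowlist
KNOWN_DESTS = {"10.0.0.5", "updates.example.com"}   # hypothetical allowlist

@dataclass
class Sample:
    ts: int          # sample time in seconds
    proc: str        # process name
    cpu: float       # CPU usage in percent
    idle: int        # seconds since last user input
    dest: str = ""   # outbound destination seen for the process, if any

def detect(samples):
    """Return {process: [reasons]} for processes matching the warning signs."""
    streak, dests, findings = {}, {}, {}
    for s in sorted(samples, key=lambda x: x.ts):
        if s.dest:
            dests.setdefault(s.proc, set()).add(s.dest)
        hot = s.cpu >= CPU_HIGH and s.idle >= IDLE_SECS
        # A single spike is normal; only an unbroken run of hot samples counts.
        streak[s.proc] = streak.get(s.proc, 0) + 1 if hot else 0
        if streak[s.proc] >= MIN_STREAK:
            findings[s.proc] = ["sustained high CPU while user idle"]
    # Corroborating signs are attached only to processes already flagged.
    for proc, reasons in findings.items():
        if proc not in KNOWN_PROCS:
            reasons.append("unfamiliar process")
        unknown = sorted(dests.get(proc, set()) - KNOWN_DESTS)
        if unknown:
            reasons.append("outbound traffic to unknown destination: " + ", ".join(unknown))
    return findings

# Constructed telemetry: one sample per minute for three processes.
SAMPLES = [
    Sample(0, "chrome", 95.0, 5), Sample(60, "chrome", 92.0, 8),
    Sample(120, "chrome", 90.0, 3),                      # busy, but user is active
    Sample(0, "backupd", 88.0, 600, "10.0.0.5"),
    Sample(60, "backupd", 85.0, 660, "10.0.0.5"),
    Sample(120, "backupd", 12.0, 720),                   # short burst, then quiet
    Sample(0, "kworkerx", 97.0, 600, "203.0.113.9"),
    Sample(60, "kworkerx", 96.0, 660),
    Sample(120, "kworkerx", 98.0, 720, "203.0.113.9"),   # hot for the whole idle period
]

if __name__ == "__main__":
    for proc, reasons in detect(SAMPLES).items():
        print(proc, "->", "; ".join(reasons))
```

A flagged process is a lead for investigation rather than proof of mining: legitimate batch jobs can also run hot while the user is away, which is why the allowlists and the streak length need to reflect the local baseline.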

Defense strategy

Cryptojacking is a stealthy and increasingly common cyber threat that exploits the computing power of individuals and organizations to mine cryptocurrency illegally. While it may not cause immediate, visible damage like ransomware, it can significantly slow IT systems, raise operational costs, and increase security risks. An effective defense strategy requires monitoring, network analysis, and employee awareness.

The UBS security equity strategy invests in leading IT security companies that provide products and services to detect cyber threats and effectively protect individuals, companies and governments.
