What is illicit cryptocurrency mining?

An illicit cryptominer is potentially unwanted or malicious code designed to hijack the idle processing power of a targeted device and misuse it to mine cryptocurrency. The mining activity is usually hidden or runs in the background without obtaining consent from the user or admin.

4 min read

4 min read

How do illicit cryptocurrency miners work?

There are two main types of illicit cryptominers:

1. Binary-based – malicious applications downloaded and installed onto a targeted device with the intent to mine cryptocurrency. The majority of these applications are in the form of Trojan horse viruses.

2. Browser-based – malicious JavaScript embedded into a web page or section of a web page, designed to mine cryptocurrency via the browsers of the site’s visitors. This method is dubbed cryptojacking and has become increasingly popular with cybercriminals since mid-2017. ESET detects the majority of cryptojacking scripts as potentially unwanted applications (PUAs).


Most illicit cryptominers attempt to mine Monero or Ethereum. These cryptocurrencies offer cybercriminals several benefits over the better-known bitcoin: they have a higher level of transaction anonymity and, most importantly, can be mined with regular CPUs and GPUs instead of expensive and specialized hardware. Cryptomining and cryptojacking attacks have been detected on all popular desktop platforms, as well as on Android and iOS.

Why should SMBs care about illicit cryptominers?

30% of UK organizations fell victim to a cryptojacking attack in the previous month, a recent survey among 750 IT executives across the UK has found. These statistics document two things:

  1. Despite illicit cryptomining posing a threat with seemingly lower severity, organizations should not underestimate the risk it represents. Mining usually hijacks a large portion of hardware’s processing power reducing performance and productivity. The power-intensive process causes additional stress to the hardware components and can damage targeted devices, shortening their lifespans.
  1. Cryptocurrency miners expose vulnerabilities in an organization’s cybersecurity, which can lead to severe compromises and disruptions. Due to their higher and concentrated performance, business infrastructures and networks are a more valuable target than consumer devices, promising the attacker higher earnings within a shorter timeframe.

How to recognise a cryptocurrency mining attack?

Cryptomining and cryptojacking are typically associated with extremely high processor activity, which has noticeable side effects. Watch out for the following:

  • Visibly reduced performance and productivity
  • Unusual energy consumption
  • Suspicious network traffic such as file changes or failed log in attempts

On Android devices additional computational load causes:

  • Shorter battery life
  • Noticeably increased device temperature
  • Lower device productivity
  • Physical damage from “bloating” of the battery in worst case scenarios

How to keep your organisation protected from cryptocurrency miners?

  1. Protect your endpoints, servers and other devices with reliable and multilayered security solutions able to detect potentially unwanted (PUA) cryptomining scripts as well as cryptomining Trojans.
  2. Implement Intrusion Detection Software (IDS) that helps identify suspicious network patterns and communication potentially tied to illicit cryptocurrency mining (infected domains, outgoing connections on typical mining ports such as 3333, 4444 or 8333, signs of persistence, etc.).
  1. Increase network visibility by using a remote management console to enforce security policies and monitor system status.
  2. Train all employees (including top management and network administrators) in how to maintain good cyber-hygiene. Create and use strong passwords, reinforced with two-factor authentication, increasing the protection of company systems in case passwords are leaked or brute forced.

Additional measures

  1. Follow the principle of least privilege. All users should only have user accounts with as few permissions as possible, that allow them to complete their current tasks. This approach significantly lowers the risk of users and admins being manipulated into opening or installing cryptominers or other malicious software in a device connected to the company network.
  2. Use application controls that narrow the software allowed to run to a minimum, preventing the installation of cryptomining malware.
  3. Implement a good update and patching policy to significantly lower the chance of an organization being compromised via previously-known vulnerabilities as many advanced cryptominers use known exploits, such as EternalBlue, for their primary distribution.
  4. Monitor company systems for excessive power usage or other energy consumption anomalies that might point to unsolicited cryptomining activity.

Prevent cryptocurrency mining now


Get effective protection against cryptocurrency mining with ESET multilayered endpoint security solutions. Detect potentially unwanted (PUA) cryptomining scripts, cryptomining Trojan horses and benefit from a Ransomware Shield and LiveGrid® protection via the cloud and network attack protection. Combine ESET’s powerful scanning engine with ESET Cloud Administrator (ECA) and gain detailed network visibility.

Related topics