DEV Community

CAISD

The Silent Heist: How Cryptojackers Stole Millions Without Anyone Noticing


Your computer is working harder than it should. Your electricity bill crept up last month. Your fan never stops.

You think it's normal. It isn't.


Cryptojacking is the most invisible crime in cybersecurity. Ransomware announces itself with a terrifying popup; data theft triggers breach notifications. Cryptojacking leaves few visible signs beyond a slower PC and a higher electricity bill.

The attacker's business model is elegant in its cruelty: use your hardware, consume your electricity, pay nothing, collect everything.

And it worked. For years. At massive scale.

This is the story of how it happened.


The Anatomy of a Cryptojacking Attack

Before we get to the real incidents, you need to understand the attack chain. Because once you see it, you'll understand why these campaigns ran undetected for so long.

Step 1 — The Bait

The most common entry point isn't a sophisticated exploit. It's a website.

A victim searches for a free version of expensive software — Photoshop, Microsoft Office, a game. They land on a site with fake reviews, fake virus scan badges, and fabricated download counts in the millions. Everything looks legitimate. There's a green checkmark. "Scanned and verified."

One click. 847 MB downloading. Progress bar moving.

Nothing suspicious.

Step 2 — Installer Deception

The installer opens. The software appears to install perfectly. "Installation complete." There's even a shortcut on the desktop.

What the user sees: a working application.

What actually happened: XMRig — the world's most widely used cryptomining software — was silently extracted to %APPDATA%\svchost32.exe during installation. The installer was a wrapper. The real payload was always the miner.

Traditional antivirus: often silent. XMRig is open-source software with legitimate uses, so signature engines treat it as a potentially unwanted application at best, and droppers ship packed or recompiled builds that the stock signatures don't match. What's malicious is the deployment, and signatures don't see deployment.

Step 3 — Persistence (The Part Most People Don't Know About)

This is where the attack becomes truly dangerous. Three mechanisms activate simultaneously:

Registry Autorun

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsOptimizer" = %APPDATA%\svchost32.exe

Every Windows login — the miner restarts automatically.

Task Scheduler
A scheduled task fires every five minutes. Kill the process, it relaunches in seconds. Self-healing malware.

Windows Defender Exclusion

# Needs local administrator rights, which the installer's UAC prompt already obtained
Add-MpPreference -ExclusionPath $env:APPDATA

The entire AppData folder is now skipped by Defender's scans, so the miner is never looked at again. Two details matter here: Add-MpPreference needs local administrator rights, which on a home PC the installer already has once the user clicks through its UAC prompt, and the exclusion survives reboots and Defender updates until someone removes it.

At this point the malware is effectively permanent for a typical user. Kill the process and the scheduled task relaunches it within minutes. Unless all three entries go, the Run key, the task and the exclusion, it keeps coming back, and most people give up long before they find them.

Step 4 — Process Injection

XMRig doesn't run under its own name. That would be too visible.

Instead, the loader injects the mining code into explorer.exe, the Windows shell process that every user expects to see and that naive allowlists treat as benign.

The injection sequence:

OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, PID of explorer.exe)
VirtualAllocEx → allocate an executable (PAGE_EXECUTE_READWRITE) region inside explorer.exe
WriteProcessMemory → copy the miner payload into that region
CreateRemoteThread → start a thread in explorer.exe at the copied code

Result: Task Manager shows explorer.exe, a legitimate Windows process, consuming 94% CPU. To a non-expert that reads as Windows misbehaving rather than malware. To a defender it is exactly the anomaly to chase: the shell has no business doing sustained computation, and a thread in explorer.exe whose start address maps to no loaded module is a classic injection indicator.
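The same chain is visible to a defender in Sysmon telemetry: Event ID 10 (ProcessAccess) records the OpenProcess call with the access mask granted, and Event ID 8 (CreateRemoteThread) records the thread start, including which module the start address falls in. The following Python is an added example, not code from the original post or from CAISD's simulation, that scores constructed events of that shape; the sample lines, the user name, the trusted-directory list and the target list are assumptions.

```python
"""Added example: flag process-injection indicators in Sysmon events.

Constructed sample events (not real logs) in a flattened key="value" form.
Sysmon Event ID 10 = ProcessAccess (OpenProcess), Event ID 8 = CreateRemoteThread.
"""
import re
from pathlib import PureWindowsPath

# Access-right bits from winnt.h. The injection chain in the text needs all three.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that legitimately touch other processes (assumption); anything else gets scrutiny.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Targets attackers favour because their CPU use draws little suspicion (assumption).
HIGH_VALUE_TARGETS = {"explorer.exe", "svchost.exe", "dwm.exe", "runtimebroker.exe"}

# Constructed sample: one benign remote thread, then the chain described in the text.
EVENTS = [
    r'EventID="8" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\explorer.exe" StartModule="C:\Windows\System32\ntdll.dll" StartFunction="LdrInitializeThunk"',
    r'EventID="10" SourceImage="C:\Users\bob\AppData\Roaming\svchost32.exe" TargetImage="C:\Windows\explorer.exe" GrantedAccess="0x1F0FFF"',
    r'EventID="8" SourceImage="C:\Users\bob\AppData\Roaming\svchost32.exe" TargetImage="C:\Windows\explorer.exe" StartModule="" StartFunction=""',
]


def parse_event(line):
    """Turn 'Key="value" ...' into a dict; EventID becomes an int."""
    ev = dict(re.findall(r'(\w+)="([^"]*)"', line))
    ev["EventID"] = int(ev["EventID"])
    return ev


def trusted_source(image):
    return image.lower().startswith(TRUSTED_SOURCE_DIRS)


def injection_findings(lines):
    """Return (reason, source, target) tuples for events matching the injection chain."""
    out = []
    for line in lines:
        ev = parse_event(line)
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        tgt_name = PureWindowsPath(tgt).name.lower()
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            # OpenProcess asking for write + allocate + thread rights from an untrusted image.
            if (granted & INJECT_MASK) == INJECT_MASK and not trusted_source(src):
                out.append(("open_with_injection_rights", src, tgt))
        elif ev["EventID"] == 8:
            # A thread whose start address maps to no module is running injected code.
            unbacked = ev.get("StartModule", "") == ""
            if unbacked:
                out.append(("remote_thread_unbacked", src, tgt))
            elif not trusted_source(src) and tgt_name in HIGH_VALUE_TARGETS:
                out.append(("remote_thread_untrusted_source", src, tgt))
    return out


if __name__ == "__main__":
    for finding in injection_findings(EVENTS):
        print(*finding)
```

An empty StartModule is the strongest single signal here: legitimate remote threads start inside a loaded module such as ntdll.dll. The 0x1F0FFF mask (PROCESS_ALL_ACCESS) is what a lazy loader requests; a careful one asks only for the three bits in INJECT_MASK, which is why the check tests the bits rather than the whole value.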

Step 5 — Live Mining

The attack is complete. The miner connects to pool.minexmr.com on port 4444 using Stratum, a line-delimited JSON-RPC protocol over TCP that pools also offer wrapped in TLS. It is not HTTPS, but to a firewall that allows arbitrary outbound TCP an encrypted Stratum session looks like any other encrypted connection.

The CPU runs at maximum capacity, 24 hours a day. The attacker's Monero wallet receives deposits every few minutes. The victim's electricity bill increases by $14–22 per month.
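Because Stratum is plaintext JSON-RPC unless the pool offers TLS, the login burst at the start of the connection identifies the miner regardless of which port it uses. The Python below is an added example, not from the original post, that classifies reassembled TCP payloads by content; the sample messages (a constructed XMRig login with a placeholder wallet, a Bitcoin-style subscribe and an HTTP request) are made up for the demonstration.

```python
"""Added example: recognise Stratum mining traffic by content, not by port.

Stratum is line-delimited JSON-RPC. XMRig-style (Monero) pools use "login"/"submit"
with a params object; Bitcoin-style pools use "mining.subscribe" etc. with a params list.
"""
import json

STRATUM_METHODS = {
    "login", "submit", "keepalived", "job",                                   # XMRig / Monero pools
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",  # Bitcoin-style pools
}


def stratum_messages(payload: bytes):
    """Return (method, detail) for every Stratum message in a reassembled TCP stream."""
    hits = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue                      # HTTP, TLS records, binary noise: not Stratum
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        if isinstance(params, dict):      # XMRig login carries wallet, agent and algorithms
            detail = {k: params.get(k) for k in ("login", "agent", "algo")}
        elif isinstance(params, list):
            detail = {"params": params}
        else:
            detail = {}
        hits.append((method, detail))
    return hits


def is_mining_stream(payload: bytes) -> bool:
    """True when the stream contains a pool login/subscribe, the miner's first message."""
    return any(m in ("login", "mining.subscribe", "mining.authorize")
               for m, _ in stratum_messages(payload))


# Constructed samples; the wallet address is a placeholder, not a real one.
XMRIG_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4EXAMPLE_WALLET_NOT_REAL",'
    b'"pass":"x","agent":"XMRig/6.21.0","algo":["rx/0","cn/r"]}}\n'
)
BTC_SUBSCRIBE = b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (XMRIG_LOGIN, BTC_SUBSCRIBE, HTTP_GET):
        print(is_mining_stream(sample), stratum_messages(sample))
```

Run this over stream payloads exported from a sensor (Zeek or Suricata extraction, or a pcap reassembly) rather than single packets, since a login line can straddle segments. When the session is TLS, content inspection fails; fall back to destination reputation, the port heuristic in the detection section, and the host-side tell: a process holding a long-lived outbound socket while pegging the CPU.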

Why Monero and not Bitcoin?

Three reasons, and they all matter:

  1. Monero's RandomX algorithm is designed for general-purpose CPUs. The victim's ordinary laptop is genuinely useful to the attacker. Bitcoin mining is dominated by ASIC hardware costing thousands of dollars; a stolen CPU produces effectively zero Bitcoin.

  2. Monero transactions are hard to trace by design. Ring signatures obscure the sender, stealth addresses hide the recipient, and RingCT hides the amount. The blockchain gives investigators little to work with.

  3. No special hardware needed. Any computer works. Yours works.

Average time before detection: three weeks.
In some documented cases: over three years.


Real Attacks. Real Scale. Real Losses.

1. The MikroTik Campaign — 415,000 Routers (2018)

In July 2018, a security researcher noticed something strange: traffic from MikroTik routers was quietly connecting to Coinhive — a browser-based Monero mining service.

The vulnerability was CVE-2018-14847, a directory-traversal flaw in MikroTik's Winbox service that let an unauthenticated client read arbitrary files from the router, including the user database. An attacker could pull admin credentials from any exposed router without logging in.

The campaign started in Brazil. 72,000 routers in the first wave. The attacker then evolved their technique — instead of injecting Coinhive into every page (too visible, too noisy), they inserted it only into error pages. A user hitting a 404 would unknowingly mine for the attacker. No one looked at error pages.

By the time researchers tracked the full scope: 415,000 routers across 15+ countries were compromised. ISP infrastructure. Home networks. Small business firewalls. All quietly mining Monero in the background.

The attacker also enabled a backdoor, added a RouterOS scheduler entry that periodically fetched updates from the attacker, and left other persistence in place, meaning that even after Winbox was patched, compromised routers kept mining until each one was individually cleaned. A patch closes the door; it does not undo what already came through it.

The lesson: a single unpatched vulnerability in widely deployed infrastructure can become a mining empire.


2. Tesla's AWS Infrastructure (February 2018)

In February 2018, security researchers at RedLock discovered that Tesla's Kubernetes management dashboard was accessible from the public internet — with no password.

Kubernetes orchestrates containers across a fleet of machines. Its dashboard exposed the cluster: configuration, environment variables, running pods, and, crucially, a pod that held credentials for Tesla's AWS environment.

The attackers didn't announce themselves. They accessed Tesla's AWS environment and quietly spun up mining workloads using the Stratum mining protocol. To avoid detection, they were deliberate:

  • CPU usage was intentionally kept low to stay below monitoring thresholds
  • Mining traffic went to a pool endpoint fronted by Cloudflare, so the pool's real IP address never appeared in Tesla's logs
  • The pool was not on any blocklist and listened on a non-standard port, so IP and port rules missed it

Tesla's own security monitoring didn't catch it. RedLock found it during an external audit.

The researchers reported it through Tesla's bug bounty program and received exactly $3,133.70 — a number that in hacker culture reads as "leet" (1337). Whether intentional or not, it became a memorable footnote.

The data exposed during the breach included telemetry data, vehicle mapping, and internal service credentials. The cryptojacking was the visible symptom. The access was the real concern.

The lesson: a misconfigured cloud dashboard with no authentication is an open door. The attacker doesn't need to break anything — they just walk in.


3. Government Websites — UK, US, Australia (February 2018)

On February 11, 2018, cybersecurity researcher Scott Helme received an unusual alert: his browser was trying to execute mining code while he was visiting a UK government website.

He traced it to Browsealoud — a popular accessibility plugin used by hundreds of government and public sector websites to read page content aloud for visually impaired users. The plugin was used by the UK's NHS, ICO, the UK court system, and dozens of US and Australian government portals.

Someone had compromised Browsealoud's content delivery infrastructure and injected the Coinhive mining script into the plugin itself.

Every visitor to every affected website — reading a council tax page, checking court dates, accessing NHS information — was unknowingly mining Monero for an anonymous attacker. No download. No installation. Just loading a webpage.

The attack affected an estimated 4,200+ websites in a single deployment. Because the script came from an allowlisted third-party origin, Content Security Policy let it run, and none of the affected sites pinned the file with Subresource Integrity, which would have made the browser reject the modified script.

This is the supply chain attack in its purest form: you don't attack the target directly. You attack something the target trusts completely.

Browsealoud was taken offline within hours of discovery. The attacker collected Monero for approximately four hours before detection.

The lesson: third-party scripts are your attack surface. If you don't control it, you can't trust it.
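This is what Subresource Integrity checks: the browser hashes the fetched script and compares it with the hash in the tag before executing it. The Python below is an added example, not part of the original post, that reproduces the browser's check; the script contents are constructed stand-ins, not Browsealoud's real code.

```python
"""Added example: the Subresource Integrity check a browser performs on a script."""
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the algorithms SRI recognises


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """The integrity value for a file: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser: keep only the strongest listed algorithm, accept if any of its hashes match."""
    tokens = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in STRENGTH:
            tokens.append((algo, rest.split("?", 1)[0]))   # a '?options' suffix is ignored
    if not tokens:
        return True   # no recognised hash means no enforcement, per the spec
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(
        hashlib.new(a, content).digest() == base64.b64decode(b64)
        for a, b64 in tokens
        if STRENGTH[a] == strongest
    )


def script_tag(src: str, content: bytes) -> str:
    """The tag a site operator publishes; crossorigin is required for cross-origin SRI."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


# Constructed stand-ins, not the real Browsealoud script.
ORIGINAL = b"window.BrowseAloud = function () { /* accessibility widget */ };\n"
TAMPERED = ORIGINAL + b"/* constructed stand-in for an injected miner loader */ loadMiner();\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/widget.js", ORIGINAL))
    print("original accepted:", sri_matches(ORIGINAL, sri_hash(ORIGINAL)))
    print("tampered accepted:", sri_matches(TAMPERED, sri_hash(ORIGINAL)))
```

The catch for a site operator is that the hash pins one exact file, so a vendor that updates its script without publishing new hashes breaks the page rather than the attacker. SRI also covers only the file in the tag; a loader that fetches further scripts leaves those unprotected unless they carry integrity attributes too.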


4. TeamTNT — Docker and AWS Credential Theft (2020–2021)

TeamTNT was different. Where most cryptojacking campaigns were opportunistic, TeamTNT was systematic.

The group specifically targeted Docker daemon APIs exposed to the public internet on port 2375 — a configuration mistake that leaves the container management interface completely open, with no authentication required.

Their tooling was sophisticated:

  • masscan and pnscan for high-speed internet scanning to find exposed Docker ports
  • mimipenguin and mimipy, Linux adaptations of the Windows credential-dumping tool Mimikatz, to extract passwords from memory
  • Black-T, their custom malware framework, which could identify and kill competing miners on the same host before deploying XMRig

The credential theft component elevated TeamTNT beyond typical cryptojackers. They weren't just stealing CPU — they were harvesting AWS access keys from environment variables in compromised containers, then using those keys to spin up additional cloud infrastructure for mining.

One compromised Docker host could yield credentials to an entire AWS organization. The blast radius extended far beyond the original target.

TeamTNT also implemented a "killer" module that specifically hunted for and terminated other cryptominers running on the same system — treating the victim's hardware as contested territory to be monopolized.

The lesson: exposed management interfaces are not just your problem. They're the attacker's resource.
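Exposed daemons of this kind are a configuration error you can audit from the host's own files. The Python below is an added example, not from the original post or any TeamTNT tooling, that checks dockerd's daemon.json and systemd ExecStart line for a TCP listener without client authentication, with the weak and hardened settings side by side; both configurations and the addresses in them are constructed.

```python
"""Added example: audit dockerd for the exposed-API misconfiguration TeamTNT scanned for.

Checks both /etc/docker/daemon.json and a systemd ExecStart line, because the
"hosts" setting can come from either. All sample configurations are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit


def listen_hosts(daemon_json: str = "{}", execstart: str = ""):
    """Collect every -H/--host listener from daemon.json and the dockerd command line."""
    cfg = json.loads(daemon_json or "{}")
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(execstart)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts, cfg


def audit_docker_api(daemon_json: str = "{}", execstart: str = ""):
    """Return (severity, message) findings for TCP listeners on the Docker API."""
    hosts, cfg = listen_hosts(daemon_json, execstart)
    client_auth = bool(cfg.get("tlsverify"))     # mutual TLS: clients need a CA-signed cert
    certs_present = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue                             # unix:// and fd:// stay on the host
        u = urlsplit(h)
        bind = u.hostname or "0.0.0.0"           # dockerd listens on all interfaces when omitted
        port = u.port or (2376 if client_auth else 2375)
        loopback = bind.startswith("127.") or bind == "::1"
        if not client_auth:
            findings.append(("CRITICAL", f"{h}: API on {bind}:{port} without client authentication; "
                             "any client that can reach it can run containers as root on this host"))
        elif not certs_present:
            findings.append(("HIGH", f"{h}: tlsverify is set but tlscacert/tlscert/tlskey are not all configured"))
        elif not loopback:
            findings.append(("INFO", f"{h}: mutual-TLS API bound to {bind}; restrict reachability at the firewall too"))
    return findings


# Constructed samples: the mistake in the text, and a hardened equivalent.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, findings in (("weak daemon.json", audit_docker_api(WEAK_DAEMON_JSON)),
                            ("weak ExecStart", audit_docker_api(execstart=WEAK_EXECSTART)),
                            ("hardened", audit_docker_api(HARDENED_DAEMON_JSON))):
        print(label, findings)
```

Any client that can reach an unauthenticated Docker API can start a container with the host filesystem mounted, which amounts to root on the host; that is why the severity stays CRITICAL even for an internal address. The hardened form uses tlsverify with a CA, binds a specific interface, and still relies on a firewall for reachability.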


5. CP3O — The Cloud Fraud (2024)

Charles O. Parks III — known online as "CP3O" — didn't deploy malware. He didn't need to.

Parks opened accounts with two major cloud providers under false identities and business names, then used them to provision large numbers of GPU-heavy instances for cryptocurrency mining. When the bills came due, he didn't pay, and moved on to fresh fraudulent accounts.

The total unpaid cloud infrastructure bill: roughly $3.5 million according to the Department of Justice, for about $970,000 in mined coins.

The cryptocurrency he mined (the indictment lists Ether, Litecoin and Monero) was converted to cash through exchanges and an NFT marketplace, then spent on a luxury car, hotels, jewelry and first-class travel.

The US Department of Justice charged Parks in 2024. The case illustrated that cryptojacking doesn't always require technical sophistication — it can be pure identity fraud at cloud scale.

The lesson: cloud providers are also victims. Billing anomalies and unusual resource provisioning patterns are attack signals, not just operational noise.


The Numbers Behind the Threat

  • 43% of all malware detections globally are cryptominers (Check Point Research, 2021)
  • MyKings botnet: 525,000 infected machines simultaneously. $8,500/day at peak. Ran undetected for three years.
  • WinstarNssMiner: 500,000 Windows PCs infected in exactly 3 days in May 2018
  • WannaMine: used the same EternalBlue exploit as WannaCry — but silently stole CPU instead of encrypting files
  • PowerGhost: fileless malware that lived entirely in RAM — traditional antivirus detected only 8% of variants

How to Detect It

The symptoms are easy to dismiss. That's by design.

On an individual machine:

  • Open Task Manager — any unknown process above 70% CPU for extended periods
  • Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unrecognized entries
  • Audit Windows Defender exclusions — legitimate software rarely adds them silently
  • Monitor outbound connections to ports 3333, 4444 and 14444, common mining-pool ports, bearing in mind that pools also listen on 443 and 80 precisely to blend in
  • Fan running constantly, PC slower than usual, electricity bill higher than expected
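A script that checks the three persistence mechanisms from Step 3 at once, as the concrete form of the Run-key and Defender-exclusion items in the list above. This is an added example, not from the original post or CAISD's simulation; it runs on a snapshot dictionary so it works offline, and the sample entries, paths and user name are constructed. On a live host you would fill the same dictionary from reg query, Get-MpPreference and Get-ScheduledTask.

```python
"""Added example: audit Windows autorun persistence (Run key, Defender exclusions, tasks).

Operates on a snapshot dict so it runs anywhere; all sample data is constructed.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_NAMES = {"svchost", "csrss", "lsass", "explorer", "winlogon", "services", "smss", "dwm", "conhost"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROAD_EXCLUSIONS = {"c:", "c:\\users", "c:\\windows\\temp"}   # exclusions too wide to be legitimate


def expand(text, env):
    """Expand %VAR% using the supplied environment rather than os.environ."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def exe_path(command, env):
    """Pull the executable out of an autorun command line (quoted path plus arguments)."""
    command = expand(command, env)
    m = re.match(r'\s*"?([^"]*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command


def in_system_dir(path):
    p = path.lower()
    return p.startswith(SYSTEM_DIRS) or p == "c:\\windows\\explorer.exe"


def user_writable(path, env):
    """True if the path sits under a tree an unprivileged user can write to."""
    p = path.lower()
    roots = [env[k].lower() for k in ("APPDATA", "LOCALAPPDATA", "TEMP") if k in env]
    roots += ["c:\\users\\public", "c:\\programdata"]
    return any(p.startswith(r) for r in roots)


def lookalike(path):
    """svchost32.exe, lsass_.exe and similar names outside the Windows directories."""
    stem = PureWindowsPath(path).stem.lower()
    base = re.sub(r"[\d_-]+$", "", stem)          # svchost32 -> svchost
    return (stem in SYSTEM_NAMES or base in SYSTEM_NAMES) and not in_system_dir(path)


def audit_persistence(snapshot, env):
    """Return (severity, message) findings across all three persistence mechanisms."""
    findings = []
    for name, cmd in snapshot["run_keys"].items():
        exe = exe_path(cmd, env)
        if lookalike(exe):
            findings.append(("HIGH", f"Run '{name}': system-binary lookalike outside Windows: {exe}"))
        elif user_writable(exe, env):
            findings.append(("MEDIUM", f"Run '{name}': autorun from user-writable path: {exe}"))
    for raw in snapshot["defender_exclusions"]:
        path = expand(raw, env)
        if user_writable(path, env) or path.lower().rstrip("\\") in BROAD_EXCLUSIONS:
            findings.append(("HIGH", f"Defender exclusion covers a user-writable tree: {path}"))
    for task in snapshot["scheduled_tasks"]:
        exe = exe_path(task["action"], env)
        if 0 < task["repeat_minutes"] <= 10 and (lookalike(exe) or user_writable(exe, env)):
            findings.append(("HIGH", f"Task '{task['name']}': every {task['repeat_minutes']} min from {exe}"))
    return findings


# Constructed snapshot: two legitimate entries, and the three from Step 3.
ENV = {
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\bob\AppData\Local",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}
SNAPSHOT = {
    "run_keys": {
        "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "WindowsOptimizer": r"%APPDATA%\svchost32.exe",
    },
    "defender_exclusions": [r"C:\Program Files\Hyper-V", r"%APPDATA%"],
    "scheduled_tasks": [
        {"name": "OneDrive Standalone Update", "action": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "repeat_minutes": 0},
        {"name": "WindowsOptimizerWatchdog", "action": r'"%APPDATA%\svchost32.exe" --watchdog', "repeat_minutes": 5},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_persistence(SNAPSHOT, ENV):
        print(severity, message)
```

Note the one false positive in the constructed data: OneDrive really does auto-run from LOCALAPPDATA, so a user-writable path alone only rates MEDIUM. What lifts the svchost32.exe entry to HIGH is the combination: a system-binary name outside the Windows directory, a whole-tree Defender exclusion and a five-minute scheduled task pointing at the same file. On a real host, corroborate with Authenticode signatures before deleting anything.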

On a network or cloud infrastructure:

  • Unexpected spikes in CPU utilization across multiple hosts
  • Outbound traffic to known mining pool domains
  • New or unauthorized scheduled tasks and registry entries
  • Kubernetes or Docker management interfaces exposed without authentication
  • Cloud billing anomalies — unexpected instance types or regions

Tools that actually catch it:
Traditional antivirus catches approximately 8% of fileless cryptominers. You need EDR with behavioral analysis and in-memory scanning — CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint.


The Uncomfortable Truth

Every attack described above shared at least one of three root causes:

  1. Unpatched software. EternalBlue was patched in March 2017; WannaMine was still using it in 2018. MikroTik fixed CVE-2018-14847 in April 2018, months before the router campaign peaked. Most victims hadn't applied either patch.

  2. Misconfigured services — Tesla's Kubernetes had no password. Thousands of Docker daemons had port 2375 open to the world. These weren't sophisticated bypasses. They were open doors.

  3. Trusted third parties — Browsealoud was whitelisted by every security policy on every affected site. No one audited what it was actually doing.

The attackers didn't need zero-days. They needed patience and a scanner.


Conclusion

Cryptojacking persists because it's profitable and nearly invisible. There's no victim notification requirement for a stolen CPU. There's no breach disclosure law for electricity theft. The attack can run for months before anyone notices — and even then, the cause is rarely obvious.

The fan running loud. The slow PC. The higher bill.

These are not IT problems. They are symptoms of an active attack.


CAISD (Cyberscope Advanced Intelligence & Security Division) creates cinematic cybersecurity simulations to make complex attack chains understandable — for security teams, developers, and anyone who uses a computer.

Full simulation of the cryptojacking infection chain: youtube.com/@CAISD_Official
Contact: caisd.ofc@gmail.com
