Coinhive cryptojacker is currently the most prevalent malware online

Cryptojackers are profitable, widespread and can operate under the radar. They also raise a victim's electric bill and clog up their CPU. What's not to like?
salon cryptomining

Welcome to the age of cryptojackers.

The most prevalent malware online today is Coinhive, the popular software often used to hijack computers and mine cryptocurrency, according to new research from the cybersecurity firm Check Point. The scheme is known as cryptomining or, more commonly, cryptojacking.

Cryptocurrency has constantly been in the headlines as prices regularly reach record highs, fueling public interest. High prices and more people involved means the mining process is increasingly difficult, so scammers have turned to cryptojacking in order to make up for lost ground.

“The more CPUs participate in the mining process, the more complicated it becomes to successfully mine the currency,” said Lotem Finkelsteen, Check Point threat intelligence researcher said. “In this way the currency inventors control the amount of currencies circulate into the market. Meaning, one should invest more computational resources to keep or improve his mining ratio he had a month ago. Thus threat actors work to recruit as many CPUs as they can to their mining pools; and why not using random CPUs of website users?”


In much of the world, however, cryptojackers offer better returns than ransomware, because many victims are too poor to pay large ransoms. That’s why poorer countries have been heavily targeted by cryptojacking. As a bonus, the malware can regularly go under the radar and thus operate for long periods.

Behind Coinhive, cryptojacking malware like Cryptoloot and Rocks also saw a huge jump in use in Dec. 2017. All the cryptojackers are performing the same procedure, but have different implementations and dozens of variants.

Hardware and electricity are two of the biggest expenses for cryptocurrency miners. Using cryptojackers, hackers can circumvent those expenses and put them onto unknowing victims instead. Cryptojackers can use 100 percent of a target’s CPU power.

In addition to an expensive electric bill, that can result in overloaded CPUs and crashed processes that terminates whatever the user may be doing in favor of the mining operation that is clogging up the CPU.

Update: A previous version of this article cited Check Point’s statistic that “Some cryptojackers can use up to 65 percent of a target’s CPU power.” The article has been updated to say that crptojackers can and do often use up to 100 percent of a target’s CPU power thanks to a reader pointing out the error.


In response to questions about the CPU usage of cryptojackers, Check Point’s Lotem Finkelsteen said: “We address the Crypto mining threat as a whole.  This means, online miners as well as on memory miner. We should differentiate between them. ‪’On-memory’ miners are crafted to stay persistent on the infected machine, sacrificing the consumed power for a noiseless mining. Where JS miners like CoinHive are designed to exploit as much CPU resources as they can, as long as the web tab is open – with the understanding that mining is short-term and noisy. Here in fact the difference is found.”

Latest Podcasts