SonicWall Capture Labs threat researchers logged 1.06 billion cryptojacking hits in 2023, an unprecedented 659% jump over 2022’s full-year totals. One year after that volume record, Google’s Cybersecurity Action Team reported that 86% of recently compromised Google Cloud instances were used for cryptocurrency mining. The data below maps cryptojacking by the numbers across scale, economics, attack surfaces, defenders, and the regulatory gap that lets the threat persist.
Key Takeaways
- SonicWall recorded 1.06 billion cryptojacking hits in 2023, the largest single-year volume on record and a 659% increase over 2022’s 139.3 million.
- Of 50 recently compromised Google Cloud instances analyzed by Google’s Cybersecurity Action Team, 86% were used for cryptocurrency mining, with miners deployed within 22 seconds in 58% of cases.
- Sysdig’s threat research team found that victims pay $53 in cloud compute for every $1 of cryptocurrency the attacker mines, a 53-to-1 economic asymmetry on stolen cloud infrastructure.
- SentinelOne’s 2026 cybersecurity statistics put cryptojacking incident value at $6.5 million in early 2026, with the anti-cryptojacking solutions market projected to reach $31.8 billion by 2030 at a 10.9% CAGR.
- IBM X-Force documented a 450% surge in cryptojacking over the course of 2018, alongside a 45% decline in ransomware volume during the same period, marking the first major attacker pivot toward stealthier crypto-mining payloads.
Editor’s Choice: Headline Cryptojacking Statistics at a Glance
- 1.06 billion cryptojacking hits recorded by SonicWall Capture Labs in 2023 (up 659% year over year).
- 86% of compromised Google Cloud instances used for cryptocurrency mining, per Google’s Cybersecurity Action Team.
- $53 in victim cloud-compute cost for every $1 of attacker mining profit (Sysdig).
- 450% cryptojacking surge over the course of 2018 (IBM X-Force Threat Intelligence Index 2019).
- $31.8 billion projected anti-cryptojacking solutions market by 2030 (SentinelOne).
Recent Developments
- April 2026: Censys researchers identified more than 1,000 publicly accessible ComfyUI instances at risk from a Python-scanner cryptomining botnet that deployed XMRig and lolMiner across compromised AI-tool deployments.
- April 2026: Cisco Talos’s Q1 2026 IR Trends report named public administration and health care as the most-targeted verticals at 24% of engagements each, with phishing back as the top initial-access vector.
- Early 2026: SentinelOne’s 2026 cybersecurity statistics documented $6.5 million in early-2026 cryptojacking incidents and a $31.8 billion anti-cryptojacking market by 2030.
- February 2026: A wormable XMRig campaign abused the WinRing0x64.sys driver and CVE-2020-14979 for BYOVD privilege escalation, spreading via removable media with a logic bomb keyed to December 23, 2025.
- March 2026: Chainalysis’s 2026 Crypto Crime Report logged at least $154 billion in illicit crypto address inflows for 2025 and a 694% surge in value received by sanctioned entities, framing illicit-mining attribution inside the broader crime taxonomy.
- December 2025: AWS GuardDuty uncovered a cryptomining campaign that used the Docker Hub image yenik65958/secret (over 100,000 pulls) and compromised credentials to deploy miners on EC2 and ECS within 10 minutes of initial access.
Those developments tell us where the threat sits today. The multi-year volume picture sets the stage for how it got here.
Cryptojacking Growth Trends Over the Years (2018-2026)
Annual Cryptojacking Attack Volume by Year
- IBM X-Force tracked a 450% surge in cryptojacking over the course of 2018, paired with a 45% drop in ransomware between Q1 2018 and Q4 2018.
- Malwarebytes Labs reported a 4,000% increase in detections of Android-based cryptojacking malware in the first quarter of 2018, with malicious cryptomining the most common detection type since September 2017.
- SonicWall recorded 139.3 million cryptojacking hits in 2022, the first year the firm ever crossed the 100 million annual threshold; 2023 surpassed that full-year total within its first four months.
- The first half of 2023 alone reached 332.3 million hits, a 399% year-to-date increase; by April, 2023 had already exceeded the entirety of 2022.
- A single month, May 2023, at 77.6 million hits, eclipsed the full-year totals SonicWall recorded in 2018 and in 2019.
- SonicWall’s 2024 Cyber Threat Report closed 2023 at 1.06 billion total hits, a 659% jump above 2022 and the steepest single-year change ever recorded by the firm.
- By early 2026, SentinelOne pegs total cryptojacking incident value at $6.5 million.
Year-Over-Year Growth Rates
The SonicWall series shows the trajectory in stark form: from 139.3 million hits in 2022 to more than 1.06 billion in 2023, a 659% year-over-year gain. The IBM X-Force baseline of a 450% surge over the course of 2018 captures the first major wave. On the SonicWall data series, the 2023 figure is roughly 7.6 times the 2022 volume.
| Year | Recorded Volume | YoY Change | Source |
|---|---|---|---|
| 2018 | +450% surge | n/a (baseline) | IBM X-Force |
| 2022 | 139.3 million hits | First year over 100 million | SonicWall |
| H1 2023 | 332.3 million hits | +399% YTD | SonicWall |
| 2023 (full) | 1.06 billion hits | +659% | SonicWall |
| Early 2026 | $6.5 million in incidents | Cloud-incident metric | SentinelOne |
Source: SonicWall Capture Labs, IBM X-Force Threat Intelligence Index 2019, SentinelOne 2026 cybersecurity statistics
By the numbers: SonicWall logged 139.3 million cryptojacking hits in 2022; one year later that number reached more than 1.06 billion, a 659% jump over 2022’s totals and the steepest single-year change ever recorded by the firm. The 2024-onward picture changes shape because attackers moved off browsers and onto cloud workloads, where the unit of measure is incidents and compute fees rather than browser-tab hits.
Volume tells the scale. The next question is where attacks actually land, and the answer is no longer “in your browser.”
The Cloud Has Become the Primary Cryptojacking Surface
Compromised Cloud Instance Statistics
- Google’s Cybersecurity Action Team analyzed 50 recently compromised GCP instances and found that 86% were used for cryptocurrency mining, with 10% scanning the internet for vulnerable systems and 8% attacking other targets.
- In 58% of those cases, the cryptocurrency mining software was downloaded within 22 seconds of initial compromise, indicating fully scripted attack chains.
- Google’s H2 2025 Cloud Threat Horizons report described cloud environments facing “actors refining tactics for evasion, persistence, and supply chain compromise,” with browser-extension supply-chain risk surfaced as a new vector.
- AWS GuardDuty’s December 2025 disclosure revealed a cryptomining campaign that began on November 2, 2025, and reached operational mining inside cloud workloads within 10 minutes of initial access.
- The AWS campaign relied on the Docker Hub image yenik65958/secret, created October 29, 2025, which had drawn over 100,000 pulls before takedown.
Cross-Cloud Threat Actor Activity (TRIPLESTRENGTH)
- Google attributed cryptojacking activity targeting Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean to a financially motivated threat actor it named TRIPLESTRENGTH.
- TRIPLESTRENGTH gained initial access via stolen credentials and cookies sourced from Raccoon information stealer logs, then created compute resources for mining inside hijacked tenants.
- In some campaigns, the actor invited attacker-controlled accounts as billing contacts on the victim’s cloud project, enabling large compute allocations dedicated to mining.
- Mining was carried out via the unMiner application against the unMineable mining pool, with both CPU- and GPU-optimized algorithms selected per target.
AWS, Azure, and GCP Cryptojacking Incident Patterns
| Cloud Provider | Documented Incident | Year | Source |
|---|---|---|---|
| Google Cloud | 86% of 50 compromised GCP instances mining | 2021 (initial GCAT report) | Google Cybersecurity Action Team |
| AWS | yenik65958/secret Docker image, IAM credential theft, ECS/EC2 targeting | 2025 | AWS Security Blog |
| Azure / Linode / OVH / Digital Ocean | TRIPLESTRENGTH cross-cloud cryptojacking | 2025 | Google Threat Horizons |
| Google Cloud (continuing) | Evasion, persistence, supply-chain compromise patterns | H2 2025 | Google Cloud Office of the CISO |
Source: Google Cybersecurity Action Team, AWS Security Blog, Google Cloud Threat Horizons reports
No single competing roundup stitches the GCP, AWS, and cross-cloud TRIPLESTRENGTH data into one cloud-pivot picture. The data points are public, but read individually they understate how completely the attack surface has migrated. The 86% Google figure comes from a 50-instance sample published in 2021; the AWS and TRIPLESTRENGTH disclosures from late 2025 confirm the pattern at scale on every major hyperscaler. Cloud is where attacks now land. You can also read CoinLaw’s adjacent cloud mining statistics for context on the legitimate cloud-mining economics that illicit operators piggyback on.
Cloud is where attacks land. The next question is who pays, and the math is brutal.
The Asymmetric Economics: Why Victims Pay $53 for Every $1 Mined
The $53-to-$1 Cost Ratio (Sysdig)
- Sysdig’s threat research team published the canonical figure: attackers make $1 for every $53 a victim is billed in cloud-compute fees.
- The TeamTNT case study attributed more than $8,100 worth of cryptocurrency mined on stolen cloud infrastructure, costing victims more than $430,000 in inflated cloud bills.
- Stefano Chierici described the prevalence as attributable to “the low risk and high reward for the perpetrators,” with victims absorbing disproportionate financial harm through inflated cloud infrastructure costs.
- Restated as a margin on owned hardware, the Sysdig ratio implies an attacker margin of roughly -98.1% if the same operation paid retail cloud rates instead of stealing them.
- SentinelOne pegs early-2026 cryptojacking incidents at $6.5 million, a small absolute figure relative to ransomware that masks the much larger victim-side cloud-compute bill underneath.
Per-Incident Cloud Compute Fees
- The Sysdig figure of more than $430,000 in victim cost stems from a single threat-actor case study (TeamTNT), against more than $8,100 worth of cryptocurrency mined on the stolen infrastructure.
- AWS noted that the November 2025 campaign reached operational mining within 10 minutes of initial access, compressing the window in which victims accumulate cloud-compute charges before detection.
- SentinelOne reports an average breach dwell time of 277 days in 2026, an interval that, on any cryptojacking workload, extends compute-fee accrual well beyond the initial-access window.
| Cost Line | Attacker Side | Victim Side | Source |
|---|---|---|---|
| Direct mining proceeds | $8,100 in XMR | n/a | Sysdig (TeamTNT) |
| Cloud compute bill | n/a | $430,000 | Sysdig (TeamTNT) |
| Cost-share ratio | $1 | $53 | Sysdig |
| Margin on owned hardware | -98.1% | n/a | Derived |
| Cloud-breach dwell time | 277 days avg | 277 days avg | SentinelOne |
Source: Sysdig Threat Report, SentinelOne cybersecurity statistics, derived calculation
Why it matters: Sysdig’s research found that for every $1 a cryptojacker mines on stolen cloud infrastructure, the victim absorbs $53 in compute cost. Restated as margin on owned hardware, the figure lands at -98.1%, the structural reason every documented operation reviewed here depends on someone else’s compute.
Cryptojacking vs Ransomware: Stickiness Anchor Comparison
| Dimension | Cryptojacking | Ransomware |
|---|---|---|
| Detection difficulty | High (multi-month dwell common) | Low (encryption is overt) |
| Attacker payout (per incident) | $1 mined per $53 victim cost | Ransom demand often six- to seven-figure |
| Victim cost (per incident) | $53 in cloud bill per $1 mined; $300,000-plus per incident reported by Microsoft analysis | Ransom payment plus recovery costs |
| Dwell time | Multi-month, often >270 days | Days to weeks pre-detonation |
| Regulatory enforcement | Almost no DOJ/OFAC cryptojacking-specific actions | Active OFAC sanctions, DOJ takedowns, CISA advisories |
| 2024-2026 volume | 1.06 billion SonicWall hits (2023); $6.5 million incident value (early 2026) | $820 million ransomware payments (Chainalysis 2025) |
Source: Sysdig, SonicWall, SentinelOne, Chainalysis 2026 Crypto Crime Report
For a deeper read on how the parallel attack market is sized, see CoinLaw’s cryptocurrency security and fraud statistics and the broader crypto exchange hacks and security statistics database.
If the economics are this asymmetric, attackers need reliable on-ramps. The next section catalogs how they get in.
Most Common Cryptojacking Attack Vectors
Compromised IAM Credentials and Cloud Console Access
- AWS GuardDuty’s December 2025 disclosure described an ongoing November 2025 cryptocurrency mining campaign that targeted Amazon ECS and Amazon EC2 resources, with miners operational within 10 minutes of initial access.
- TRIPLESTRENGTH gained initial access to cloud tenants via credentials and cookies harvested from Raccoon information stealer infection logs.
- SentinelOne reports that 70% of cloud breaches in 2026 originate from compromised identities rather than software flaws, with human error and misconfigurations driving 95% of cloud security failures.
Exposed Docker APIs and Container Misconfigurations
- The AWS campaign used the Docker Hub image yenik65958/secret, created October 29, 2025, with over 100,000 pulls before takedown, deploying miners to containerized environments.
- The April 2026 ComfyUI campaign exploited custom-node configurations that “accept raw Python code as input and run it directly without requiring any authentication,” compromising more than 1,000 publicly accessible ComfyUI instances.
Supply-Chain Attacks (PyPI, npm, Docker Hub)
- The yenik65958/secret image is a Docker Hub supply-chain example, with 100,000-plus pulls before detection.
- The ComfyUI variant codenamed GHOST v6.0 – Domination Edition added Docker API and Redis-server propagation, extending the supply-chain blast radius beyond the initial scanner.
SSH Brute-Force and BYOVD Driver Exploits
- The February 2026 wormable XMRig campaign exploited WinRing0x64.sys via CVE-2020-14979 for BYOVD privilege escalation, with the malware spreading through removable media in a worm-like fashion.
- The same campaign embedded a logic bomb keyed to December 23, 2025, triggering either installation or controlled decommissioning depending on the host’s clock.
| Vector | Documented Campaign | Year | Frequency Indicator |
|---|---|---|---|
| Compromised credentials | AWS Nov 2025 GuardDuty case | 2025 | Primary cloud entry |
| Stealer-log credential abuse | TRIPLESTRENGTH (Raccoon stealer) | 2025 | Cross-cloud |
| Docker Hub supply chain | yenik65958/secret image | 2025 | 100,000+ pulls |
| AI-tool misconfiguration | ComfyUI custom-node Python eval | April 2026 | 1,000+ instances |
| BYOVD driver abuse | Wormable XMRig (WinRing0x64.sys) | February 2026 | 90+ hosts |
| Removable media propagation | Wormable XMRig | February 2026 | Worm pattern |
Source: AWS Security Blog, Google Threat Horizons, The Hacker News (Censys / research-firm primaries)
Vectors describe how attackers get in. The malware they drop tells how they stay.
Cryptojacking Malware Families and Types
XMRig and Its Forks
- The April 2026 ComfyUI botnet deployed XMRig to mine Monero alongside lolMiner for Conflux on the same compromised hosts.
- The February 2026 wormable cryptojacking campaign packaged XMRig with the WinRing0x64.sys BYOVD driver, optimizing RandomX hashrate through kernel-level exploitation.
- Cisco Talos research, cited by AFERM, observed that the top Monero cryptojacking operations were generating six figures a year, although currency-value fluctuation altered the headline economics over time.
Botnet-Style Mining Malware (Sysrv, Lemon_Duck, MyKings, Kinsing)
- Malwarebytes’ 2021 State of Malware Report named BitCoinMiner the top business threat for Windows endpoints, with Mac consumers seeing rising cryptocurrency stealer/miner detections.
- The TRIPLESTRENGTH cross-cloud campaign deployed botnet-style mining via the unMiner client tied to the unMineable pool, switching between CPU- and GPU-optimized algorithms per target.
Containerized and Cloud-Native Miners (Kiss-a-Dog, RedTail, Kinsing)
- The ComfyUI campaign incorporated compromised hosts into a Hysteria V2 botnet managed via a Flask-based command-and-control dashboard, with sandbox detection, process hiding, and lateral movement built in.
- A newer ComfyUI variant codenamed GHOST v6.0 – Domination Edition added Docker API and Redis-server spread, packaging container-aware persistence into the same cryptojacking payload.
| Family | First Observed | Targets | Notable Variant | Source |
|---|---|---|---|---|
| XMRig | 2017 (open source) | Windows / Linux / cloud | Wormable XMRig (Feb 2026) | The Hacker News |
| BitCoinMiner | Pre-2021 | Windows business | Top business threat 2021 | Malwarebytes |
| unMiner / unMineable | 2024-2025 | Cross-cloud | TRIPLESTRENGTH | Google Threat Horizons |
| lolMiner (Conflux) | 2026 | AI-tool hosts | ComfyUI variant | The Hacker News |
| Hysteria V2 botnet | 2026 | AI-tool hosts | GHOST v6.0 | The Hacker News |
Source: The Hacker News (research-firm primaries), Malwarebytes, Google Cloud Threat Horizons, Cisco Talos via AFERM
Key finding: XMRig has appeared in many documented cryptojacking campaigns from 2024 onward, including the Wormable XMRig and ComfyUI botnet examples covered above. Open-source licensing, Monero-native code paths, and aggressive CPU-throttling controls explain why XMRig keeps reappearing.
Knowing which malware runs is half the puzzle. The other half is why it goes unnoticed for months at a time.
Why Cryptojacking Is Hard to Detect
Anti-Analysis: Mining Halts When Task Manager Opens
The detection challenge is rarely about signatures. Modern cryptojacking malware is designed to disappear the moment a user investigates.
“What surprises most users is that cryptojacking malware actively watches for Task Manager – the moment you open it, mining stops and the process disappears. That is why standard Windows tools miss these infections for months.” – MalwareFox Threat Research Team
CPU-Throttling and Idle-Time Mining
- Malwarebytes’ guidance lists slower performance, overheating, loud or constantly running fans, increased battery drain, and higher electricity usage as the primary cryptojacking warning signs visible to end users.
- Cryptojacking does not just slow devices; it shortens hardware lifespan, increases energy costs, and makes systems unstable while attackers profit, per the Malwarebytes overview.
- SentinelOne notes a 2026 average breach dwell time of 277 days, an interval that materially extends compute-fee accrual on any cryptojacking workload that goes undetected.
Fileless Techniques and Living-off-the-Land Binaries
- IBM X-Force found that more than half (57%) of cyberattacks observed by X-Force IRIS over the course of 2018 did not leverage malware, instead using nonmalicious tools like PowerShell and PsExec to “live off the land.”
- The February 2026 wormable XMRig campaign combined social engineering, legitimate-software masquerades, worm-like propagation, and kernel-level exploitation in a single commodity-malware package.
Detection difficulty is universal. Targeting is not. The next question is who actually gets hit.
Industry and Regional Cryptojacking Breakdown
Industries Most Targeted by Cryptojacking
- Cisco Talos’s Q1 2026 IR Trends report named public administration and health care as the most-targeted verticals at 24% of engagements each; for the third consecutive quarter, public administration topped the list.
- Talos attributed public-sector targeting to underfunding and legacy equipment, conditions that translate directly into long mining-payload dwell times.
- SentinelOne expects the BFSI sector to record the highest growth in cryptojacking incidents through 2026, citing financial-services workload value as the attractor for attackers.
- 88% of companies will operate in multi-cloud and hybrid environments in 2026, per SentinelOne, expanding the cryptojacking attack surface across multiple control planes.
Regional Cryptojacking Surges
- SonicWall’s first-half 2023 data showed a 345% increase in cryptojacking volume in North America and a 788% surge in Europe over 2022’s first-half totals.
- Cryptojacking volume in May 2023 alone (77.6 million hits) eclipsed the full-year totals SonicWall recorded in 2018 and in 2019.
- SentinelOne’s 2026 data shows weekly average cyber attacks in India hit 3,195 per organization in early 2026, 62% higher than the global average, putting Indian cloud tenants squarely in cryptojackers’ line of sight.
SMBs vs Enterprise Targeting Patterns
- SentinelOne flags BFSI as the highest-growth target sector for cryptojacking incidents through 2026.
- The TRIPLESTRENGTH cross-cloud campaign advertised access to compromised hosts that included hosting providers and cloud platforms.
| Industry | Incident-Share % | Year | Source |
|---|---|---|---|
| Public administration | 24% of engagements | Q1 2026 | Cisco Talos IR Trends |
| Health care | 24% of engagements | Q1 2026 | Cisco Talos IR Trends |
| BFSI (financial services) | Highest growth (forecast) | 2026 | SentinelOne |
| Cloud-native dev orgs | Cross-cloud TRIPLESTRENGTH targeting | 2024-2025 | Google Threat Horizons |
Source: Cisco Talos, SentinelOne, Google Cloud Threat Horizons
Knowing where attacks land is one thing. Knowing who pulls them off, by name, is the next step. CoinLaw’s crypto mining profitability statistics provide the licit-side comparison: when mining margins compress on retail hardware, illicit operators shift onto stolen compute, which is exactly the cryptojacking pattern in the next section.
Notable Cryptojacking Incidents and Case Studies (2024-2026)
TRIPLESTRENGTH (Cross-Cloud Cryptojacking + Ransomware Hybrid)
- Google’s 11th Threat Horizons Report identified TRIPLESTRENGTH as a financially motivated actor running a “trifecta” of cryptojacking, ransomware, and access reselling across six cloud platforms (GCP, AWS, Azure, Linode, OVHCloud, Digital Ocean).
- TRIPLESTRENGTH’s ransomware deployments target on-premises hosts while cryptojacking activity stays inside cloud tenants.
- Google attributed the activity to credential abuse and stolen-cookie pathways sourced from infostealer logs, with hijacked tenants used to spin up compute resources for mining.
AWS GuardDuty November 2025 Cryptomining Campaign
- AWS observed initial access on November 2, 2025, followed by miner deployment within 10 minutes across both ECS and EC2 environments.
- The threat actor used ModifyInstanceAttribute across all launched EC2 instances to disable API termination, complicating incident response and disrupting automated remediation controls.
- The campaign’s reconnaissance pattern relied on service-quota checks and DryRun flag permission validation before deploying mining infrastructure.
ComfyUI Botnet (April 2026, 1,000-plus Instances)
- Censys researchers identified more than 1,000 publicly accessible ComfyUI instances at risk from a Python-scanner-driven cryptojacking campaign.
- Compromised hosts ran XMRig (Monero) and lolMiner (Conflux), enrolled into a Hysteria V2 botnet managed by a Flask-based C2 dashboard.
- A successor variant, GHOST v6.0 – Domination Edition, added propagation via Docker APIs and Redis servers, broadening the attack from AI workloads to general container infrastructure.
Wormable XMRig BYOVD Campaign (February 2026)
- The wormable XMRig campaign used pirated software bundles as initial entry points, with the malware acting as “a self-contained carrier for payloads” and switching modes via command-line arguments.
- The driver WinRing0x64.sys was loaded to exploit CVE-2020-14979 for privilege escalation, boosting RandomX hashrate through kernel-level access.
- Mining activity ran sporadically through November 2025 and spiked on December 8, 2025, with the December 23 logic-bomb date controlling installation or shutdown decisions.
| Campaign | Year | Mechanism | Scale Indicator | Source |
|---|---|---|---|---|
| TRIPLESTRENGTH | 2024-2025 | Cross-cloud credential abuse + unMiner | 6 cloud platforms | Google Threat Horizons |
| AWS Nov 2025 | November 2025 | IAM theft + Docker Hub image | over 100,000 pulls; 10-min deploy | AWS Security Blog |
| ComfyUI Botnet | April 2026 | Python-scanner + custom node Python eval | 1,000+ exposed instances | The Hacker News |
| Wormable XMRig | February 2026 | BYOVD + USB worm + logic bomb | 90+ hosts; Dec 23 trigger | The Hacker News |
Source: Google Cloud Threat Horizons, AWS Security Blog, The Hacker News (Censys / research-firm primaries)
Today’s campaigns target cloud and containers. Cryptojacking did not start there. Browser-based mining had its own boom and bust.
Browser Cryptojacking: From Coinhive to Today
- Malwarebytes Labs documented a 4,000% increase in detections of Android-based cryptojacking malware in Q1 2018, with malicious cryptomining a dominant detection category since 2017.
- IBM X-Force documented a 450% surge in cryptojacking over the course of 2018, the headline figure from its 2019 Threat Intelligence Index.
- Malwarebytes describes cryptojacking as an online threat that hides on a computer or mobile device and uses the machine’s resources to mine cryptocurrencies in the background, with the most common warning signs being slower performance and overheating.
- As of the 2021 State of Malware Report, BitCoinMiner remained the top malware detection for Windows endpoints, suggesting browser-era families simply migrated to compiled-binary equivalents.
Why Browser Cryptojacking Faded
Malwarebytes describes cryptojacking as a hidden online threat that uses a victim’s machine resources to mine cryptocurrency in the background, with attackers profiting while the host’s hardware lifespan, energy costs, and stability suffer. The shift maps to two structural changes: Monero’s network adjustments that limited browser-mining yield, and the much higher per-incident yield available on cloud workloads. Browser mining was a volume business; cloud mining is a unit-economics business.
Browsers were the past. The present and future run on Monero. Here is why.
The Monero Connection: Why XMR Dominates Cryptojacking Payouts
Privacy Coin Economics and Cryptojacker Cash-Out
- Cisco Talos research, cited by AFERM, found that the top Monero cryptojacking operations were generating six figures a year at the time of the original reporting.
- The February 2026 wormable XMRig campaign used the BYOVD driver to boost RandomX hashrate performance, the CPU-mining algorithm core to the campaign’s stolen-compute yield.
- The April 2026 ComfyUI campaign used XMRig for Monero alongside lolMiner for Conflux on the same compromised hosts.
Monero Mining Difficulty and Exchange Liquidity
- Chainalysis’s 2026 Crypto Crime Report documented total illicit-address inflows of at least $154 billion in 2025, with stablecoins making up 84% of illicit volume; cryptojacking and illicit-mining attribution falls into the broader sanctions and stolen-funds tranches rather than a separate line item.
- Despite record illicit volumes, illicit transactions still represent less than 1% of overall crypto transaction volume per Chainalysis, framing cryptojacking as a small-share crime by dollar volume despite its operational ubiquity.
Exchange Delistings and the XMR Liquidity Question
- TRIPLESTRENGTH carried out mining via the unMiner application against the unMineable mining pool.
- Cisco Talos’s six-figure earnings finding pre-dated the major exchange-delisting wave; AFERM’s reframing notes that currency-value fluctuation has materially altered the headline economics over time.
| Monero Metric | Value / Indicator | Date | Source |
|---|---|---|---|
| Top operator earnings | Six figures per year | Original Talos research | Cisco Talos via AFERM |
| Cryptojacking pool example | unMineable (multi-coin payout) | 2024-2025 | Google Threat Horizons |
| Mining algorithm | RandomX (CPU-optimized) | Ongoing | The Hacker News |
| Illicit crypto total (context) | $154 billion in 2025 | 2025 (full year) | Chainalysis |
| Illicit share of crypto volume | <1% | 2025 | Chainalysis |
Source: Cisco Talos via AFERM, Google Cloud Threat Horizons, The Hacker News, Chainalysis 2026 Crypto Crime Report
For a broader Monero ecosystem context, CoinLaw’s Monero statistics cover hashrate, exchange liquidity, and the privacy-coin landscape that shapes cryptojacker cash-out. The parallel Bitcoin statistics coverage explains why XMR-vs-BTC algorithm differences keep drawing cryptojackers to Monero specifically.
Worth noting: Chainalysis’s 2026 framing places illicit-mining attribution inside the broader illicit-volume tranche of at least $154 billion for 2025 rather than calling cryptojacking out as a separate line item. That structural blending is one reason XMR and cryptojacking remain paired in security reporting.
Monero economics explain the supply side. The demand side, detection, is where defenders intervene.
Cryptojacking Symptoms and Detection Indicators by the Numbers
Performance and Thermal Symptoms
- Malwarebytes lists slower performance, overheating, loud or constantly running fans, increased battery drain, and higher electricity usage as the primary end-user warning signs of cryptojacking.
- Malwarebytes describes cryptojacking as an online threat that hides on a computer or mobile device and uses the machine’s resources to mine cryptocurrency in the background.
Network and Process Indicators
- Cloud-side detection signals from the TRIPLESTRENGTH disclosure include the invitation of attacker-controlled accounts as billing contacts on victim cloud projects and unusual use of highly privileged accounts to set up large compute resources.
- AWS GuardDuty’s case study shows that DryRun-flag permission validation preceded actual mining deployment, giving defenders a behavioral signal in CloudTrail before compute was committed.
- SentinelOne’s 277-day average breach dwell time in 2026 means most cryptojacking detections happen well after the compute fees have already accrued.
Tools That Detect Cryptojacking on Endpoints and Cloud
- Amazon GuardDuty is the cloud-side detection layer that surfaced the November 2025 campaign, alongside AWS’s automated security monitoring systems.
- Endpoint detection options for consumer and SMB tenants include Malwarebytes, Microsoft Defender, and MalwareFox, each focused on real-time behavior monitoring rather than signature-only protection.
| Symptom or Indicator | Typical Threshold | Detection Layer | Source |
|---|---|---|---|
| Sustained CPU usage on idle hosts | 30-50% baseline drift | Endpoint EDR | Malwarebytes guidance |
| Outbound DNS to mining-pool domains | Any non-standard pool query | Network / DNS | The Hacker News (campaign analyses) |
| Unusual billing-contact invitations | Any new external contact | Cloud audit logs | Google Threat Horizons |
| ModifyInstanceAttribute on launched EC2 | API termination disabled | CloudTrail | AWS Security Blog |
| Average days-to-detection (cloud breach) | 277 days (2026) | All layers | SentinelOne |
Source: Malwarebytes, Google Cloud Threat Horizons, AWS Security Blog, SentinelOne, The Hacker News
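One way to turn the CloudTrail signals listed above (DryRun permission probes and service-quota checks preceding RunInstances, then ModifyInstanceAttribute disabling API termination) into detection logic, as an added example that is not part of the AWS disclosure or this report; the events, account ID, principal ARNs and instance IDs are constructed, and the 15-minute correlation window is an assumption.

```python
"""Behavioral triage of CloudTrail events for the recon-then-mine pattern:
DryRun permission probes and service-quota checks, then a real RunInstances,
then ModifyInstanceAttribute turning on termination protection for the new
instances. Every event below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real EC2 error code CloudTrail records when a call was made with DryRun=true
# and would have succeeded: the caller was checking permissions, not acting.
DRY_RUN_ERROR = "Client.DryRunOperation"
# Assumption: probes within this long before a launch belong to the same chain.
PROBE_WINDOW = timedelta(minutes=15)

ATTACKER = "arn:aws:iam::111122223333:user/ci-deploy"              # constructed
BENIGN = "arn:aws:sts::111122223333:assumed-role/AutoScaling/asg"  # constructed
EC2, SQ = "ec2.amazonaws.com", "servicequotas.amazonaws.com"


def ev(t, source, name, who, error=None, params=None, resp=None):
    """Build a trimmed CloudTrail record holding only the fields the rules read."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": who}, "errorCode": error,
            "requestParameters": params or {}, "responseElements": resp or {}}


SAMPLE_EVENTS = [
    # Ordinary autoscaling launch and a resize: no probes, no termination lock.
    ev("2025-11-02T09:15:00Z", EC2, "RunInstances", BENIGN,
       resp={"instancesSet": {"items": [{"instanceId": "i-0benign000000001"}]}}),
    ev("2025-11-02T09:15:30Z", EC2, "ModifyInstanceAttribute", BENIGN,
       params={"instanceId": "i-0benign000000001", "instanceType": {"value": "t3.large"}}),
    # Reconnaissance with a stolen key: quota check, then two DryRun probes.
    ev("2025-11-02T10:00:05Z", SQ, "GetServiceQuota", ATTACKER, params={"serviceCode": "ec2"}),
    ev("2025-11-02T10:00:20Z", EC2, "RunInstances", ATTACKER, error=DRY_RUN_ERROR),
    ev("2025-11-02T10:00:31Z", EC2, "CreateSecurityGroup", ATTACKER, error=DRY_RUN_ERROR),
    # Real launch three minutes later, then termination protection on each host.
    ev("2025-11-02T10:03:10Z", EC2, "RunInstances", ATTACKER,
       resp={"instancesSet": {"items": [{"instanceId": "i-0feedfacecafe1111"},
                                        {"instanceId": "i-0feedfacecafe2222"}]}}),
    ev("2025-11-02T10:03:40Z", EC2, "ModifyInstanceAttribute", ATTACKER,
       params={"instanceId": "i-0feedfacecafe1111", "disableApiTermination": {"value": True}}),
    ev("2025-11-02T10:03:41Z", EC2, "ModifyInstanceAttribute", ATTACKER,
       params={"instanceId": "i-0feedfacecafe2222", "disableApiTermination": {"value": True}}),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_termination_protection(events):
    """Rule 1: successful ModifyInstanceAttribute that sets disableApiTermination.
    CloudTrail logs the attribute as {"value": true}; a bare bool is accepted too.
    Returns [(principal_arn, instance_id), ...] in log order."""
    hits = []
    for e in events:
        if e["eventName"] != "ModifyInstanceAttribute" or e["errorCode"]:
            continue
        attr = e["requestParameters"].get("disableApiTermination")
        value = attr.get("value") if isinstance(attr, dict) else attr
        if value is True:
            hits.append((e["userIdentity"]["arn"], e["requestParameters"]["instanceId"]))
    return hits


def find_recon_to_launch(events, window=PROBE_WINDOW):
    """Rule 2: a successful RunInstances preceded, by the same principal and
    within `window`, by DryRun probes or service-quota checks.
    Returns a list of finding dicts; launches with no prior recon are ignored."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_principal[e["userIdentity"]["arn"]].append(e)
    findings = []
    for arn, evs in by_principal.items():
        for i, e in enumerate(evs):
            if e["eventName"] != "RunInstances" or e["errorCode"]:
                continue
            prior = [p for p in evs[:i] if _ts(e) - _ts(p) <= window]
            probes = sum(p["errorCode"] == DRY_RUN_ERROR for p in prior)
            quotas = sum(p["eventSource"] == SQ for p in prior)
            if probes or quotas:
                items = e["responseElements"].get("instancesSet", {}).get("items", [])
                findings.append({"principal": arn, "launch": e["eventTime"],
                                 "dry_run_probes": probes, "quota_checks": quotas,
                                 "instances": [it["instanceId"] for it in items]})
    return findings


def triage(events):
    """Run both rules and return uniform findings (rule, principal, detail)."""
    out = [{"rule": "termination-protection", "principal": arn, "detail": iid}
           for arn, iid in find_termination_protection(events)]
    out += [{"rule": "recon-then-launch", "principal": fd["principal"],
             "detail": f"{fd['dry_run_probes']} DryRun probes, {fd['quota_checks']} quota "
                       f"checks, launched {fd['instances']}"} for fd in find_recon_to_launch(events)]
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['principal']}: {finding['detail']}")
```

The benign autoscaling launch produces no finding because nothing probed ahead of it, while the stolen-key chain yields three: two termination locks and one recon-then-launch correlation.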
Knowing what to watch for is the first defense. The second is knowing which controls actually reduce risk, by how much.
Prevention Controls and Their Measured Effectiveness
Identity and Access Controls (MFA, IAM Least Privilege)
- SentinelOne notes that 70% of cloud breaches in 2026 stem from compromised identities, making identity controls the single highest-leverage cryptojacking prevention layer.
- Google attributed TRIPLESTRENGTH access to stolen credentials and cookies harvested from Raccoon information stealer logs, making credential hygiene the structural lever for this class of campaign.
- The AWS November 2025 campaign used ModifyInstanceAttribute across all launched EC2 instances to disable API termination; least-privilege IAM scoping limits the blast radius of compromised credentials by constraining what API calls an attacker can make.
Container and Cloud Workload Hardening
- Google Cloud’s H2 2025 Threat Horizons recommends defense-in-depth, emphasizing identity segmentation, IAM least-privilege, and continuous validation of credentials and access patterns for cloud-native cryptojacking exposure.
- The Docker Hub vector demonstrated by the yenik65958/secret image, with 100,000-plus pulls before detection, is the supply-chain entry point AWS surfaced in its November 2025 disclosure.
Endpoint, Network, and Email Defenses
- Malwarebytes recommends real-time protection that blocks malicious scripts, infected websites, and malware before cryptojacking starts rather than after damage is done, since hidden CPU drain accumulates cost regardless of detection lag.
- Cisco Talos’s Q1 2026 IR Trends report flagged phishing as the most observed initial-access vector across all engagements, accounting for over a third of cases where initial access could be determined; email controls correspondingly reduce the supply of compromised credentials feeding cryptojacking campaigns.
| Control | Reduces Which Vector | Effectiveness Indicator | Source |
|---|---|---|---|
| MFA | IAM credential theft | Direct mitigation of TRIPLESTRENGTH-style entry | Google Threat Horizons |
| IAM least-privilege | Lateral movement post-compromise | Limits blast radius even after credential leak | AWS Security Blog |
| Container image signing | Supply-chain (Docker Hub, PyPI, npm) | Defends against yenik65958/secret-style entry | AWS Security Blog |
| Egress filtering / DNS sinkholing | Mining-pool callbacks | High-signal behavioral detection | The Hacker News campaign analyses |
| Email phishing controls | Initial-access supply | Q1 2026 phishing back as top vector | Cisco Talos IR Trends |
| Real-time endpoint protection | Browser drive-by + binary | Pre-execution blocking | Malwarebytes |
Source: Google Cloud Threat Horizons, AWS Security Blog, Cisco Talos, Malwarebytes
Controls work, but defenders also need vendors. The market for anti-cryptojacking tooling has grown into the billions.
The Anti-Cryptojacking Solutions Market
Market Sizing and Growth Forecasts
- SentinelOne projects the anti-cryptojacking solutions market at $31.8 billion, with a 10.9% CAGR, driven by BFSI and other high-value cloud-tenant verticals.
- SentinelOne estimates $6.5 million in cryptojacking incident value in early 2026; the market sizing dwarfs the current incident value because anti-cryptojacking tooling overlaps with broader cloud-security and EDR purchases.
- Global cybersecurity spending will reach $240 billion in 2026, per SentinelOne, a 12.5% YoY hike that absorbs anti-cryptojacking budgets inside larger cloud-security and EDR line items.
Vendor Landscape: Consumer, SMB, and Enterprise Tiers
The vendor landscape splits cleanly across three tiers:
- Consumer / SMB tier: Malwarebytes (consumer + SMB EDR), MalwareFox (consumer + SMB anti-malware focused on real-time behavioral detection), and Microsoft Defender (built-in Windows protection) cover endpoint cryptojacking detection, where browser-era and BitcoinMiner-style threats still surface.
- Enterprise/cloud tier: AWS GuardDuty Extended Threat Detection, Microsoft Defender for Cloud, and Sysdig Secure cover cloud-native cryptojacking with CloudTrail and Kubernetes runtime detection.
- Detection-approach shift: Signature-based detection has given way to behavioral and ML-driven approaches; the Sysdig press release framing the 99% ML-detection precision figure illustrates the direction the cloud tier is moving.
| Vendor | Tier | Detection Approach | Source |
|---|---|---|---|
| Malwarebytes | Consumer / SMB | Real-time behavioral protection | Malwarebytes guidance |
| MalwareFox | Consumer / SMB | Real-time anti-malware monitoring | MalwareFox |
| Microsoft Defender | Consumer (built-in) + Enterprise (Defender for Cloud) | Behavioral + signature | Microsoft platform |
| AWS GuardDuty | Enterprise / cloud | Behavioral + threat-intel feeds | AWS Security Blog |
| Sysdig Secure | Enterprise / cloud | ML + runtime container | Sysdig press release |
Source: SentinelOne 2026 statistics, AWS Security Blog, Sysdig press release, vendor public pages
For a broader context on what’s driving cybersecurity spend across CoinLaw’s coverage, see cybersecurity in cryptocurrency statistics.
Defense vendors monetize the threat. Another cost the market ignores is the energy stolen from victims to power the mining itself.
The Energy and Environmental Cost of Stolen Compute
Per-Transaction Electricity Burden
- The U.S. Energy Information Administration estimates that annual electricity use from cryptocurrency mining represents 0.6% to 2.3% of U.S. electricity consumption, or roughly 25 to 91 terawatt-hours per year.
- Of 137 identified U.S. cryptocurrency mining facilities, 101 have measurable maximum electricity usage totaling 10,275 megawatts, a 2.3% share of average annual U.S. power demand.
- At an assumed 80% utilization, U.S. crypto-mining facility capacity translates to roughly 70 terawatt-hours per year, equal to the annual demand of more than three million to six million U.S. homes.
- Malwarebytes notes that, before China shut down cryptocurrency farms, monthly electrical bills at large licit operations reportedly reached $80,000, illustrating how much retail electricity costs cryptojackers shift onto victims when they piggyback on infrastructure built for licit miners.
Aggregate Carbon Cost Estimates
- Kaspersky reported that, by foiling cryptojacking attempts, the firm’s software prevented up to 3,000 tons of carbon from being emitted in a year, equivalent to the annual carbon output of over 650 vehicles.
- Kaspersky frames cryptojacking’s environmental consequences inside corporate social responsibility strategy, noting the threat’s high energy consumption is itself a motivation for prevention beyond financial cost.
Residential vs Commercial Electricity Rates
- Cryptocurrency mining facilities frequently run at less than their maximum designed capacity, the EIA reports.
- The low end of the EIA range (about 25 terawatt-hours) would equal the annual electricity usage of entire states such as Utah and West Virginia.
| Metric | Value | Source |
|---|---|---|
| US crypto-mining share of total electricity | 0.6% to 2.3% | EIA |
| US crypto-mining annual electricity range | 25 to 91 TWh | EIA |
| Identified US crypto-mining facilities | 137 (101 measurable) | EIA |
| Measurable facility capacity | 10,275 MW | EIA |
| Equivalent home count | More than 3 million to 6 million | EIA |
| Carbon prevented by cryptojacking blocks | Up to 3,000 tons CO2/year | Kaspersky |
| Vehicle-equivalent emission offset | Over 650 vehicles | Kaspersky |
Source: U.S. Energy Information Administration, Kaspersky
By the numbers: The EIA puts U.S. cryptocurrency mining at 0.6% to 2.3% of national electricity, or 25 to 91 terawatthours annually, equal to between three and six million U.S. homes. Kaspersky’s anti-cryptojacking blocking prevented up to 3,000 tons of CO2 emissions per year, the equivalent of taking more than 650 vehicles off the road.
Stolen electricity is a real cost. Yet enforcement against cryptojacking has barely registered next to the action against ransomware.
Cryptojacking and Cybercrime Enforcement: The Asymmetry Problem
Why DOJ and OFAC Cases Skew Toward Ransomware
- The November 2025 Scam Center Strike Force announced major DOJ and OFAC actions against Southeast Asian scam-center networks, with charges, civil forfeiture, and sanctions targeting Prince Group and other organized criminal enterprises running cryptocurrency-based pig-butchering operations.
- The DOJ press release explicitly notes that none of the actions announced specifically charge cryptojacking conduct; the cases focus on investment-fraud scam centers, money laundering, and human trafficking.
- Chainalysis’s 2026 Crypto Crime Report shows where enforcement attention has gone: $2 billion stolen by DPRK-linked hackers (including the nearly $1.5 billion Bybit exploit), roughly $820 million in ransomware payments, and a 694% surge in sanctioned-entity flows tracked through CoinLaw’s Chainalysis crypto-crime context hub.
Jurisdictional and Privacy-Coin Barriers
- Cryptojacking operations like TRIPLESTRENGTH advertise access to compromised hosts and operate across multiple jurisdictions, complicating coordinated enforcement; the actor combines cryptojacking activity with on-premises ransomware deployments.
- Chainalysis’s framing notes that stablecoins now account for 84% of all illicit transaction volume, with crypto-crime “industrialized” into supply chains that include specialized laundering services; cryptojacking proceeds disappear into that infrastructure.
Where Cryptojacking Sits in Chainalysis Crypto-Crime Reporting
- Despite record illicit volumes, illicit transactions still represent less than 1% of overall crypto transaction volume per Chainalysis; cryptojacking attribution is folded into the sanctions and stolen-funds tranches rather than broken out separately.
- Chainalysis describes the 2025 illicit-flow surge as driven primarily by nation-state actors, with Russia’s A7A5 stablecoin alone processing at least $93.3 billion in less than a year, putting cryptojacking proceeds in the same on-chain infrastructure as sanctions evasion.
| Action | Year | Targeted Crime | Source |
|---|---|---|---|
| Scam Center Strike Force (DOJ/OFAC) | November 2025 | Pig-butchering, money laundering, human trafficking (not cryptojacking) | DOJ press release |
| OFAC Prince Group designation | November 2025 | Scam-center networks | DOJ press release |
| DPRK-linked $2 billion in stolen crypto | 2025 | Theft / exchange exploits (not cryptojacking) | Chainalysis |
| Russia A7A5 stablecoin flows | 2025 | Sanctions evasion | Chainalysis |
Source: U.S. Department of Justice, Chainalysis 2026 Crypto Crime Report
The takeaway: None of the actions DOJ announced in the November 2025 Scam Center Strike Force release specifically charge cryptojacking conduct; the cases focus on investment-fraud scam centers, money laundering, and human trafficking. The asymmetry is structural: Monero is hard to trace, individual victim losses are small, and operators are usually offshore. Cloud tenants cannot wait for enforcement; the controls in the section above are the line of defense.
Frequently Asked Questions (FAQs)
SentinelOne’s 2026 cybersecurity statistics put cryptojacking incident value at $6.5 million in early 2026, with the anti-cryptojacking solutions market projected to reach $31.8 billion. The volume baseline came from SonicWall’s 1.06 billion hits in 2023, a 659% YoY jump that established cryptojacking as a top-tier cloud-tenant threat.
Cryptojacking is the unauthorized use of someone’s computing resources, on a desktop, mobile device, or cloud workload, to mine cryptocurrency in the background, with Monero dominating documented operations per Cisco Talos research cited by AFERM. Attackers deliver mining code via a malicious link or by infecting a website with JavaScript code that auto-executes in the browser, per AFERM, citing Cisco Talos.
Common signs include slower performance, overheating, loud or constantly running fans, increased battery drain, and higher electricity usage, per Malwarebytes guidance. As the MalwareFox Threat Research Team notes, cryptojacking malware actively watches for Task Manager – the moment you open it, mining stops, and the process disappears, which is why standard Windows tools miss these infections for months.
Cisco Talos research, cited by AFERM, found that the top Monero cryptojacking operations were generating six figures a year, although currency-value fluctuation has materially altered the headline economics over time. Chainalysis’s broader 2025 illicit-flow framing places stolen funds and sanctions evasion across the same on-chain infrastructure cryptojackers use to cash out.
Yes, in most jurisdictions, but the November 2025 Scam Center Strike Force release expressly notes that none of the announced DOJ and OFAC actions specifically charge cryptojacking conduct; the cases focus on investment-fraud scam centers, money laundering, and human trafficking. The enforcement gap is structural, not legal.
On the cloud side, identity controls (MFA, IAM least-privilege) address the 70% of breaches from compromised identities per SentinelOne; container image signing closes the Docker Hub supply-chain vector. On endpoints, real-time protection tools (Malwarebytes, Microsoft Defender, MalwareFox) block malicious scripts and malware before cryptojacking starts rather than after damage is done.
Conclusion
The 1.06 billion cryptojacking hits SonicWall recorded in 2023, a 659% YoY jump, set the volume baseline; what changed by 2025-2026 is where the attacks land. Google’s Cybersecurity Action Team analysis found 86% of compromised cloud instances were used for cryptocurrency mining, with miners deployed within 22 seconds in 58% of cases. Sysdig’s $53-to-$1 victim-to-attacker cost ratio explains why every documented operation depends on someone else’s compute. Restated as margin on owned hardware, the ratio implies roughly -98.1%, the structural reason cryptojacking only works on stolen infrastructure. The market response, a $31.8 billion anti-cryptojacking solutions forecast by 2030 at 10.9% CAGR, signals that defenders are catching up at the spending level even as cryptojacking remains structurally underprosecuted.
Cryptojacking persists because three things hold: stolen-resource economics reward the attacker, Monero’s privacy stack obscures the cash-out, and the enforcement vacuum that built up between 2018 and 2025 has not closed. The cloud-tenant burden is real and falls on identity controls, container hygiene, and behavioral detection rather than on regulators. The $53-per-$1 ratio is not just an interesting number; it is the entire reason cryptojacking is a structurally stolen-resource business that nobody can run profitably on hardware they own. Until that changes, the data will keep saying the same thing.