36%
Of cloud compromises result in cryptomining as the attacker's monetization method (Sysdig 2025)
< 2 min
Median time attackers take to begin deploying mining software after gaining initial cloud access
$0.10
Revenue per hour per compromised cloud CPU: low per instance, but attackers run thousands simultaneously
90%+
CPU utilization sustained by XMRig: the most common cryptomining tool: on compromised Linux servers

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Cryptojacking is the most financially straightforward post-compromise activity available to attackers: exploit a vulnerability, deploy XMRig or a similar mining tool, collect Monero. The victim's cloud bill spikes, their applications slow down, and the attacker earns money continuously until detected and evicted.

Detection is achievable because mining software has distinctive behaviors: sustained high CPU utilization, outbound connections to mining pool infrastructure, and specific file and process names that appear in forensics.

Linux Server Detection

Check CPU utilization for sustained high usage:

# Top processes by CPU usage: look for unrecognized processes above 80% CPU
top -bn1 | head -20

# More detailed: show command with arguments
ps aux --sort=-%cpu | head -20

# Check for processes sustaining high CPU for extended periods
sar -P ALL 1 5  # CPU utilization per core: mining pegs individual cores

Search for known mining process names:

# Common cryptominer process names
ps aux | grep -Ei '(xmrig|minergate|cpuminer|ethminer|t-rex|nbminer|gminer|lolminer|nanominer|phoenixminer|claymore)' | grep -v grep

# Search running processes for mining pool connection strings
ls -la /proc/*/exe 2>/dev/null | grep -Ei '(xmrig|miner|kswapd0|kdevtmpfsi)'

Check network connections to mining pools:

# Look for outbound connections to common mining pool ports (3333, 4444, 5555, 7777, 14433, 45700)
ss -tulpn | grep -E ':(3333|4444|5555|7777|14433|45700)'

# Check DNS resolutions for mining pool domains
ss -tulpn | awk '{print $5}' | grep -v '127.0.0.1\|0.0.0.0\|:::' | sort -u

# Check /etc/hosts for mining pool entries or crypto-related entries
cat /etc/hosts | grep -Ev '^#|^$|localhost|127.0.0.1|::1'

Search the filesystem for mining software:

# Find XMRig configuration files
find / -name 'config.json' -newer /etc/passwd 2>/dev/null | xargs grep -l 'pool\|wallet\|xmr\|monero' 2>/dev/null

# Find recently modified or created executables (attackers often drop miners in /tmp, /dev/shm, /var/tmp)
find /tmp /var/tmp /dev/shm /run -type f -executable 2>/dev/null

# Find world-writable executables
find / -type f -perm -o+w -name '*.sh' 2>/dev/null | head -20

Check persistence mechanisms (where attackers hide to survive reboots):

# Cron jobs: mining software often installs cron entries to restart after kill
crontab -l
sudo crontab -l  # Root crontab
ls -la /etc/cron* /var/spool/cron/*

# Systemd services: look for unusual service names
systemctl list-units --type=service | grep -v 'loaded active running'
cat /etc/systemd/system/*.service | grep -E '(ExecStart|WorkingDirectory)' | head -30

# /etc/rc.local or init.d scripts
cat /etc/rc.local 2>/dev/null
ls /etc/init.d/ | grep -v 'default\|README'

AWS EC2 and Cloud Environment Detection

AWS GuardDuty: built-in cryptomining detection:

If GuardDuty is enabled (it should be: see the GuardDuty guide), it automatically detects cryptocurrency mining activity via:

  • CryptoCurrency:EC2/BitcoinTool.B!DNS: DNS queries to cryptocurrency mining domains
  • CryptoCurrency:EC2/BitcoinTool.B: network connections to cryptocurrency mining infrastructure
  • Resource:EC2/PortProbeUnprotectedPort: attackers scanning for exploitable instances to deploy miners
# CLI: Check for GuardDuty cryptomining findings
aws guardduty list-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-criteria '{"Criterion": {"type": {"Equals": ["CryptoCurrency:EC2/BitcoinTool.B!DNS","CryptoCurrency:EC2/BitcoinTool.B"]}}}'

CloudWatch for CPU spikes:

# Find EC2 instances with sustained high CPU in the last 24 hours
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=InstanceId,Value=INSTANCE-ID \
  --start-time $(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
  --period 3600 \
  --statistics Average \
  --output json | jq '.Datapoints[] | select(.Average > 80)'

AWS CloudTrail: detect how the attacker got in: Once a mining instance is identified, CloudTrail shows what API calls preceded the compromise: this tells you the initial access vector (stolen key, public bucket, exposed EC2 metadata service):

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=INSTANCE-ID \
  --start-time $(date -u -d '72 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
  --output json | jq '.Events[] | {EventTime, EventName, Username, SourceIPAddress}'
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Kubernetes Cryptomining Detection

Kubernetes clusters are high-value targets: thousands of CPUs controlled by a single credential compromise or misconfigured API server.

Check for suspicious pods with high resource consumption:

# List all pods with their CPU usage
kubectl top pods --all-namespaces | sort -k4 -rn | head -20

# Look for pods running privileged containers (attacker prerequisite for some mining setups)
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged == true) | {name: .metadata.name, namespace: .metadata.namespace}'

# Check for pods using hostPID or hostNetwork (common in cryptomining malware)
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.hostPID == true or .spec.hostNetwork == true) | {name: .metadata.name, namespace: .metadata.namespace}'

Check recent pod creation events:

# Recent events: look for pods created in unusual namespaces or with unusual names
kubectl get events --all-namespaces --sort-by='.lastTimestamp' | tail -50 | grep -i 'created\|started'

# Check for pods in default namespace (often used by attackers who compromise admin creds)
kubectl get pods -n default

Falco: runtime security for Kubernetes: Falco is an open-source runtime security tool that detects cryptomining-specific behaviors:

  • Execution of xmrig or known miner binaries
  • Outbound connections to known mining pool IPs
  • Container spawning shells (attacker interaction)
# Install Falco via Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --namespace falco --create-namespace

# Check Falco alerts
kubectl logs -n falco -l app=falco | grep -i 'miner\|xmrig\|crypto'

Eradication and Post-Compromise Steps

Do not just kill the process: find and remove persistence:

# 1. Kill the mining process
sudo kill -9 $(pgrep -f xmrig)

# 2. Remove persistence mechanisms
# Remove cron entries
crontab -r  # Root's crontab
sudo crontab -r

# Remove systemd service if installed
sudo systemctl stop miner.service
sudo systemctl disable miner.service
sudo rm /etc/systemd/system/miner.service
sudo systemctl daemon-reload

# 3. Delete the mining binary and config files
sudo rm -rf /tmp/xmrig /dev/shm/xmrig /var/tmp/kdevtmpfsi
sudo find / -name 'config.json' -newer /etc/passwd 2>/dev/null | xargs grep -l 'pool\|wallet' | xargs rm -f

# 4. Remove attacker-created user accounts
cat /etc/passwd | awk -F: '{if ($3 >= 1000 && $3 < 65534) print $1}'
# Review: delete any accounts not created by you
sudo userdel -r suspicioususer

# 5. Remove attacker SSH keys
cat ~/.ssh/authorized_keys  # Review for unauthorized keys
cat /root/.ssh/authorized_keys

After eradication:

  1. Rotate all credentials that could have been compromised (IAM keys, SSH keys, service account passwords)
  2. Identify the initial access vector (the attacker's entry point) and close it: if you do not close the entry point, re-infection is guaranteed
  3. Review cloud spending for the affected period: many cloud providers will negotiate credits for cryptomining incidents when reported promptly
  4. For AWS, open a Support case reporting the incident: AWS has an incident response team that can assist and may provide billing credits

The bottom line

Cryptojacking detection follows three signals: sustained CPU above 90% from an unrecognized process, outbound connections to mining pool ports (3333, 4444, 5555), and presence of XMRig or similar mining binaries in /tmp or /dev/shm. Enable AWS GuardDuty (it detects cryptomining DNS queries automatically) and run Falco for Kubernetes. Eradication requires finding and removing all persistence mechanisms: cron jobs, systemd services, and attacker SSH keys: before killing the mining process, or re-infection is guaranteed.

Frequently asked questions

How do you detect cryptojacking on a Linux server?

Check for processes consuming more than 80-90% CPU ('ps aux --sort=-%cpu | head -20'), search for known mining process names ('ps aux | grep -Ei xmrig'), check for outbound connections to mining pool ports ('ss -tulpn | grep -E :(3333|4444|5555)'), and search /tmp and /dev/shm for newly created executables. On AWS, GuardDuty automatically detects cryptomining DNS queries and network connections.

How do you remove cryptomining malware from a Linux server?

Remove in this order: kill the mining process, delete the mining binary (commonly in /tmp or /dev/shm), remove all persistence mechanisms (cron entries, systemd services, init.d scripts, authorized_keys entries), and identify and close the initial access vector. If you kill the process without removing persistence, the attacker's cron job or systemd service will restart it within minutes.

How do attackers gain access to servers for cryptojacking?

The most common initial access methods for cryptojacking campaigns are: unpatched internet-facing services (Log4Shell, Confluence RCE, Atlassian vulnerabilities, Docker API exposed without authentication); stolen SSH credentials or SSH keys (via credential stuffing, phishing, or leaked keys in public GitHub repos); misconfigured cloud environments (publicly accessible AWS S3 buckets with write access, EC2 metadata service SSRF leading to IAM credential theft); and compromised CI/CD pipelines where build systems with cloud credentials are exploited to spawn compute resources.

How do I prevent cryptojacking on cloud infrastructure?

Six controls for cloud environments: enable cloud-native threat detection (AWS GuardDuty, Azure Defender) which has specific findings for crypto mining activity (CryptoCurrency:EC2/BitcoinTool.B); set AWS Budget alerts to trigger when compute spend increases more than 20% month-over-month; restrict outbound network access from compute instances to known good destinations (cryptominers must reach mining pool IPs/domains); disable the EC2 metadata service IMDSv1 and require IMDSv2 to prevent SSRF-based credential theft; use network ACLs to block outbound connections on common mining pool ports (3333, 4444, 9999, 14444); and enable Container Security scanning in your registry to catch mining images before deployment.

What is the business impact of cryptojacking compared to ransomware?

Cryptojacking and ransomware have fundamentally different impact profiles. Cryptojacking is designed to be invisible: it steals CPU cycles and electricity over weeks or months, costing $500-$5,000 per compromised cloud instance in unexpected compute bills before detection. It rarely destroys data or disrupts operations. Ransomware is designed to be maximally disruptive: it encrypts data, halts operations, and demands payment. The attacker tradeoff is time-vs-impact: cryptojacking provides sustained low-level income with lower detection risk; ransomware delivers a large one-time payment with high detection certainty. For defenders, cryptojacking is easier to recover from but harder to detect without proactive monitoring.

How do cryptojacking attacks spread laterally within a compromised environment?

Once a cryptojacker gains initial access to a single host, lateral movement is the next objective: more CPU means more mining revenue. The most common lateral movement techniques observed in cryptomining campaigns are SSH key harvesting and credential reuse, Docker and Kubernetes API exploitation, and cloud credential theft. SSH key harvesting works by reading the ~/.ssh/known_hosts and ~/.ssh/id_rsa files on the compromised host: these often contain keys that authenticate to other servers in the same environment. Miners that find valid SSH keys automatically propagate themselves to every host in the known_hosts list. For containerized environments, attackers look for an exposed Docker socket (/var/run/docker.sock): access to this socket provides full control of the container runtime, allowing the attacker to spawn new privileged containers on any connected host. In Kubernetes, a compromised pod with access to the Kubernetes API server can list and spawn pods across the cluster. In cloud environments, the EC2 metadata service (169.254.169.254) is queried for IAM credentials: any role attached to the instance that has permissions to launch compute resources is used to spawn additional EC2 instances or Fargate tasks running mining containers. To limit lateral movement from a cryptojacking compromise: restrict SSH key permissions so application accounts cannot SSH to other servers, disable Docker socket mounts in container definitions, implement Kubernetes network policies and RBAC to limit what a compromised pod can do, and use IMDSv2 with hop limit 1 to prevent containers from accessing EC2 instance metadata.

Sources & references

  1. Sysdig: 2025 Cloud Threat Report on Cryptomining
  2. MITRE ATT&CK T1496: Resource Hijacking
  3. AWS GuardDuty: CryptoCurrency Finding Types

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.