What Is Cryptojacking and How to Detect and Remove It From Your Servers

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Cryptojacking is the most financially straightforward post-compromise activity available to attackers: exploit a vulnerability, deploy XMRig or a similar mining tool, collect Monero. The victim's cloud bill spikes, their applications slow down, and the attacker earns money continuously until detected and evicted.
Detection is achievable because mining software has distinctive behaviors: sustained high CPU utilization, outbound connections to mining pool infrastructure, and specific file and process names that appear in forensics.
Linux Server Detection
Check CPU utilization for sustained high usage:
# Top processes by CPU usage: look for unrecognized processes above 80% CPU
top -bn1 | head -20
# More detailed: show command with arguments
ps aux --sort=-%cpu | head -20
# Check for processes sustaining high CPU for extended periods
sar -P ALL 1 5 # CPU utilization per core: mining pegs individual cores
Search for known mining process names:
# Common cryptominer process names
ps aux | grep -Ei '(xmrig|minergate|cpuminer|ethminer|t-rex|nbminer|gminer|lolminer|nanominer|phoenixminer|claymore)' | grep -v grep
# Search running processes for mining pool connection strings
ls -la /proc/*/exe 2>/dev/null | grep -Ei '(xmrig|miner|kswapd0|kdevtmpfsi)'
Check network connections to mining pools:
# Look for outbound connections to common mining pool ports (3333, 4444, 5555, 7777, 14433, 45700)
ss -tulpn | grep -E ':(3333|4444|5555|7777|14433|45700)'
# Check DNS resolutions for mining pool domains
ss -tulpn | awk '{print $5}' | grep -v '127.0.0.1\|0.0.0.0\|:::' | sort -u
# Check /etc/hosts for mining pool entries or crypto-related entries
cat /etc/hosts | grep -Ev '^#|^$|localhost|127.0.0.1|::1'
Search the filesystem for mining software:
# Find XMRig configuration files
find / -name 'config.json' -newer /etc/passwd 2>/dev/null | xargs grep -l 'pool\|wallet\|xmr\|monero' 2>/dev/null
# Find recently modified or created executables (attackers often drop miners in /tmp, /dev/shm, /var/tmp)
find /tmp /var/tmp /dev/shm /run -type f -executable 2>/dev/null
# Find world-writable executables
find / -type f -perm -o+w -name '*.sh' 2>/dev/null | head -20
Check persistence mechanisms (where attackers hide to survive reboots):
# Cron jobs: mining software often installs cron entries to restart after kill
crontab -l
sudo crontab -l # Root crontab
ls -la /etc/cron* /var/spool/cron/*
# Systemd services: look for unusual service names
systemctl list-units --type=service | grep -v 'loaded active running'
cat /etc/systemd/system/*.service | grep -E '(ExecStart|WorkingDirectory)' | head -30
# /etc/rc.local or init.d scripts
cat /etc/rc.local 2>/dev/null
ls /etc/init.d/ | grep -v 'default\|README'
AWS EC2 and Cloud Environment Detection
AWS GuardDuty: built-in cryptomining detection:
If GuardDuty is enabled (it should be: see the GuardDuty guide), it automatically detects cryptocurrency mining activity via:
CryptoCurrency:EC2/BitcoinTool.B!DNS: DNS queries to cryptocurrency mining domainsCryptoCurrency:EC2/BitcoinTool.B: network connections to cryptocurrency mining infrastructureResource:EC2/PortProbeUnprotectedPort: attackers scanning for exploitable instances to deploy miners
# CLI: Check for GuardDuty cryptomining findings
aws guardduty list-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-criteria '{"Criterion": {"type": {"Equals": ["CryptoCurrency:EC2/BitcoinTool.B!DNS","CryptoCurrency:EC2/BitcoinTool.B"]}}}'
CloudWatch for CPU spikes:
# Find EC2 instances with sustained high CPU in the last 24 hours
aws cloudwatch get-metric-statistics \
--namespace AWS/EC2 \
--metric-name CPUUtilization \
--dimensions Name=InstanceId,Value=INSTANCE-ID \
--start-time $(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
--period 3600 \
--statistics Average \
--output json | jq '.Datapoints[] | select(.Average > 80)'
AWS CloudTrail: detect how the attacker got in: Once a mining instance is identified, CloudTrail shows what API calls preceded the compromise: this tells you the initial access vector (stolen key, public bucket, exposed EC2 metadata service):
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=ResourceName,AttributeValue=INSTANCE-ID \
--start-time $(date -u -d '72 hours ago' +%Y-%m-%dT%H:%M:%SZ) \
--output json | jq '.Events[] | {EventTime, EventName, Username, SourceIPAddress}'
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Kubernetes Cryptomining Detection
Kubernetes clusters are high-value targets: thousands of CPUs controlled by a single credential compromise or misconfigured API server.
Check for suspicious pods with high resource consumption:
# List all pods with their CPU usage
kubectl top pods --all-namespaces | sort -k4 -rn | head -20
# Look for pods running privileged containers (attacker prerequisite for some mining setups)
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged == true) | {name: .metadata.name, namespace: .metadata.namespace}'
# Check for pods using hostPID or hostNetwork (common in cryptomining malware)
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.hostPID == true or .spec.hostNetwork == true) | {name: .metadata.name, namespace: .metadata.namespace}'
Check recent pod creation events:
# Recent events: look for pods created in unusual namespaces or with unusual names
kubectl get events --all-namespaces --sort-by='.lastTimestamp' | tail -50 | grep -i 'created\|started'
# Check for pods in default namespace (often used by attackers who compromise admin creds)
kubectl get pods -n default
Falco: runtime security for Kubernetes: Falco is an open-source runtime security tool that detects cryptomining-specific behaviors:
- Execution of xmrig or known miner binaries
- Outbound connections to known mining pool IPs
- Container spawning shells (attacker interaction)
# Install Falco via Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --namespace falco --create-namespace
# Check Falco alerts
kubectl logs -n falco -l app=falco | grep -i 'miner\|xmrig\|crypto'
Eradication and Post-Compromise Steps
Do not just kill the process: find and remove persistence:
# 1. Kill the mining process
sudo kill -9 $(pgrep -f xmrig)
# 2. Remove persistence mechanisms
# Remove cron entries
crontab -r # Root's crontab
sudo crontab -r
# Remove systemd service if installed
sudo systemctl stop miner.service
sudo systemctl disable miner.service
sudo rm /etc/systemd/system/miner.service
sudo systemctl daemon-reload
# 3. Delete the mining binary and config files
sudo rm -rf /tmp/xmrig /dev/shm/xmrig /var/tmp/kdevtmpfsi
sudo find / -name 'config.json' -newer /etc/passwd 2>/dev/null | xargs grep -l 'pool\|wallet' | xargs rm -f
# 4. Remove attacker-created user accounts
cat /etc/passwd | awk -F: '{if ($3 >= 1000 && $3 < 65534) print $1}'
# Review: delete any accounts not created by you
sudo userdel -r suspicioususer
# 5. Remove attacker SSH keys
cat ~/.ssh/authorized_keys # Review for unauthorized keys
cat /root/.ssh/authorized_keys
After eradication:
- Rotate all credentials that could have been compromised (IAM keys, SSH keys, service account passwords)
- Identify the initial access vector (the attacker's entry point) and close it: if you do not close the entry point, re-infection is guaranteed
- Review cloud spending for the affected period: many cloud providers will negotiate credits for cryptomining incidents when reported promptly
- For AWS, open a Support case reporting the incident: AWS has an incident response team that can assist and may provide billing credits
The bottom line
Cryptojacking detection follows three signals: sustained CPU above 90% from an unrecognized process, outbound connections to mining pool ports (3333, 4444, 5555), and presence of XMRig or similar mining binaries in /tmp or /dev/shm. Enable AWS GuardDuty (it detects cryptomining DNS queries automatically) and run Falco for Kubernetes. Eradication requires finding and removing all persistence mechanisms: cron jobs, systemd services, and attacker SSH keys: before killing the mining process, or re-infection is guaranteed.
Frequently asked questions
How do you detect cryptojacking on a Linux server?
Check for processes consuming more than 80-90% CPU ('ps aux --sort=-%cpu | head -20'), search for known mining process names ('ps aux | grep -Ei xmrig'), check for outbound connections to mining pool ports ('ss -tulpn | grep -E :(3333|4444|5555)'), and search /tmp and /dev/shm for newly created executables. On AWS, GuardDuty automatically detects cryptomining DNS queries and network connections.
How do you remove cryptomining malware from a Linux server?
Remove in this order: kill the mining process, delete the mining binary (commonly in /tmp or /dev/shm), remove all persistence mechanisms (cron entries, systemd services, init.d scripts, authorized_keys entries), and identify and close the initial access vector. If you kill the process without removing persistence, the attacker's cron job or systemd service will restart it within minutes.
How do attackers gain access to servers for cryptojacking?
The most common initial access methods for cryptojacking campaigns are: unpatched internet-facing services (Log4Shell, Confluence RCE, Atlassian vulnerabilities, Docker API exposed without authentication); stolen SSH credentials or SSH keys (via credential stuffing, phishing, or leaked keys in public GitHub repos); misconfigured cloud environments (publicly accessible AWS S3 buckets with write access, EC2 metadata service SSRF leading to IAM credential theft); and compromised CI/CD pipelines where build systems with cloud credentials are exploited to spawn compute resources.
How do I prevent cryptojacking on cloud infrastructure?
Six controls for cloud environments: enable cloud-native threat detection (AWS GuardDuty, Azure Defender) which has specific findings for crypto mining activity (CryptoCurrency:EC2/BitcoinTool.B); set AWS Budget alerts to trigger when compute spend increases more than 20% month-over-month; restrict outbound network access from compute instances to known good destinations (cryptominers must reach mining pool IPs/domains); disable the EC2 metadata service IMDSv1 and require IMDSv2 to prevent SSRF-based credential theft; use network ACLs to block outbound connections on common mining pool ports (3333, 4444, 9999, 14444); and enable Container Security scanning in your registry to catch mining images before deployment.
What is the business impact of cryptojacking compared to ransomware?
Cryptojacking and ransomware have fundamentally different impact profiles. Cryptojacking is designed to be invisible: it steals CPU cycles and electricity over weeks or months, costing $500-$5,000 per compromised cloud instance in unexpected compute bills before detection. It rarely destroys data or disrupts operations. Ransomware is designed to be maximally disruptive: it encrypts data, halts operations, and demands payment. The attacker tradeoff is time-vs-impact: cryptojacking provides sustained low-level income with lower detection risk; ransomware delivers a large one-time payment with high detection certainty. For defenders, cryptojacking is easier to recover from but harder to detect without proactive monitoring.
How do cryptojacking attacks spread laterally within a compromised environment?
Once a cryptojacker gains initial access to a single host, lateral movement is the next objective: more CPU means more mining revenue. The most common lateral movement techniques observed in cryptomining campaigns are SSH key harvesting and credential reuse, Docker and Kubernetes API exploitation, and cloud credential theft. SSH key harvesting works by reading the ~/.ssh/known_hosts and ~/.ssh/id_rsa files on the compromised host: these often contain keys that authenticate to other servers in the same environment. Miners that find valid SSH keys automatically propagate themselves to every host in the known_hosts list. For containerized environments, attackers look for an exposed Docker socket (/var/run/docker.sock): access to this socket provides full control of the container runtime, allowing the attacker to spawn new privileged containers on any connected host. In Kubernetes, a compromised pod with access to the Kubernetes API server can list and spawn pods across the cluster. In cloud environments, the EC2 metadata service (169.254.169.254) is queried for IAM credentials: any role attached to the instance that has permissions to launch compute resources is used to spawn additional EC2 instances or Fargate tasks running mining containers. To limit lateral movement from a cryptojacking compromise: restrict SSH key permissions so application accounts cannot SSH to other servers, disable Docker socket mounts in container definitions, implement Kubernetes network policies and RBAC to limit what a compromised pod can do, and use IMDSv2 with hop limit 1 to prevent containers from accessing EC2 instance metadata.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
