By NHI Mgmt Group Editorial Team
Published 2026-06-17
Domain: Governance & Risk
Source: DigiCert

TL;DR: Cryptojacking steals CPU, GPU, and cloud compute from infected browsers, endpoints, and cloud accounts, and attackers often reach exposed AWS credentials in just 17 minutes, according to Entro Security's analysis. The threat shows that visibility, least privilege, and anomaly detection matter as much for cost control as for security.


At a glance

What this is: Cryptojacking is unauthorized cryptocurrency mining that silently consumes device and cloud resources, with cloud accounts and browser scripts creating the biggest scale risk.

Why it matters: IAM, secrets, and cloud governance teams need to treat resource abuse as an identity and access problem, not just a malware problem.

👉 Read DigiCert's blog on what cryptojacking is and how it works


Context

Cryptojacking is unauthorized use of computing resources to mine cryptocurrency, and it is easier to miss than conventional malware because the attacker needs the victim's systems to stay up and responsive. In cloud and browser environments, that makes the problem look like routine performance degradation or cost drift until the mining load becomes obvious.

For identity teams, the important point is that cryptojacking often begins with exposed credentials, over-permissive cloud access, or a compromised website rather than with a noisy payload. That pushes it squarely into IAM, secrets management, and workload governance territory, especially where cloud resource access is not tightly scoped or monitored.


Key questions

Q: How should security teams stop cryptojacking in cloud environments?

A: Security teams should restrict who can create and scale compute, monitor for unexpected API activity, and revoke exposed secrets immediately. Cryptojacking is easiest when attackers can turn valid cloud access into mining capacity without triggering obvious security alerts. Identity scope, billing telemetry, and workload detection should be correlated so that resource abuse is visible quickly.

Q: Why do exposed cloud credentials create such a fast cryptojacking risk?

A: Exposed cloud credentials give attackers a legitimate entry point, so they do not need to break in before they start using compute. That means mining can begin within minutes of exposure if the secret is public or reused. The risk is not just compromise, but how much infrastructure the credential can create or control.

Q: What breaks when cloud permissions are broader than the workload needs?

A: Broad cloud permissions allow an attacker to provision miners, expand instances, and hide cost growth inside normal administration activity. When the role can create infrastructure freely, cryptojacking becomes a scaling problem rather than a single-host infection. Least privilege must limit resource creation, not only data access.

Q: Who is accountable when cryptojacking starts from exposed secrets?

A: Accountability usually spans the team that owns secret storage, the platform owner that granted the permissions, and the security function that failed to detect exposure. The practical lesson is that cryptojacking is a governance issue as much as a technical one. Teams need clear ownership for secret hygiene, access scope, and anomaly response.


Technical breakdown

Browser-based cryptojacking and injected JavaScript

Browser-based cryptojacking works when attackers place mining JavaScript into a website or ad path, then rely on the visitor’s browser to execute the code. The script uses the browser session’s CPU while the tab stays open, so the attack is temporary but highly scalable. Compromised websites, malicious ad networks, and injected third-party scripts are the common delivery paths. This model depends on the user’s device doing the work and on the attacker staying hidden long enough to profit.

Practical implication: web security teams need script controls, ad filtering, and content integrity checks on pages that can execute third-party code.
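As an added example of the content-integrity check described above (this is editorial example code, not part of DigiCert's post or anything NHIMG ships), the script below audits a page's `<script>` tags against a script-origin allowlist and reports external scripts that lack Subresource Integrity, plus inline blocks that a strict CSP would refuse. The allowlist host `cdn.example.com`, the sample HTML, and the placeholder integrity digest are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts this site is permitted to load scripts from.
ALLOWED_SCRIPT_ORIGINS = {"cdn.example.com"}


class ScriptAuditor(HTMLParser):
    """Collect <script> tags that violate the page's script policy."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if src is None:
            # Inline script cannot be pinned with SRI; a CSP without
            # 'unsafe-inline' refuses to run it, so report it for review.
            self.findings.append(("inline-script", None))
            return
        host = urlparse(src).netloc.lower()
        if not host:
            return  # same-origin path: governed by the site's own deploy pipeline
        if host not in ALLOWED_SCRIPT_ORIGINS:
            self.findings.append(("unlisted-origin", src))
        elif not attr.get("integrity"):
            # Allowed host but no hash: a swapped file on the CDN or ad path still runs.
            self.findings.append(("missing-sri", src))


def audit_scripts(html):
    """Return (kind, src) findings for every policy violation in the page."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def build_csp(allowed=ALLOWED_SCRIPT_ORIGINS):
    """Content-Security-Policy value that only permits scripts from the allowlist."""
    sources = " ".join(f"https://{h}" for h in sorted(allowed))
    return f"script-src 'self' {sources}; object-src 'none'; base-uri 'self'"


# Constructed sample page (not a real site): one pinned script, one unpinned,
# one from an ad host outside the allowlist, and one inline block.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example.com/app.js" integrity="sha384-REPLACE_WITH_REAL_DIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/vendor.js"></script>
<script src="//ads.example.net/loader.js" async></script>
<script>document.title = "welcome";</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, src in audit_scripts(SAMPLE_PAGE):
        print(f"{kind:16} {src or '(inline)'}")
    print("CSP:", build_csp())
```

The audit is a build-time or crawl-time check; the CSP string from `build_csp` is the runtime control that enforces the same allowlist in the browser, and the two should be generated from one source so they cannot drift apart.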

Malware-based cryptojacking on endpoints and servers

Malware-based cryptojacking installs a miner directly on a device or server and keeps running in the background, often using idle cycles to avoid easy detection. Unlike a browser script, it survives reboots and can spread laterally if the environment has weak segmentation or shared credentials. Social engineering and bundled software remain common entry paths. Once established, the miner competes with legitimate workloads for CPU, memory, and power, which makes performance monitoring and process inspection the earliest clues.

Practical implication: endpoint teams should combine EDR, patching, and user training with process-level monitoring for abnormal compute consumption.

Cloud cryptojacking through exposed credentials and over-permissive access

Cloud cryptojacking is the highest-impact version because an attacker with valid cloud access can create many miners quickly and scale up compute spend before detection. The weak point is usually not the mining code itself but the access path: exposed keys, overly broad roles, permissive policies, or container and orchestration weaknesses. In practice, the attacker uses legitimate cloud APIs to spin up resources, which makes the activity look like normal administration unless identity, billing, and workload telemetry are correlated.

Practical implication: cloud teams need least privilege, secrets hygiene, and anomaly detection on API activity and spend patterns, not just malware scanning.
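To show the identity-plus-workload correlation this section calls for, here is an added detection example written for this page (not DigiCert's or NHIMG's code) that runs over constructed CloudTrail-style records. It groups `RunInstances` calls by calling principal, looks for a burst of instances, multi-region spread, or accelerated instance families inside a short window, and then enriches the finding with any source address never seen for that principal. The thresholds, the flattened `principal` field, the `maxCount` shorthand for the real `instancesSet` structure, and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed correlation window
INSTANCE_BURST = 8               # assumed: this many instances in WINDOW is suspicious
REGION_BURST = 2                 # assumed: launches in this many regions in WINDOW is suspicious
GPU_FAMILIES = ("p", "g")        # EC2 accelerated families (instance type prefix) miners prefer

# Constructed CloudTrail-style records. Real records nest the caller under
# userIdentity and instance counts under instancesSet; both are flattened here.
SAMPLE_EVENTS = [
    # Routine activity from a CI role: one small instance from its usual address.
    {"eventTime": "2026-06-17T08:55:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "principal": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceType": "t3.medium", "maxCount": 1}},
    # A leaked user key: recon, then GPU launches in three regions from a new address.
    {"eventTime": "2026-06-17T09:00:05Z", "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "principal": "AKIAIOSFODNN7EXAMPLE", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {}},
    {"eventTime": "2026-06-17T09:01:10Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "principal": "AKIAIOSFODNN7EXAMPLE", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"instanceType": "p3.16xlarge", "maxCount": 5}},
    {"eventTime": "2026-06-17T09:03:42Z", "eventName": "RunInstances", "awsRegion": "us-west-2",
     "principal": "AKIAIOSFODNN7EXAMPLE", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"instanceType": "p3.16xlarge", "maxCount": 5}},
    {"eventTime": "2026-06-17T09:06:18Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "principal": "AKIAIOSFODNN7EXAMPLE", "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"instanceType": "g4dn.12xlarge", "maxCount": 4}},
]

# Assumed baseline of source addresses previously seen per principal.
KNOWN_SOURCE_IPS = {
    "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42": {"203.0.113.7"},
    "AKIAIOSFODNN7EXAMPLE": {"203.0.113.7"},
}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_gpu(instance_type):
    family = instance_type.split(".")[0]
    return family.startswith(GPU_FAMILIES)


def detect_launch_bursts(events, known_ips):
    """Return one finding per principal whose RunInstances calls look like mining build-out."""
    launches = defaultdict(list)
    for event in events:
        if event["eventName"] == "RunInstances":
            launches[event["principal"]].append(event)

    findings = []
    for principal, calls in launches.items():
        calls.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, first in enumerate(calls):
            t0 = parse_time(first["eventTime"])
            window = [e for e in calls[i:] if parse_time(e["eventTime"]) - t0 <= WINDOW]
            instances = sum(e["requestParameters"].get("maxCount", 1) for e in window)
            regions = {e["awsRegion"] for e in window}
            gpu_types = {e["requestParameters"].get("instanceType", "") for e in window
                         if is_gpu(e["requestParameters"].get("instanceType", ""))}
            reasons = []
            if instances >= INSTANCE_BURST:
                reasons.append(f"{instances} instances requested within {WINDOW.seconds // 60} min")
            if len(regions) >= REGION_BURST:
                reasons.append(f"launches spread over {len(regions)} regions")
            if gpu_types:
                reasons.append("accelerated instance types: " + ", ".join(sorted(gpu_types)))
            if not reasons:
                continue
            # Identity context: the compute signal is what alerts; a new source address
            # alone would be noisy, but next to a provisioning burst it raises confidence.
            new_ips = {e["sourceIPAddress"] for e in window} - known_ips.get(principal, set())
            findings.append({"principal": principal, "window_start": first["eventTime"],
                             "instances": instances, "regions": regions,
                             "gpu_types": gpu_types, "new_ips": new_ips, "reasons": reasons})
            break  # the first qualifying window per principal is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_launch_bursts(SAMPLE_EVENTS, KNOWN_SOURCE_IPS):
        print(finding["principal"], finding["window_start"], "; ".join(finding["reasons"]),
              "new source IPs:", sorted(finding["new_ips"]))
```

Spend telemetry is the third leg the section mentions and is not modelled here; in practice the same finding would be joined to a billing anomaly for the affected account and regions before it is raised to an on-call responder.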


Threat narrative

Attacker objective: The attacker aims to generate cryptocurrency profit by converting someone else’s compute, power, and cloud spend into mining revenue.

  1. Entry occurs through browser injection, phishing-delivered malware, or publicly exposed cloud credentials that give the attacker a foothold in a device, website, or account.
  2. Escalation happens when the attacker keeps the miner hidden, uses idle compute, or creates additional cloud resources through valid API access to increase mining capacity.
  3. Impact is resource theft at scale, including degraded performance, higher cloud bills, hardware stress, and potential exposure of broader cloud environments if the attacker stays resident.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cryptojacking is an identity abuse problem before it is a malware problem. The article’s cloud examples show that the mining workload is only the end state. The real failure is access that is broad enough, exposed enough, or poorly monitored enough for an attacker to turn legitimate compute into a revenue stream. For IAM and cloud teams, the question is not just whether the miner can be detected, but why the identity path made resource theft possible in the first place.

Publicly exposed credentials create a compute-to-cash window that attackers can monetise quickly. The minute-scale access timing associated with exposed AWS keys means defenders are often reacting after the first profit-seeking actions have already begun. That compresses the value of slow governance cycles and puts emphasis on runtime visibility, secret discovery, and blast-radius reduction. Practitioners should treat exposed access as an immediate operating risk, not a background hygiene issue.

Cloud cryptojacking shows why least privilege must include resource creation rights, not just data access rights. Many identity programmes focus on whether a role can read data, but cryptojacking exploits whether an identity can create, scale, and persist compute. That expands least privilege into billing, orchestration, and quota controls. The implication is that access governance must account for the ability to consume infrastructure, not only to reach information.

Resource theft becomes easier when security telemetry is split between endpoint, cloud, and identity teams. The attack may begin in a browser, land in a malware process, and finish in cloud spend. Each team can see one fragment and miss the chain. That fragmentation creates a governance blind spot because no single control plane is responsible for the abuse pattern. Practitioners need a joined view of access, workload, and cost anomalies to identify cryptojacking early.

Identity blast radius is the better way to frame cryptojacking risk than simple infection count. A single compromised credential can enable many miners, many instances, or long-lived background abuse even when the initial compromise looks small. That makes the business impact nonlinear. The more cloud authority a token carries, the more quickly a trivial foothold becomes a material financial event, which is why identity scope determines the scale of the loss.

What this signals

Identity scope will matter more than malware signatures. As cloud environments and browser-delivered scripts keep blurring the line between application behaviour and abuse, teams should expect cryptojacking to show up first as cost drift, not as a clear endpoint alert. With 72% of organisations already reporting or suspecting NHI breaches, the governance gap is clearly systemic.

Compute abuse is becoming a lifecycle problem, not a one-off incident. Secret exposure, role overreach, and unmanaged service access all create the conditions for silent mining. The programme response should join credential hygiene, cloud telemetry, and workload governance rather than treating them as separate disciplines.

Resource theft is the named concept to watch here: when access is broad enough to create infrastructure at scale, attackers can monetise compute before defenders notice. That means the most useful operational signal is not just malicious code, but any identity that can turn permissions into spend without an obvious business reason.


For practitioners

  • Tighten cloud role scope: Review whether service roles can create, resize, or persist compute beyond their operational need. Remove wildcard permissions, separate read from provision rights, and require just-enough access for admin tasks.
  • Harden secrets discovery and revocation: Continuously scan for exposed API keys, tokens, and certificates across code repositories, logs, and build output. Revoke and rotate any secret that could let an attacker provision mining infrastructure.
  • Correlate identity, cost, and workload telemetry: Alert on abnormal API activity, unexpected instance growth, and unexplained spend spikes in the same time window. A miner often looks normal in one dataset and suspicious in another.
  • Block browser-delivered mining code: Use content security controls, ad filtering, and script governance on sites that can load third-party JavaScript. Treat compromised ad paths and injected scripts as a browser security issue, not only a web content issue.
  • Train staff to spot resource-theft phishing: Teach users that phishing can deliver cryptomining malware as easily as credential theft. Users who recognise unexplained slowdown, fan noise, and battery drain can surface infections sooner.
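The first item above (scope roles so they cannot create compute freely, and separate read from provision rights) is concrete enough to show in code. The following is an added example for this page, not DigiCert's or NHIMG's tooling: a small audit over IAM policy documents that flags wildcard actions and provisioning actions granted on `Resource: "*"` with no condition, run against a constructed weak policy and a constructed scoped one. The provisioning action list, the account ID `123456789012`, the region, and the instance-type condition are assumptions to adapt; the scoped policy shape reflects the fact that `ec2:RunInstances` needs permission on the instance ARN (where `ec2:InstanceType` can be conditioned) and separately on the image, subnet, security-group, network-interface and volume ARNs it touches.

```python
import fnmatch

# Actions that convert access into compute spend (assumed starter list, not exhaustive).
PROVISION_ACTIONS = {
    "ec2:RunInstances", "ec2:CreateFleet", "ec2:RequestSpotInstances", "ec2:RequestSpotFleet",
    "ec2:ModifyInstanceAttribute", "autoscaling:CreateAutoScalingGroup",
    "autoscaling:UpdateAutoScalingGroup", "eks:CreateNodegroup", "ecs:RunTask",
    "batch:SubmitJob", "sagemaker:CreateTrainingJob", "lambda:CreateFunction",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? globbing.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Flag Allow statements that hand out wildcard or unbounded provisioning rights.

    Only Allow statements with Action are examined; NotAction, Deny statements,
    permission boundaries and SCPs are out of scope for this check.
    """
    findings = []
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        resources = _as_list(statement.get("Resource", []))
        has_condition = bool(statement.get("Condition"))
        for pattern in _as_list(statement.get("Action", [])):
            if pattern == "*" or pattern.endswith(":*"):
                findings.append(("wildcard-action", pattern))
            granted = sorted(a for a in PROVISION_ACTIONS if _action_matches(pattern, a))
            if granted and "*" in resources and not has_condition:
                # Can create compute anywhere, of any size, with nothing to narrow it.
                findings.append(("unbounded-provisioning", pattern, granted))
    return findings


# Constructed "before": a convenience policy that mixes read access with every EC2 action.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}],
}

# Constructed "after": reads are separate from launches, and launches are pinned
# to one region, one account, and two small instance types.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "LaunchSmallInstancesOnly", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": ["t3.small", "t3.medium"]}}},
        {"Sid": "LaunchSupportingResources", "Effect": "Allow", "Action": "ec2:RunInstances",
         # ec2:InstanceType only applies to the instance ARN, so these are listed explicitly
         # rather than as "*" to keep the launch inside one region and account.
         "Resource": ["arn:aws:ec2:eu-west-1::image/ami-*",
                      "arn:aws:ec2:eu-west-1:123456789012:subnet/*",
                      "arn:aws:ec2:eu-west-1:123456789012:security-group/*",
                      "arn:aws:ec2:eu-west-1:123456789012:network-interface/*",
                      "arn:aws:ec2:eu-west-1:123456789012:volume/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

The scoped policy still lets the role launch instances, which is the point: least privilege for compute is about bounding size, place and count, not removing the capability. Quotas and budget alarms on the account provide the backstop for whatever the policy cannot express.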

Key takeaways

  • Cryptojacking succeeds when identities can create or control compute faster than teams can notice the abuse.
  • The strongest evidence in this threat pattern is the combination of exposed secrets, excessive cloud permissions, and unexplained cost growth.
  • Teams should treat resource creation rights, secret exposure, and cross-domain telemetry as the core controls that determine blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage), NHI-05 (Overprivileged NHI) | Cryptojacking often starts with exposed or over-privileged non-human credentials.
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Least-privilege access is central to stopping cloud resource abuse.
NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Continuous verification limits misuse of legitimate cloud access.

Reduce secret exposure, rotate access, and remove unnecessary permissions before attackers can monetize compute.


Key terms

  • Cryptojacking: Cryptojacking is the unauthorized use of someone else’s compute to mine cryptocurrency. In practice, attackers exploit browser sessions, malware, or cloud credentials to convert victim resources into mining output while avoiding hardware, power, and infrastructure costs.
  • Cloud Posture Management: Cloud posture management is the ongoing review of cloud configuration, permissions, and exposure to reduce attack paths. For cryptojacking, it matters because misconfigured access, public secrets, and excess provisioning rights can turn into rapid resource theft.
  • Resource Abuse Telemetry: Resource abuse telemetry is the combined signal from identity activity, workload behaviour, and spend patterns that shows when infrastructure is being used outside normal purpose. It is more useful than a single alert because cryptojacking often looks benign in isolation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: What is Cryptojacking? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org