
Cryptojacking in cloud environments: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: Cryptojacking steals CPU, GPU, and cloud compute from infected browsers, endpoints, and cloud accounts, and attackers often reach exposed AWS credentials in just 17 minutes, according to Entro Security's analysis. The threat shows that visibility, least privilege, and anomaly detection matter as much for cost control as for security.

NHIMG editorial — based on content published by DigiCert: What is Cryptojacking?

By the numbers:

Questions worth separating out

Q: How should security teams stop cryptojacking in cloud environments?

A: Security teams should restrict who can create and scale compute, monitor for unexpected API activity, and revoke exposed secrets immediately.

Q: Why do exposed cloud credentials create such a fast cryptojacking risk?

A: Exposed cloud credentials give attackers a legitimate entry point, so they do not need to break in before they start using compute.

Q: What breaks when cloud permissions are broader than the workload needs?

A: Broad cloud permissions allow an attacker to provision miners, expand instances, and hide cost growth inside normal administration activity.

Practitioner guidance

  • Tighten cloud role scope: review whether service roles can create, resize, or persist compute beyond their operational need.
  • Harden secrets discovery and revocation: continuously scan for exposed API keys, tokens, and certificates across code repositories, logs, and build output.
  • Correlate identity, cost, and workload telemetry: alert on abnormal API activity, unexpected instance growth, and unexplained spend spikes in the same time window.
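The answers above (restrict who can create and scale compute, watch for unexpected API activity) and the third guidance item (correlate identity, instance growth and spend in one window) come together in a small detection routine. The following is an added example written for this post, not code from NHIMG or DigiCert. The CloudTrail-style events, the hourly spend figures, the principal names and the launch baseline are all constructed for illustration; in a real deployment the events would come from the audit log and the spend from the billing export.

```python
"""Correlate identity, workload and spend telemetry to spot cryptojacking-style compute abuse.

Added example (not from the NHIMG post or DigiCert's article). Event shapes, principal
names, instance types and cost figures below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events. Real records carry many more fields;
# only what the detection needs is modelled here.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "principal": "role/ci-builder",
     "event": "RunInstances", "instance_type": "t3.medium", "count": 1},
    {"time": "2024-05-01T10:20:00Z", "principal": "role/ci-builder",
     "event": "DescribeInstances", "instance_type": None, "count": 0},
    {"time": "2024-05-01T11:00:00Z", "principal": "user/leaked-dev-key",
     "event": "RunInstances", "instance_type": "p3.8xlarge", "count": 8},
    {"time": "2024-05-01T11:04:00Z", "principal": "user/leaked-dev-key",
     "event": "RunInstances", "instance_type": "p3.8xlarge", "count": 8},
    {"time": "2024-05-01T11:09:00Z", "principal": "user/leaked-dev-key",
     "event": "RunInstances", "instance_type": "g4dn.xlarge", "count": 4},
    {"time": "2024-05-01T12:00:00Z", "principal": "role/ci-builder",
     "event": "RunInstances", "instance_type": "t3.medium", "count": 1},
]

# Constructed hourly spend (USD) for the same account, keyed by ISO hour.
SAMPLE_HOURLY_SPEND = {"2024-05-01T10": 4.10, "2024-05-01T11": 187.40, "2024-05-01T12": 4.60}

# Constructed baseline: principals expected to launch compute and the instance
# families they normally use. Anything outside this deserves a look.
LAUNCH_BASELINE = {"role/ci-builder": {"t3"}}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hour_key(s):
    # "2024-05-01T11:04:00Z" -> "2024-05-01T11"
    return s[:13]


def family(instance_type):
    # "p3.8xlarge" -> "p3"
    return instance_type.split(".")[0]


def detect_compute_abuse(events, hourly_spend, baseline=LAUNCH_BASELINE,
                         window=timedelta(minutes=15), max_instances=10,
                         spend_multiplier=5.0):
    """Return a list of findings; each finding is a dict with a 'rule' key."""
    launches = sorted((e for e in events if e["event"] == "RunInstances"),
                      key=lambda e: parse_time(e["time"]))
    by_principal = defaultdict(list)
    for e in launches:
        by_principal[e["principal"]].append(e)

    # Crude spend baseline: the median hour in the sample.
    median_spend = sorted(hourly_spend.values())[len(hourly_spend) // 2]
    findings = []
    for principal, evs in by_principal.items():
        expected = baseline.get(principal)
        # Rule 1: a principal with no launch baseline is starting compute at all.
        if expected is None:
            findings.append({"rule": "unexpected_launcher", "principal": principal,
                             "first_seen": evs[0]["time"]})
        # Rule 2: instance family outside the principal's baseline (reported once per family).
        seen_families = set()
        for e in evs:
            fam = family(e["instance_type"])
            if fam not in (expected or set()) and fam not in seen_families:
                seen_families.add(fam)
                findings.append({"rule": "unusual_instance_family", "principal": principal,
                                 "family": fam, "time": e["time"]})
        # Rule 3: sliding window over launches; too many instances in `window`,
        # enriched with the spend recorded for the hour the burst landed in.
        start, total = 0, 0
        for e in evs:
            total += e["count"]
            while parse_time(e["time"]) - parse_time(evs[start]["time"]) > window:
                total -= evs[start]["count"]
                start += 1
            if total > max_instances:
                spend = hourly_spend.get(hour_key(e["time"]), 0.0)
                findings.append({"rule": "launch_burst", "principal": principal,
                                 "window_end": e["time"], "instances": total,
                                 "spend_usd": spend,
                                 "spend_anomalous": spend > spend_multiplier * median_spend})
                break  # one burst alert per principal is enough
    return findings


def flagged_principals(findings):
    return sorted({f["principal"] for f in findings})


if __name__ == "__main__":
    for finding in detect_compute_abuse(SAMPLE_EVENTS, SAMPLE_HOURLY_SPEND):
        print(finding)
```

The three rules map directly onto the guidance: an unknown launcher is the role-scope problem surfacing in telemetry, an unusual instance family is the GPU-heavy footprint miners tend to leave, and the burst rule ties instance growth to the spend recorded in the same hour so a cost spike can be explained by a named principal rather than discovered on the invoice. Thresholds, the baseline and the spend multiplier are assumptions to tune per account.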

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Browser-level mitigation options, including ad-blocking and anti-tracking controls for malicious JavaScript.
  • Step-by-step guidance for detecting abnormal CPU usage and mining-like processes on endpoints and servers.
  • Cloud posture measures such as CSPM checks, least-privilege access design, and monitoring for unexplained resource spikes.
  • Network-side monitoring patterns for connections to mining pools and command-and-control infrastructure.

👉 Read DigiCert's blog on what cryptojacking is and how it works →
