TL;DR: Cryptojacking steals CPU, GPU, and cloud compute from infected browsers, endpoints, and cloud accounts, and attackers often reach exposed AWS credentials in just 17 minutes, according to Entro Security's analysis. The threat shows that visibility, least privilege, and anomaly detection matter as much for cost control as for security.
NHIMG editorial — based on content published by DigiCert: What is Cryptojacking?
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should security teams stop cryptojacking in cloud environments?
A: Security teams should restrict who can create and scale compute, monitor for unexpected API activity, and revoke exposed secrets immediately.
Q: Why do exposed cloud credentials create such a fast cryptojacking risk?
A: Exposed cloud credentials give attackers a legitimate entry point, so they do not need to break in before they start using compute.
Q: What breaks when cloud permissions are broader than the workload needs?
A: Broad cloud permissions allow an attacker to provision miners, expand instances, and hide cost growth inside normal administration activity.
Practitioner guidance
- Tighten cloud role scope Review whether service roles can create, resize, or persist compute beyond their operational need.
- Harden secrets discovery and revocation Continuously scan for exposed API keys, tokens, and certificates across code repositories, logs, and build output.
- Correlate identity, cost, and workload telemetry Alert on abnormal API activity, unexpected instance growth, and unexplained spend spikes in the same time window.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Browser-level mitigation options, including ad-blocking and anti-tracking controls for malicious JavaScript.
- Step-by-step guidance for detecting abnormal CPU usage and mining-like processes on endpoints and servers.
- Cloud posture measures such as CSPM checks, least-privilege access design, and monitoring for unexplained resource spikes.
- Network-side monitoring patterns for connections to mining pools and command-and-control infrastructure.
👉 Read DigiCert's blog on what cryptojacking is and how it works →
Cryptojacking in cloud environments: are your controls keeping up?
Explore further
Cryptojacking is an identity abuse problem before it is a malware problem. The article’s cloud examples show that the mining workload is only the end state. The real failure is access that is broad enough, exposed enough, or poorly monitored enough for an attacker to turn legitimate compute into a revenue stream. For IAM and cloud teams, the question is not just whether the miner can be detected, but why the identity path made resource theft possible in the first place.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when cryptojacking starts from exposed secrets?
A: Accountability usually spans the team that owns secret storage, the platform owner that granted the permissions, and the security function that failed to detect exposure. The practical lesson is that cryptojacking is a governance issue as much as a technical one. Teams need clear ownership for secret hygiene, access scope, and anomaly response.
👉 Read our full editorial: Cryptojacking exposes cloud and browser resource theft risks