Cryptojacking is the unauthorized use of someone else’s compute to mine cryptocurrency. In practice, attackers exploit browser sessions, malware, or cloud credentials to convert victim resources into mining output while avoiding hardware, power, and infrastructure costs.
Expanded Definition
Cryptojacking is unauthorized compute abuse for cryptocurrency mining, but in NHI security it is best understood as an identity-enabled workload hijack. Attackers rarely need to “break” the machine first. They often exploit exposed secrets, overprivileged service accounts, browser sessions, CI/CD tokens, or cloud credentials to turn legitimate infrastructure into mining capacity. That distinction matters because the control problem is not only malware removal, but also governance over who or what can execute, persist, and scale resource consumption.
Industry usage is still evolving because some teams treat cryptojacking as a malware category while others treat it as a cloud abuse or access abuse issue. For operational security, NHI Management Group recommends treating it as a privileged access and secret hygiene problem that can manifest across endpoints, containers, and cloud workloads. The most common misapplication is assuming cryptojacking requires visible malware, an assumption that fails when exposed credentials or misconfigured automation let miners run under trusted identities.
For broader NHI governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.
Examples and Use Cases
Implementing cryptojacking controls rigorously often introduces performance and observability overhead, requiring organisations to weigh tighter resource governance against added tuning and investigation cost.
- A public-facing container is provisioned with a leaked cloud access key, and the attacker launches a miner until billing spikes force incident response.
- A browser session left active on an admin workstation is used to inject mining scripts, turning normal user activity into hidden CPU consumption.
- A CI/CD token stored in plain text in a build pipeline is abused to deploy a mining container alongside legitimate release artifacts.
- An overly permissive service account can start new instances in a cloud account, allowing the attacker to scale mining jobs without further intrusion.
- Secrets sprawl makes these scenarios harder to detect, which is why the Ultimate Guide to NHIs stresses visibility, rotation, and offboarding as baseline controls.
Detection guidance is also consistent with the NIST Cybersecurity Framework 2.0, especially where anomalous resource use and access patterns should trigger containment.
Why It Matters in NHI Security
Cryptojacking is important in NHI security because it exposes a deeper control failure: if an attacker can use identities, tokens, or sessions to mine cryptocurrency, the same access can usually be used for data theft, lateral movement, or infrastructure sabotage. The visible cost is often just higher CPU, memory, and cloud bills, but the real risk is that privileged non-human identities were already too permissive or too persistent. NHI Management Group reports that 97% of NHIs carry excessive privileges, and that makes unauthorized workload execution much easier once a single credential is compromised.
This is also where cloud governance, secret management, and Zero Trust intersect. The Ultimate Guide to NHIs shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why mining activity can persist after compromise. Practitioners should map detection to identity ownership, secret rotation, and workload authorization, not just malware cleanup. Organisations typically encounter this term only after unexplained spend, degraded performance, or abuse complaints, at which point cryptojacking becomes operationally unavoidable to address.
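One way to map detection to identity ownership, secret rotation, and workload authorization, as an added example that is not NHI Management Group's own code. The inventory schema, event tuples, identity names, and thresholds are all constructed assumptions, not a real cloud provider's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NHI inventory (hypothetical schema): owner, key creation date,
# and whether the identity is approved to launch compute.
INVENTORY = {
    "svc-ci-deploy": {"owner": "platform-team", "key_created": "2025-01-10", "may_launch": True},
    "svc-report-export": {"owner": None, "key_created": "2023-03-02", "may_launch": False},
}
# Constructed audit events: (timestamp, identity, action).
EVENTS = [("2025-02-01T09:00:00", "svc-ci-deploy", "launch_instance")] + [
    (f"2025-02-01T02:1{m}:00", "svc-report-export", "launch_instance") for m in range(5)
]
NOW = datetime(2025, 2, 1, 12, 0)      # constructed evaluation time
MAX_KEY_AGE = timedelta(days=90)       # assumed rotation policy
BURST_WINDOW = timedelta(minutes=10)   # assumed burst window
BURST_LIMIT = 3                        # assumed max launches per window


def review_launches(events, inventory, now):
    """Return {identity: sorted reasons} for identities whose launches need review."""
    launches = defaultdict(list)
    for ts, identity, action in events:
        if action == "launch_instance":
            launches[identity].append(datetime.fromisoformat(ts))
    findings = {}
    for identity, times in launches.items():
        reasons = set()
        record = inventory.get(identity)
        if record is None:
            reasons.add("unknown identity")             # not in the inventory at all
        else:
            if not record["may_launch"]:
                reasons.add("not authorized to launch compute")
            if record["owner"] is None:
                reasons.add("no owner")                 # nobody to confirm or offboard
            if now - datetime.fromisoformat(record["key_created"]) > MAX_KEY_AGE:
                reasons.add("key past rotation age")
        times.sort()
        for i, start in enumerate(times):
            # Count launches that fall inside the window opened by this launch.
            if sum(1 for t in times[i:] if t - start <= BURST_WINDOW) > BURST_LIMIT:
                reasons.add("launch burst")
                break
        if reasons:
            findings[identity] = sorted(reasons)
    return findings
```

Each finding names the identity and the governance gap behind it, so containment can start with revoking or rotating that credential instead of only terminating the instances.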
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Cryptojacking often starts with exposed or overprivileged NHI secrets. |
| NIST CSF 2.0 | PR.AA | Identity and access governance reduces unauthorized workload execution risk. |
| NIST Zero Trust (SP 800-207) | | Zero Trust limits trust in sessions and service identities used for abuse. |
Apply least privilege and continuous verification to prevent trusted access from becoming mining capacity.
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org