Browser Cryptocurrency Mining

Cybercriminals have embraced the anonymous nature of cryptocurrency as a new preferred method of profit. Unit 42® released details about attackers hijacking web browsers to use visitors’ compute resources for mining and exchange them for cryptocurrency. With the increasing value of cryptocurrencies such as Bitcoin and Ethereum, and a business model that offers higher returns than malware- and exploit-type attacks, it’s no surprise that these types of attacks are becoming more commonplace.

How It Works

Cybercriminals will compromise a website and abuse a legitimate tool on that site to gain access to the compute resources of site visitors’ systems. Using this access, attackers will essentially steal compute resources and exchange them for cryptocurrency credit. This all occurs without the users’ consent or knowledge throughout the duration of their site visits.

The malicious activity itself doesn’t cause long-term damage to systems, and it ends as soon as users leave the malicious or compromised site. Additionally, the site will still provide users with its normal, intended functionality. However, users will likely experience a noticeable slowdown in system performance.

How to Defend Against It

If you believe your system is being affected by this type of attack, leaving the site or closing your browser will, in most cases, end the attack. Additionally, you should practice good cybersecurity hygiene. This means avoiding unfamiliar websites, not clicking on links or downloading attachments from unknown email senders, keeping products updated with the latest security patches, enabling multi-factor authentication, and using reputable security products.

Browser Cryptocurrency Mining FAQs

Browser mining uses a website visitor’s CPU resources to perform cryptocurrency mining without installing local software. JavaScript code embedded in the webpage executes cryptographic hash functions in the background. Mining begins automatically when the user loads the page and continues as long as the session remains active.

Cryptojacking is the unauthorized use of computing resources to mine cryptocurrency. Adversaries deliver the mining code via malware, browser scripts, or cloud workloads. In browser-based attacks, cryptojacking scripts execute silently and consume CPU cycles, often throttled to avoid detection while extracting economic value from compromised systems.

Drive-by mining occurs when a user’s browser executes mining code without consent during normal site interaction. Unlike traditional malware, no file is downloaded. The mining script runs via JavaScript or WebAssembly, typically embedded in a compromised webpage or malicious ad network, leveraging client-side resources in real time.

A JavaScript miner is a lightweight script designed to perform cryptocurrency mining in the user’s browser. It typically uses the device’s CPU to compute hashes, often targeting Monero due to its CPU-optimized algorithm. These miners can be embedded directly into web pages and executed without user awareness or installation.

Coinhive was a widely used JavaScript-based Monero miner that allowed websites to monetize traffic by mining cryptocurrency in visitors’ browsers. Though marketed as a legitimate service, it became synonymous with cryptojacking when threat actors deployed it without user consent. Coinhive shut down operations in 2019 due to declining profitability and abuse.

A web miner refers to any client-side mining software embedded in a webpage that uses browser resources to mine cryptocurrency. Web miners operate via JavaScript or WebAssembly, executing hash calculations during browser sessions. They can be deployed legitimately with user consent or maliciously in cryptojacking campaigns.

CPU hijacking is the unauthorized consumption of processor resources, typically for mining or distributed attacks. In browser cryptojacking, scripts silently hijack CPU cycles to perform hash computations, degrading performance. Hijacking may occur via embedded code, compromised browser extensions, or inline scripts delivered through ad injection or third-party services.

Browser-based malware executes within the browser context, often leveraging JavaScript, extensions, or malicious ads. It can steal credentials, inject mining scripts, hijack sessions, or redirect traffic. Because it operates without installing traditional executables, it bypasses many endpoint defenses and targets trust in web interfaces and browser functionality.

Browser exploitation targets vulnerabilities in rendering engines, plugins, or JavaScript APIs to gain control over the browser or underlying system. Attackers may execute code, steal session tokens, bypass sandbox restrictions, or inject persistent scripts. Exploits often deliver payloads via malvertising, compromised sites, or infected extensions.

A hidden miner is a stealthy cryptocurrency mining script embedded in a webpage or app that operates without user awareness. It may run in off-screen iframes, minimized browser windows, or hidden tabs, consuming CPU resources continuously while evading visibility in standard browser UI or task managers.

A mining payload is the component of malware or a browser script responsible for executing the hashing algorithm used in cryptocurrency mining. Delivered via exploit kits, phishing, or JavaScript, the payload runs in memory or browser sandboxes and initiates continuous computation against a target coin’s network.

Monero mining involves performing hash operations with the RandomX algorithm to validate transactions and earn XMR, Monero’s native cryptocurrency. Its CPU-friendly design and privacy-focused architecture make it the preferred target for browser-based and malware-driven miners. Monero’s obfuscated ledger conceals illicit mining profits from blockchain analysis.

Stealth mining refers to techniques that reduce detection by throttling CPU usage, limiting execution to idle periods, or operating in off-screen browser contexts. Scripts monitor system load and user activity to adapt mining intensity, prolonging activity without triggering performance complaints or security alerts.

Background mining runs while the user is active on another tab or has minimized the browser. Attackers use persistent browser contexts, service workers, or hidden iframes to maintain execution. Mining continues until the session ends, draining device resources silently and reducing system responsiveness.

Browser resource abuse occurs when scripts or extensions consume excessive CPU, memory, or power for unauthorized tasks. Mining operations, DDoS bots, and credential harvesters can hijack browser processes. In cloud workspaces or VDI environments, such abuse degrades shared infrastructure and triggers anomalous usage patterns.

Inline script injection inserts malicious JavaScript directly into the HTML structure of a page, often within <script> tags. Unlike external payloads, inline scripts execute immediately during page render. Attackers exploit misconfigured CMS platforms, ad tags, or supply chain compromise to deliver mining or data exfiltration code.

Content delivery network abuse involves leveraging trusted CDN infrastructure to host or distribute malicious content. Attackers inject scripts into third-party libraries or hijack dependencies loaded via CDN URLs. Because CDNs serve from known-good domains, malicious scripts delivered this way often evade security controls and user suspicion.

Mining via iframe embeds a hidden or off-screen frame containing mining scripts from a remote source. The iframe isolates the malicious process from the visible page, allowing mining to run undetected. Attackers often use invisible or zero-pixel iframes and inject them dynamically to avoid static analysis.

Obfuscated JavaScript uses encoding, renaming, or control flow manipulation to conceal the script’s purpose. Attackers use obfuscation to hide mining logic, evade detection, and complicate reverse engineering. Techniques include base64 encoding, hexadecimal literals, dynamic function calls, and encrypted payloads decrypted at runtime in memory.

A mining script loader dynamically fetches and executes cryptomining code in the browser. It may use XMLHttpRequest, script tags, or WebSockets to retrieve payloads post-page load. Loaders often obfuscate source URLs, introduce execution delays, or chain multiple scripts to reduce visibility and bypass static detection.

A hashing algorithm transforms input data into a fixed-length digest. In cryptocurrency mining, algorithms like RandomX (Monero) or SHA-256 (Bitcoin) validate transactions and secure blockchains. Miners repeatedly compute hashes with variable input (nonces) to find a result that meets a network-defined difficulty threshold.

A WebAssembly miner uses WASM modules to perform mining operations with higher efficiency than JavaScript alone. WASM provides near-native execution speed in browsers. Attackers compile optimized mining logic into WASM, embed it in web pages, and invoke it via JavaScript for intensive, sustained hash computation.

Browser slowdown results from excessive CPU or memory consumption, often caused by hidden scripts performing cryptographic calculations. Mining code running in the background can degrade rendering speed, input responsiveness, and tab switching. In enterprise environments, widespread slowdown may indicate coordinated resource abuse or endpoint compromise.

Resource exhaustion occurs when a system’s CPU, memory, or battery is consumed beyond operational thresholds. In browser mining, unregulated hash computation overwhelms client-side capacity, potentially crashing tabs, degrading battery life, or triggering thermal throttling. On shared systems, it can disrupt broader performance and stability.

Client-side mining executes cryptocurrency mining operations directly in the user’s browser or device, using JavaScript or WebAssembly. No installation is required. Scripts leverage local CPU cycles to perform hashing, often covertly. Attackers prefer this model for scalability, persistence, and evasion of traditional endpoint defenses.

The mining JavaScript API refers to any programmatic interface used to initiate, control, or monitor mining behavior in the browser. Common APIs include requestAnimationFrame, Web Workers, or WebAssembly interfaces used to distribute workload. Mining platforms may expose proprietary APIs for coin selection, throttle control, or statistics.

Cloudflare bypass refers to techniques used to circumvent protections enforced by Cloudflare, such as bot mitigation or script blocking. Attackers may use domain fronting, CDN misconfigurations, or referrer spoofing to deliver mining scripts hosted behind Cloudflare without triggering filters, exploiting the trust granted to CDN-originated content.
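
As an added example (not from the original article or from Unit 42), a site owner can check page HTML for the static indicators named in the answers above: hidden or zero-pixel iframes, runtime-decoded or encoded inline scripts, script loaders, and WebAssembly or Web Worker use. The rule names, weights, score threshold of 4 and both sample pages are assumptions constructed for illustration.

```javascript
// Heuristic static scan of page HTML for browser-mining indicators.
// Rule names, weights and the threshold of 4 are assumptions for this example.
const attr = (tag, name) => {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
  return m ? m[1] : null;
};

// Iframes that are zero/one pixel in size or styled out of view.
function hiddenIframes(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).filter((tag) => {
    const dims = [attr(tag, 'width'), attr(tag, 'height')];
    const tiny = dims.some((d) => d !== null && parseInt(d, 10) <= 1);
    return tiny || /display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0/i.test(tag);
  });
}

// Bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  return [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)]
    .filter((m) => !/\bsrc\s*=/i.test(m[1]) && m[2].trim())
    .map((m) => m[2]);
}

const RULES = [ // [name, weight, pattern]
  ['wasm', 2, /WebAssembly\.(?:instantiate|instantiateStreaming|compile)\b/],
  ['worker', 1, /new\s+Worker\s*\(/],
  ['websocket', 1, /new\s+WebSocket\s*\(/],
  ['runtime-decode', 2, /\beval\s*\(|new\s+Function\s*\(|\batob\s*\(/],
  ['encoded-blob', 2, /["'][A-Za-z0-9+\/]{120,}={0,2}["']|(?:\\x[0-9a-f]{2}){16,}/i],
  ['script-loader', 1, /createElement\s*\(\s*["']script["']\s*\)/i],
];

function scanPage(html) {
  const hits = new Map(); // indicator name -> weight, each counted once per page
  if (hiddenIframes(html).length) hits.set('hidden-iframe', 2);
  for (const body of inlineScripts(html)) {
    for (const [name, weight, re] of RULES) if (re.test(body)) hits.set(name, weight);
  }
  const score = [...hits.values()].reduce((a, b) => a + b, 0);
  return { hits: [...hits.keys()].sort(), score, suspicious: score >= 4 };
}

// Constructed sample pages (not captured from a real site).
const SUSPECT = `<iframe src="https://example.invalid/f.html" width="0" height="0"></iframe>
<script>var s = document.createElement('script'); s.src = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=');
var w = new Worker('w.js'); WebAssembly.instantiateStreaming(fetch('h.wasm'));</script>`;
const BENIGN = `<iframe src="/video.html" width="640" height="360"></iframe>
<script>document.title = 'Hi'; var w = new Worker('spellcheck.js');</script>`;
console.log(scanPage(SUSPECT), scanPage(BENIGN));
```

A static scan like this misses iframes and scripts injected dynamically after load, so it complements runtime signals such as sustained CPU use rather than replacing them.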