A crypto malware is a type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies. It has become one of the most prominent malware types since 2017. Why?

Crypto malware’s rise in popularity probably has a lot to do with the fact that cryptomining is a resource-intensive process that jacks up a user’s electricity bill for one and uses up his or her computer’s processing power, disallowing other tasks to be performed at the same time. 

Other interesting terms…

Read More about “Crypto Malware

Crypto Malware

A Brief History of Crypto Malware

The first crypto malware, which mined dogecoins using the Harvard University’s Odyssey computer cluster, was discovered in 2014. That discovery was soon followed by a similar attack that same year, albeit to illegally mine bitcoins, using the National Science Foundation (NSF)’s supercomputers.

But crypto malware actually made headlines only from 2017 onward, as cybercriminals doubled their effort to hijack insufficiently secured computers, servers, and even browsers to fill their own cryptocurrency wallets. One particularly interesting attack involved former U.S. Federal Reserve employee Nicholas Berthaume who illicitly mined for bitcoins using his employer’s computers.

The volume of crypto malware grew 4,000% from 500,000 in 2017 to 4 million in 2018. In 2019, two crypto malware variants that mined Monero coins—Coinhive and XMRig—were the most distributed malware worldwide. In the first half of 2020, five of the most commonly detected crypto malware variants were:

  • XMRig
  • JSEcoin
  • WannaMine
  • RubyMiner
  • NRSMiner

The figure below shows their distribution.

Source: Statista

Cryptojacking and Crypto Malware

Cryptojacking is the act of using crypto malware to use someone else’s computer for cryptomining illegally. It is usually done in the two ways described below.

In some cases, victims are tricked into installing a malicious cryptomining code into their computers through phishing-like tactics. The users receive a legitimate-looking email that encourages them to click a link. The link runs the code that installs the cryptomining script onto their computers. The script runs in the background every time the victims use their computers.

In other cases, cybercriminals inject a malicious script into a vulnerable website or ad that gets delivered to multiple sites. The script automatically runs when victims visit the infected website, or the infected ad pops up in their browsers. In this scenario, the malicious code does not get stored in the victims’ computers, making the malware hard if not impossible to detect.

The point is, regardless of the method used, the malicious code solves complex mathematical problems on victims’ computers and sends the solutions to a hacker-controlled server.

You can learn more about cryptojacking in this definition.

Infamous Crypto Malware throughout the Years

We have seen various crypto malware make their way into victims’ computers over time. Some have gained infamy, such as:

  • PowerGhost: Known to infect corporate networks primarily in countries like India, Turkey, Brazil, and Colombia so that cybercriminals can get the biggest bang for their buck.
  • Graboid: The first crypto malware with wormlike capabilities that allow it to spread through unprotected containers in virtual networks. It has infected more than 2,000 Docker deployments by October 2019.
  • MinerGate: Notorious for its evasion tactic of halting its operation when the victim’s computer is in use. It detects mouse movements and pauses mining activities to avoid discovery.
  • BadShell: Uses Windows processes to evade detection. It uses PowerShell to inject the malware into running processes, Task Scheduler to keep running, and registries to store the malware’s binary code.
  • Facexworm: A malicious Chrome extension that uses Facebook Messenger to infect users’ computers. While it was initially an adware dropper, it now targets cryptocurrency exchanges and delivers malicious cryptomining code.
  • WinstarNssmMiner: Known for crashing a victim’s computer if it is removed.
  • CoinMiner: Notorious for seeking out and halting running cryptocurrency mining processes (if the victim is into mining, that is) so it can execute and deliver coins to its operator.


While cryptocurrency mining is not illegal, doing it using someone else’s computer or server is a malicious act. Spreading and profiting from infecting users’ computers with crypto malware can be considered a cybercrime and is punishable by law.