How to detect crypto mining in your organization?

In this article, we show what symptoms should draw the attention of IT teams, how to detect such activities in network traffic, and what their analysis looks like in practice using Sycope.

Author: Paweł Drzewiecki
Cryptocurrency mining in a corporate environment blatantly violates security policies — regardless of whether it is performed by an employee or a cybercriminal. As a result, the infrastructure begins working for someone else’s profit, generating costs and loads that are difficult to immediately link to a specific cause. In this article, we show what symptoms should draw the attention of IT teams, how to detect such activities in network traffic, and what their analysis looks like in practice using Sycope.

What is cryptojacking?

Cryptojacking is a situation in which someone uses company computing resources to mine cryptocurrencies without the organization's consent. In practice, this means launching, on a workstation, a server, or sometimes in a cloud environment, a process whose sole purpose is to perform calculations for a "mining pool" and transmit the results externally. The key word here is "unauthorized": it does not matter whether the activity is carried out by a cybercriminal or by an employee who installs a miner on company equipment "just for a while."

From the organization’s perspective, cryptojacking is primarily an operational and cost problem, and only later a technical one. It consumes CPU and GPU power, can saturate memory and I/O, and as a result reduces the performance of business services, shortens hardware lifespan, and increases energy consumption. In the cloud, the consequences are even more tangible because they translate into bills: instances run at higher capacity, autoscaling provisions additional resources, and costs rise even though from a business perspective “nothing has changed.”

It is also worth clearly distinguishing cryptojacking from legitimate, controlled load testing. Here, we are not talking about planned use of computing power within a project, but about hidden or policy-noncompliant use of company infrastructure for private gain. Therefore, in many organizations cryptojacking is treated similarly to resource abuse, and in a malware scenario as part of a broader incident in which the miner may be only the "visible tip" of the problem.

Unauthorized mining on someone else's infrastructure may also have criminal consequences. In Poland, for example, it may constitute a violation of Article 267 of the Criminal Code (unauthorized access to an IT system) or Article 268a of the Criminal Code (disruption of an IT system); other jurisdictions have comparable provisions.

The most common symptoms in an organization

Cryptojacking very rarely manifests itself in an unambiguous way. Unlike ransomware or system failures, it does not cause an immediate halt to operations. Instead, symptoms appear that can easily be mistaken for ordinary performance issues, aging hardware, or temporary overloads.

Therefore, in practice SOC and NOC teams most often encounter not a single alarming signal, but a set of minor irregularities that initially seem unrelated.

The most common symptoms include:

  • a sudden and long-term increase in CPU or GPU load, visible both on workstations and servers, even though users are not performing operations requiring high computing power; it is characteristic that the high load persists also outside working hours,

  • slowdown of systems and applications, especially those sharing resources with other services; users report slower system performance, but application monitoring does not indicate a clear cause,

  • excessive hardware overheating and louder fan operation, which is particularly noticeable on workstations and laptops that previously operated stably under similar load,

  • the appearance of unknown or suspiciously named processes, often impersonating system components or launched from unusual locations; these processes may restart after termination or run under different names,

  • increased resource consumption in cloud environments, where instances begin operating under higher load or autoscaling mechanisms launch additional resources without changes on the application side,

  • unusual device activity outside working hours, when infrastructure generates similar load at night, on weekends, or holidays, even though the organization does not conduct intensive operations at that time.

However, the key point is that a single symptom does not yet indicate cryptojacking. High CPU usage may result from a system update, backup, or new application tasks. Only a set of several symptoms occurring simultaneously should prompt a more detailed analysis.

In practice, it is precisely such “minor anomalies,” noticed in different parts of the infrastructure, that often turn out to be the first signal that part of the environment has begun working for someone else’s profit instead of the organization’s needs.

How cryptocurrency mining can be detected in an organization

Although the first symptoms of cryptojacking are most often noticeable at the workstation or server level, the most reliable signals appear in network traffic. Even if malicious software effectively hides in the operating system or limits resource consumption, it still must communicate with external infrastructure responsible for the mining process.

And this is where the advantage of network analysis appears. A process running locally can be disguised, renamed, or launched only periodically, but network communication cannot be completely hidden. Every miner must constantly exchange data with servers managing the mining process, which creates repetitive and relatively easy-to-notice traffic patterns.

In practice, SOC and NOC teams should pay particular attention to:

  • outbound connections to unusual ports that are not used by standard applications operating in the organization; often these are ports characteristic of mining software, although increasingly traffic is masked as ordinary application traffic,

  • regular communication with servers associated with mining pools, i.e., infrastructure that coordinates the cryptocurrency mining process and to which devices send calculation results,

  • unusual or repetitive DNS queries directed to domains not related to the organization’s normal operations, and which sometimes change very frequently to make traffic blocking more difficult,

  • constant, long-term data transfer generated by a single host that maintains communication with the same addresses for many hours or days, also outside working hours.

Importantly, such traffic is usually not very large. A miner does not need to transmit huge amounts of data, which is why this activity often blends into the background of everyday network communication. Only by looking at connection patterns over a longer period can it be noticed that one device maintains constant, repetitive contact with external infrastructure.

That is why in practice it is said that the network does not lie. Even if at the host level it is difficult to clearly identify the problem, traffic analysis allows quick identification of devices communicating in an unusual way and requiring further verification. This is precisely the point that becomes a natural transition from general observation to specific analysis in tools such as Sycope.
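The four network signals listed above can be turned into a hunting query over flow records. The following is an added example written for this article (it is not Sycope's own code and does not use its query language): it groups internal-to-external flows by client, server and server port, raises one signal per pattern (port on the page's list, the same peer contacted in many distinct hours, a large share of flows outside working hours, persistent but tiny flows) and, in line with the point that a single symptom is not enough, reports a peer only when at least two signals fire. The record field names, thresholds, working hours, RFC 1918 ranges and the sample flows are assumptions constructed for the example.

```python
"""Flow-level hunt for the cryptomining traffic patterns described above.

Added example, not Sycope's own code. It assumes NetFlow/IPFIX-style records
already reduced to dicts (src, dst, dport, ts, bytes); the port list is the
one quoted on this page, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

MINING_PORTS = {3333, 4444, 5555, 6666, 7777, 8888, 9999}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_HOURS = range(7, 19)   # assumption: 07:00-18:59 Mon-Fri is working time
MIN_ACTIVE_HOURS = 6        # same peer contacted in this many distinct hours
OFF_HOURS_SHARE = 0.3       # share of flows outside working time
SMALL_FLOW_BYTES = 5_000    # share submissions and keepalives are tiny
MIN_FLOWS = 10


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def aggregate(flows):
    """Group internal->external flows by (client, server, server port)."""
    peers = defaultdict(lambda: {"flows": 0, "bytes": 0, "hours": set(), "off": 0})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        p = peers[(f["src"], f["dst"], f["dport"])]
        p["flows"] += 1
        p["bytes"] += f["bytes"]
        p["hours"].add(f["ts"].replace(minute=0, second=0, microsecond=0))
        p["off"] += int(off_hours(f["ts"]))
    return peers


def hunt(flows):
    """Score each peer; report only where at least two independent signals fire."""
    findings = []
    for (src, dst, dport), p in aggregate(flows).items():
        reasons = []
        if dport in MINING_PORTS:
            reasons.append(f"destination port {dport} is on the mining-port list")
        if len(p["hours"]) >= MIN_ACTIVE_HOURS:
            reasons.append(f"same peer contacted in {len(p['hours'])} distinct hours")
        if p["off"] / p["flows"] >= OFF_HOURS_SHARE:
            reasons.append(f"{p['off']} of {p['flows']} flows outside working hours")
        if p["flows"] >= MIN_FLOWS and p["bytes"] / p["flows"] < SMALL_FLOW_BYTES:
            reasons.append("persistent but low-volume (keepalive/share-sized flows)")
        if len(reasons) >= 2:   # a single symptom is not enough
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda x: -x["score"])


# --- constructed sample flows (not real traffic) ---------------------------
def _series(src, dst, dport, start, count, step_min, nbytes):
    return [{"src": src, "dst": dst, "dport": dport,
             "ts": start + timedelta(minutes=step_min * i), "bytes": nbytes}
            for i in range(count)]


MONDAY = datetime(2024, 1, 8)
SAMPLE_FLOWS = (
    # workstation talking to one external host on 3333 every 10 min for 24 h
    _series("10.0.0.15", "203.0.113.7", 3333, MONDAY, 144, 10, 1_200)
    # normal HTTPS use during the working day, larger transfers
    + _series("10.0.0.22", "198.51.100.20", 443, MONDAY.replace(hour=9), 96, 5, 50_000)
    # one-off connection to 4444: port hit only, not reported on its own
    + _series("10.0.0.30", "198.51.100.99", 4444, MONDAY.replace(hour=14), 1, 0, 800)
)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} score={hit['score']}")
        for r in hit["reasons"]:
            print("   -", r)
```

Run against the sample, only the 10.0.0.15 peer is reported, with all four signals; the all-day HTTPS session trips the persistence signal alone and the single 4444 connection trips the port signal alone, so neither is flagged. On real exports, the signal thresholds are the first thing to tune, and the port list should be treated as a lead, not a verdict.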

What detection of such activity looks like in Sycope

In practice, detecting traffic related to cryptocurrency mining should not require manual analysis of enormous amounts of network data. Therefore, in Sycope an analyst can easily search for connections that match patterns characteristic of cryptomining, without the need to delve into technical communication details.

The system uses ready-made sets of tags and rules associated with traffic generated by cryptocurrency miners, including lists of ports and characteristic communication types. This makes it possible to immediately identify hosts in the network that generate suspicious traffic, without the need to create custom, complex queries or analyze individual sessions.

Attackers may install cryptocurrency mining applications on compromised hosts, which is one of the consequences of malicious activity. Additionally, installation of such applications may be performed by employees of the organization who want to use free computing power — which usually constitutes a violation of the organization’s security policy.

After identifying such devices, the analyst can immediately check which IP addresses and domains the given hosts communicate with, how long connections are maintained, and whether the traffic is constant and repetitive in nature. This allows quick assessment of whether we are dealing with a real case of cryptojacking or merely unusual but legitimate application activity.

Detection of the MITRE ATT&CK technique

So how exactly can one attempt to detect the Resource Hijacking technique (https://attack.mitre.org/techniques/T1496/), i.e., the MITRE ATT&CK technique related to cryptocurrency mining?

Detection of such activity may be possible by monitoring communication to/from unusual ports, e.g., 3333, 4444, 5555, 6666, 7777, 8888, 9999 (ports commonly used by mining-pool endpoints, but also by other software, so a port hit on its own is only a lead), as well as the reputation of IP addresses and URLs associated with mining pools. Logs and flow data from sources such as network traffic (web proxy, firewall, load balancer, IDS/IPS, NetFlow), DNS logs, application logs, and Sysmon or security logs can therefore be used to detect such activity.
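For the Sysmon part of that data-source list, the following added example (not Sycope's or MITRE's code) shows how T1496 indicators can be correlated per process from exported Sysmon XML: command-line patterns typical of Stratum/XMRig-style miner invocations, a system-component name running from outside its usual location, and an outbound connection to one of the ports above. The events, GUIDs, paths, trusted directories and indicator regexes are assumptions constructed for the example and should be extended with what is observed locally.

```python
"""Correlate Sysmon process-creation (ID 1) and network (ID 3) events per process.

Added example, not Sycope's own code. Command-line indicators are ones the
author is confident appear in Stratum/XMRig-style miner invocations; the port
list is the one quoted on this page; the events below are constructed for the
example and the GUIDs are placeholders.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MINING_PORTS = {3333, 4444, 5555, 6666, 7777, 8888, 9999}
CMDLINE_INDICATORS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),            # pool URL scheme
    re.compile(r"--donate-level", re.I),                    # XMRig option
    re.compile(r"(^|\s)-o\s+\S+:\d{2,5}(\s|$)"),            # -o host:port
    re.compile(r"--(algo|coin)[= ]", re.I),
]
# names a miner may borrow from the OS, and where those binaries legitimately live
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "conhost.exe", "dwm.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_sysmon(xml_text):
    """Turn an <Events> wrapper of exported Sysmon <Event> records into dicts."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        data["EventID"] = int(ev.find("e:System/e:EventID", NS).text)
        events.append(data)
    return events


def analyze(events):
    """Return {ProcessGuid: {image, reasons}} for processes with any indicator."""
    procs = {}
    for e in events:
        p = procs.setdefault(e.get("ProcessGuid", "?"),
                             {"image": e.get("Image", ""), "reasons": []})
        if e["EventID"] == 1:
            cmd = e.get("CommandLine", "")
            for rx in CMDLINE_INDICATORS:
                if rx.search(cmd):
                    p["reasons"].append(f"command line matches {rx.pattern}")
            image = e.get("Image", "").lower()
            name = image.rsplit("\\", 1)[-1]
            if name in SYSTEM_NAMES and not image.startswith(TRUSTED_DIRS):
                p["reasons"].append(f"{name} running from unusual location {image}")
        elif e["EventID"] == 3 and e.get("Initiated", "true").lower() == "true":
            dst = e.get("DestinationIp", "0.0.0.0")
            port = int(e.get("DestinationPort", "0"))
            if port in MINING_PORTS and not ipaddress.ip_address(dst).is_loopback:
                p["reasons"].append(f"outbound connection to {dst}:{port}")
    return {g: p for g, p in procs.items() if p["reasons"]}


# constructed Sysmon export: one miner masquerading as svchost, one real svchost,
# one local Jupyter-style connection to 8888 that must not be reported
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{guid-miner}</Data>
    <Data Name="Image">C:\Users\Public\svchost.exe</Data>
    <Data Name="CommandLine">C:\Users\Public\svchost.exe -o pool.example.net:3333 -u 48abc -p x --donate-level=1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{guid-miner}</Data>
    <Data Name="Image">C:\Users\Public\svchost.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">203.0.113.7</Data>
    <Data Name="DestinationPort">3333</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{guid-svchost}</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="CommandLine">C:\Windows\System32\svchost.exe -k netsvcs -p</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{guid-notebook}</Data>
    <Data Name="Image">C:\Python312\python.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">127.0.0.1</Data>
    <Data Name="DestinationPort">8888</Data>
  </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for guid, p in analyze(parse_sysmon(SAMPLE_EVENTS)).items():
        print(guid, p["image"], len(p["reasons"]), "indicator(s)")
        for r in p["reasons"]:
            print("   -", r)
```

Keying on ProcessGuid rather than on the image name is what lets the command-line evidence from event 1 and the connection from event 3 land on the same process; a detection that looks at each event in isolation sees only weak single signals.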

In the Sycope NSM system, you can use the following query to search for such activities in network traffic:

lookupKeyExists("sec-port-cryptomining", {"Port": serverPort }) or lookupKeyExists("sec-port-cryptomining", {"Port": clientPort })

Figure 1. Lookups containing ports related to crypto mining activity

Figure 2. Analysis of potential crypto mining activity in the Sycope NSM system

As you can see, analysis of this type of activity is simple and fast — especially if we have the appropriate tool for creating quick threat hunting queries. The most important aspect of this approach is that the path from the first suspicion to identifying a specific device usually takes only a few minutes. Thanks to this, the SOC or NOC team can quickly proceed to further host analysis and risk mitigation, instead of wasting time manually searching logs from many different systems.

What an organization should do if it detects such behavior

Detection of traffic indicating cryptocurrency mining does not necessarily mean a serious security incident, but it should always trigger a basic verification procedure. The key is to quickly limit resource usage and determine whether we are dealing with a single case of abuse or part of a larger security problem.

In practice, the first actions usually come down to several steps that allow the situation to be quickly stabilized and the necessary information for further analysis to be gathered.

Disconnect or limit communication of the suspicious host

If a device generates traffic characteristic of a cryptocurrency miner, it is worth temporarily isolating it from the network or at least limiting outbound traffic. This does not necessarily mean immediately shutting down the system, but rather stopping further resource usage and potential communication with external infrastructure. At the same time, it is advisable to preserve the possibility of analyzing the system in its current state before it is restarted or modified.

Check processes and running services on the device

The next step should be verification of what is actually running on the given host. It is worth checking the list of active processes, scheduled tasks, and services launched automatically at system startup. Miners often try to hide under names resembling system components or user applications, so it is important to pay attention to processes running from unusual locations or generating constant processor load.

Inform appropriate teams or persons responsible for security

Even if the problem seems local, the information should reach teams responsible for security and infrastructure administration. This makes it possible to check whether similar symptoms are already appearing in other network segments, locations, or cloud environments. In many cases, only after combining information from different parts of the organization does it turn out that the problem affects a larger number of devices.

Verify security policies and user permissions

The last, but very important step is to check how the mining software appeared in the environment. Was the user able to install applications independently? Was the device properly updated? Is administrative access not granted too broadly? Such analysis helps reduce the risk of a similar situation recurring in the future.
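For the process check in the steps above, the following added example (not Sycope's code) is a first-pass triage script for a suspected Linux host: it parses /proc/net/tcp, maps socket inodes back to the owning process through /proc/<pid>/fd, flags established connections to the ports named in this article, and flags processes whose binary runs from a user-writable directory, has been deleted from disk, or has used most of a core since it started. The directory list, the CPU threshold and the embedded /proc/net/tcp excerpt are assumptions constructed for the example; run it as root for a complete view, and run it before the host is rebooted or modified, as the isolation step advises.

```python
"""First-pass triage of a suspected Linux host via /proc.

Added example, not Sycope's code. Parsing and scoring are pure functions so
they can be exercised on constructed input; live_triage() feeds them from the
real /proc tree. Directory list and thresholds are assumptions to tune.
"""
import os

MINING_PORTS = {3333, 4444, 5555, 6666, 7777, 8888, 9999}   # list quoted on this page
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
HIGH_CPU_SHARE = 0.8   # >= 80 % of one core, averaged since process start


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp; addresses are little-endian hex on x86 (see sample)."""
    conns = []
    for line in text.splitlines()[1:]:              # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rem_hex, port_hex = f[2].split(":")
        ip = ".".join(str(int(rem_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        conns.append({"remote_ip": ip, "remote_port": int(port_hex, 16),
                      "established": f[3] == "01", "inode": f[9]})
    return conns


def socket_owners(fd_links):
    """{pid: [readlink targets of /proc/pid/fd/*]} -> {socket inode: pid}."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owners[t[8:-1]] = pid
    return owners


def connection_reasons(conns, owners):
    """{pid: [reasons]} for established sessions to mining ports, via socket inode."""
    out = {}
    for c in conns:
        if (c["established"] and c["remote_port"] in MINING_PORTS
                and not c["remote_ip"].startswith("127.")):
            pid = owners.get(c["inode"])
            if pid is not None:
                out.setdefault(pid, []).append(
                    f"established connection to {c['remote_ip']}:{c['remote_port']}")
    return out


def process_reasons(exe, cpu_share):
    """Host-side symptoms from the article: odd location, vanished binary, constant load."""
    reasons = []
    if exe.endswith(" (deleted)"):
        reasons.append("binary deleted from disk while the process keeps running")
    if exe.startswith(WRITABLE_DIRS):
        reasons.append(f"runs from user-writable location {exe}")
    if cpu_share >= HIGH_CPU_SHARE:
        reasons.append(f"average CPU share since start {cpu_share:.0%}")
    return reasons


def live_triage(proc="/proc"):
    """Walk the real /proc tree and merge process and socket evidence per pid."""
    hz = os.sysconf("SC_CLK_TCK")
    with open(f"{proc}/uptime") as fh:
        uptime = float(fh.read().split()[0])
    fd_links, findings = {}, {}
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/stat") as fh:
                st = fh.read().rsplit(")", 1)[1].split()   # fields after "(comm)"
            cpu_ticks = int(st[11]) + int(st[12])            # utime + stime
            age = max(uptime - int(st[19]) / hz, 1e-6)       # starttime -> seconds alive
            fd_dir = f"{proc}/{pid}/fd"
            fd_links[pid] = []
            for fd in os.listdir(fd_dir):
                try:
                    fd_links[pid].append(os.readlink(f"{fd_dir}/{fd}"))
                except OSError:
                    pass                                      # fd closed meanwhile
        except OSError:
            continue                                          # exited, or not root
        reasons = process_reasons(exe, cpu_ticks / hz / age)
        if reasons:
            findings[pid] = reasons
    with open(f"{proc}/net/tcp") as fh:
        conns = parse_proc_net_tcp(fh.read())
    for pid, reasons in connection_reasons(conns, socket_owners(fd_links)).items():
        findings.setdefault(pid, []).extend(reasons)
    return findings


# constructed /proc/net/tcp excerpt: 10.0.0.15 -> 203.0.113.7:3333 and -> 198.51.100.20:443
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F00000A:B3A4 077100CB:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
   1: 0F00000A:A1B2 146433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 45690 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for pid, reasons in sorted(live_triage().items(), key=lambda kv: -len(kv[1])):
        print(pid, "; ".join(reasons))
```

The script deliberately stops at processes and sockets: it does not enumerate cron entries, systemd units or shell profiles, so once a process is flagged, search those locations for its executable path separately to find how it is kept alive across reboots. IPv6 sessions live in /proc/net/tcp6 and need a 32-hex-digit address parser that this example does not include.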

This basic checklist does not replace a full incident response procedure, but in most cases it allows quick determination of the scale of the problem and deciding whether further, more detailed security analysis is needed.

FAQ — the most common questions about cryptojacking in an organization

Can an employee legally mine cryptocurrencies on a company computer if it does not cause problems?

In most organizations, the answer is: no. Even if the user claims that the miner does not affect system performance, it still means using company resources for private purposes without the employer’s consent.

Additionally, even a small but constant load translates into higher energy consumption, faster hardware wear, and potential security risk, because mining software often communicates with external infrastructure over which the organization has no control. For this reason, installing such tools usually violates equipment usage regulations and security policies.

Which ports are most often used by cryptocurrency miners?

In practice, traffic is often encountered on ports such as 3333, 4444, 5555, or 7777, which are historically associated with popular cryptocurrency mining software.

The problem, however, is that modern tools and malware increasingly use other ports or tunnel traffic through standard services to make detection more difficult. Therefore, observing the port number alone is not sufficient to clearly determine the problem. It is much more important to analyze communication patterns and the persistence of outbound connections.

Is a classic antivirus sufficient to detect cryptojacking?

Sometimes yes, especially when known mining software or malware recognized by up-to-date signature databases is used. The problem is that many modern miner variants operate in a way that makes detection difficult or use legitimate system tools to launch mining processes.

Therefore, in practice it is more effective to combine information from endpoints with network traffic analysis. Even if a process on the host is not immediately recognized as a threat, its communication with mining infrastructure leaves clear traces in the network.

Does cryptocurrency mining always mean an attack on the organization?

Not always. In some cases, the source of the problem turns out to be an employee who independently installs a miner on company equipment or uses server resources for private purposes.

From the organization’s point of view, however, the effect is similar — infrastructure resources are used in an unauthorized manner, which generates costs and increases operational risk. Additionally, such activities may mask other security problems or make their detection more difficult.

What should I do if I detect cryptocurrency mining in my organization?

The most important thing is to quickly limit the risk and determine the source of the problem. First of all, it is worth:

  • isolating the suspicious device or limiting its network communication,

  • checking processes and installed software,

  • analyzing system and network logs to determine when the activity began,

  • verifying how the software entered the environment,

  • and updating policies and safeguards to prevent similar situations in the future.

Such actions usually allow quick determination of whether the problem concerns a single device or a broader part of the infrastructure.

Cryptojacking has become a real, everyday operational problem, but with visibility into network traffic it can be detected quickly, before it has a measurable effect on infrastructure performance and costs. The Sycope platform makes it possible to do this in a simple and fast way, enabling SOC and NOC teams to move efficiently from the first signal to identifying the specific source of the problem.
