Cloud Cryptojacking
What is Cloud Cryptojacking?
Cloud Cryptojacking: Unauthorized use of a victim's cloud compute resources to mine cryptocurrency, generating costly bills while the attacker earns the rewards.
Cloud cryptojacking is the abuse of compromised cloud accounts, exposed credentials, vulnerable containers, or insecure CI/CD pipelines to spin up compute resources that mine Monero or other ASIC-resistant coins. Attackers prefer large GPU or burstable instances and often deploy XMRig inside Kubernetes pods or serverless functions to blend in with legitimate workloads. The financial impact falls on the victim, who pays for the consumed CPU, GPU, and egress, sometimes accruing tens of thousands of dollars in hours. Detection relies on cost anomaly alerts, CPU saturation metrics, outbound traffic to mining pools, and CSPM rules; prevention focuses on least-privilege IAM, MFA, secret scanning, and image signing.
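The detection signals named above (CPU saturation, outbound traffic to mining pools, cost anomalies) are more reliable when correlated per instance than when alerted on individually. The following is an added example, not part of the original glossary entry; the telemetry field names, thresholds, instance names and sample records are assumptions constructed for illustration.

```python
import json
from statistics import median

# Stratum JSON-RPC handshake methods: XMRig opens with "login"; classic
# Stratum pools expect "mining.subscribe" / "mining.authorize".
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}

def is_stratum(payload: bytes) -> bool:
    """True if the first line of a cleartext egress payload is a Stratum handshake."""
    try:
        msg = json.loads(payload.split(b"\n", 1)[0])
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS

def cpu_saturated(samples, threshold=90.0, min_run=6):
    """True if CPU% holds at or above threshold for min_run consecutive samples."""
    run = 0
    for pct in samples:
        run = run + 1 if pct >= threshold else 0
        if run >= min_run:
            return True
    return False

def cost_anomaly(hourly_cost, k=5.0):
    """True if the latest hour exceeds median + k * MAD of the earlier hours."""
    *history, latest = hourly_cost
    med = median(history)
    mad = median(abs(c - med) for c in history) or 0.01  # floor for flat baselines
    return latest > med + k * mad

def triage(instances):
    """Return {instance_id: [signals]} for instances showing two or more signals."""
    findings = {}
    for iid, t in instances.items():
        checks = {
            "cpu_saturation": cpu_saturated(t["cpu"]),
            "stratum_egress": any(is_stratum(p) for p in t["egress"]),
            "cost_anomaly": cost_anomaly(t["hourly_cost"]),
        }
        signals = [name for name, hit in checks.items() if hit]
        if len(signals) >= 2:
            findings[iid] = signals
    return findings

# Constructed telemetry, not real data; field names are assumptions.
LOGIN = b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER"}}\n'
SAMPLE = {
    "i-miner": {"cpu": [99] * 8, "egress": [LOGIN], "hourly_cost": [0.4, 0.4, 0.5, 0.4, 3.1]},
    "i-batch": {"cpu": [92] * 8, "egress": [b"GET / HTTP/1.1\r\n"], "hourly_cost": [1.2, 1.1, 1.3, 1.2, 1.2]},
    "i-runner": {"cpu": [95, 97, 40, 96, 30, 20], "egress": [b"\x16\x03\x01\x02\x00"], "hourly_cost": [0.2, 0.2, 0.2, 0.2]},
}
```

The payload check only sees cleartext Stratum; when the miner wraps its pool connection in TLS, the CPU and cost signals have to carry the detection. Requiring two signals keeps a legitimately busy batch node (`i-batch` in the sample) from being flagged.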
● Examples
- 01. Leaked AWS keys used to launch a fleet of GPU EC2 instances running XMRig.
- 02. A compromised CI runner that mines Monero between legitimate builds.
● Frequently asked questions
What is Cloud Cryptojacking?
Unauthorized use of a victim's cloud compute resources to mine cryptocurrency, generating costly bills while the attacker earns the rewards. It belongs to the Cloud Security category of cybersecurity.
What does Cloud Cryptojacking mean?
Unauthorized use of a victim's cloud compute resources to mine cryptocurrency, generating costly bills while the attacker earns the rewards.
How does Cloud Cryptojacking work?
Cloud cryptojacking is the abuse of compromised cloud accounts, exposed credentials, vulnerable containers, or insecure CI/CD pipelines to spin up compute resources that mine Monero or other ASIC-resistant coins. Attackers prefer large GPU or burstable instances and often deploy XMRig inside Kubernetes pods or serverless functions to blend in with legitimate workloads. The financial impact falls on the victim, who pays for the consumed CPU, GPU, and egress, sometimes accruing tens of thousands of dollars in hours. Detection relies on cost anomaly alerts, CPU saturation metrics, outbound traffic to mining pools, and CSPM rules; prevention focuses on least-privilege IAM, MFA, secret scanning, and image signing.
How do you defend against Cloud Cryptojacking?
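Defences for Cloud Cryptojacking typically combine technical controls and operational practices, as detailed in the full definition above: prevention through least-privilege IAM, MFA, secret scanning, and image signing, and detection through cost anomaly alerts, CPU saturation metrics, monitoring of outbound traffic to mining pools, and CSPM rules.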
What are other names for Cloud Cryptojacking?
Common alternative names include: Cloud crypto mining abuse, Resource-jacking.
● Related terms
- Cloud Key Leak (cloud-security, № 186): Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- IAM Privilege Escalation (cloud-security, № 505): Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- Kubernetes Cluster Attack (cloud-security, № 598): An intrusion against a Kubernetes (K8s) cluster that abuses exposed APIs, weak RBAC, or vulnerable workloads to gain control of the control plane or worker nodes.
- Container Escape (cloud-security, № 211): An exploit that breaks the isolation boundary between a container and its host, giving the attacker code execution on the underlying node or kernel.
- CSPM Finding (cloud-security, № 255): An alert produced by a Cloud Security Posture Management tool when a cloud resource violates a security benchmark, policy, or compliance rule.