
Cryptocurrency service found

What has been found

Cryptocurrency service found.

A cryptocurrency service was found. This may be a sign of cryptojacking, where your infrastructure is being abused to mine cryptocurrencies.

Why this is a potential risk

The presence of a cryptocurrency service poses several risks:

  • Resource Abuse: Mining consumes significant CPU/GPU cycles, electricity, and bandwidth. This degrades performance of legitimate business operations and can increase infrastructure costs.

  • Indicator of Compromise: Unauthorised mining services often signal a deeper system compromise. Attackers who deploy cryptojacking software may also establish persistence mechanisms, backdoors, or privilege escalation tools.

  • Expanded Attack Surface: Exposed mining services can act as entry points for additional attacks, including ransomware deployment, data exfiltration, and lateral movement across the network.

  • Detection Evasion: Cryptojacking malware often uses stealth techniques (e.g., throttling usage, masquerading as legitimate processes) that make it harder to detect, delaying response and remediation.

  • Reputation and Compliance Risk: If services are exposed to the internet, attackers may leverage them for illicit purposes, potentially implicating the organization in money laundering or regulatory violations (e.g., FATF VASP guidance).

An unauthorised cryptocurrency service is both a direct operational drain and a red flag for a broader security breach.

Potential solutions/Improvements

If the cryptocurrency service was not intentionally deployed as part of business operations, treat the system as potentially compromised and activate the incident response process.

Immediate actions

  • Isolate the affected host to prevent lateral movement and contain any ongoing cryptojacking or exfiltration.

  • Terminate the unauthorised service and remove associated processes, scheduled tasks, and persistence mechanisms.

  • Collect forensic evidence (logs, memory dumps, binary samples) before remediation to support root cause analysis and potential regulatory reporting.

Remediation steps

  • Rebuild from a trusted baseline: For high-confidence recovery, rebuild or reimage the system rather than attempting piecemeal cleanup.

  • Patch and harden: Apply OS and application updates; close unnecessary ports/services; enforce secure configuration baselines.

  • Strengthen access controls: Rotate credentials, enforce multi-factor authentication, and review privileged account activity.

  • Deploy detection and monitoring: Ensure EDR/XDR solutions, SIEM alerts, and anomaly detection are tuned to identify cryptojacking patterns (e.g., abnormal CPU/GPU usage, unauthorised mining pools).
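The detection patterns named above (abnormal CPU usage, connections to mining pools, and the throttling and process masquerading described under "Detection Evasion") can be expressed as a small triage routine over host telemetry. The following is an added example written for this page, not code from the advisory's authors or from any scanner product. It assumes two constructed inputs a defender typically already collects: per-process CPU samples with the binary path and command line, and outbound connections with the first bytes of payload. The allowlist of expected binary directories, the pool port set and all sample records are constructed placeholders; the Stratum JSON-RPC method names are the real ones used by pool clients.

```python
"""Heuristic cryptojacking triage over constructed host telemetry (added example)."""
import json
import re
from dataclasses import dataclass

# Stratum (mining pool) protocol is JSON-RPC over TCP; one of these method names
# appears in the first message a miner sends to its pool.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)

# Constructed allowlist: process name -> directory its binary is expected to live in.
EXPECTED_PATHS = {"sshd": "/usr/sbin", "postgres": "/usr/lib/postgresql", "java": "/usr/lib/jvm"}

# Constructed set of ports commonly used by pools; tune to your environment.
SUSPECT_POOL_PORTS = {3333, 4444, 14444}


@dataclass
class Process:
    pid: int
    name: str
    path: str
    cmdline: str
    cpu_samples: list  # percent CPU over successive sampling intervals


@dataclass
class Connection:
    pid: int
    dst_host: str
    dst_port: int
    first_payload: bytes


def sustained_cpu(proc, threshold=70.0, min_samples=5):
    """True when every one of the last min_samples samples is above threshold (not a spike)."""
    s = proc.cpu_samples[-min_samples:]
    return len(s) >= min_samples and min(s) >= threshold


def looks_throttled(proc, low=25.0, high=60.0, min_samples=8, spread=5.0):
    """A miner that throttles itself shows a flat, mid-range load that never varies."""
    s = proc.cpu_samples[-min_samples:]
    return len(s) >= min_samples and low <= min(s) and max(s) <= high and (max(s) - min(s)) <= spread


def masquerading(proc):
    """Known process name running from somewhere other than its expected directory."""
    expected = EXPECTED_PATHS.get(proc.name)
    return expected is not None and not proc.path.startswith(expected)


def stratum_payload(payload):
    """True if the first line of the payload is a Stratum JSON-RPC request."""
    try:
        msg = json.loads(payload.decode("utf-8", errors="replace").splitlines()[0])
    except (ValueError, IndexError):
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def severity(reasons):
    """Network evidence of a pool session is decisive; host-only signals need corroboration."""
    if any(r.startswith("stratum") for r in reasons):
        return "high"
    return "medium" if len(reasons) >= 2 else "low"


def triage(processes, connections):
    """Return {pid: (severity, [reasons])} for every process with at least one signal."""
    conns_by_pid = {}
    for c in connections:
        conns_by_pid.setdefault(c.pid, []).append(c)
    findings = {}
    for p in processes:
        reasons = []
        if sustained_cpu(p):
            reasons.append("sustained high CPU")
        if looks_throttled(p):
            reasons.append("flat mid-range CPU (possible throttled miner)")
        if masquerading(p):
            reasons.append(f"{p.name} running from unexpected path {p.path}")
        if STRATUM_URL.search(p.cmdline):
            reasons.append("stratum pool URL in command line")
        for c in conns_by_pid.get(p.pid, []):
            if stratum_payload(c.first_payload):
                reasons.append(f"stratum handshake to {c.dst_host}:{c.dst_port}")
            elif c.dst_port in SUSPECT_POOL_PORTS:
                reasons.append(f"outbound to common pool port {c.dst_port}")
        if reasons:
            findings[p.pid] = (severity(reasons), reasons)
    return findings


# Constructed sample telemetry: a busy but legitimate database, a throttled miner
# posing as sshd out of /tmp, and an idle application server.
SAMPLE_PROCESSES = [
    Process(1001, "postgres", "/usr/lib/postgresql/15/bin/postgres", "postgres -D /var/lib/postgresql", [80, 85, 90, 82, 88]),
    Process(2002, "sshd", "/tmp/.x/sshd", "sshd -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER", [45, 47, 46, 48, 45, 46, 47, 46]),
    Process(3003, "java", "/usr/lib/jvm/bin/java", "java -jar app.jar", [10, 15, 12, 11, 9]),
]
SAMPLE_CONNECTIONS = [
    Connection(2002, "pool.example.invalid", 3333, b'{"id":1,"method":"mining.subscribe","params":[]}\n'),
    Connection(3003, "db.internal.example", 5432, b"\x00\x00\x00\x08\x04\xd2\x16/"),
]

if __name__ == "__main__":
    for pid, (sev, reasons) in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS).items():
        print(pid, sev, "; ".join(reasons))
```

The routine deliberately rates a lone high-CPU process as "low": a database under load looks the same on that signal alone, and tuning CPU thresholds without a second signal is what produces the false positives that get cryptojacking alerts switched off. The throttling check is the counterpart: a self-limiting miner never trips the high-CPU rule, so a flat mid-range load from a process with no reason to be steady is itself worth a look.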

Verification

  • Perform an external vulnerability scan to confirm the service is no longer accessible.

  • Review firewall and ACL configurations to ensure exposure is restricted to trusted networks.

  • Validate that logging and monitoring are in place and producing alerts on anomalous resource usage.

  • Run a threat hunt for Indicators of Compromise (IoCs) linked to known cryptojacking malware.

  • Conduct a post-incident review to identify gaps in detection, response, or patching processes.
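The first verification step, confirming from outside that the service no longer accepts connections, can be scripted so it is repeatable after every firewall or ACL change. The following is an added example written for this page, not a tool from the advisory's authors; it assumes you hold a list of (host, port) pairs that the scanner reported and that should now be closed. The target hosts in the usage block are placeholders, and `self_check()` stands up a local listener so the routine can be exercised without any external host.

```python
"""Re-check that previously exposed service ports are no longer reachable (added example)."""
import socket


def port_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failure
        return False


def still_exposed(targets, timeout=3.0):
    """Given (host, port) pairs that should be closed, return the ones still accepting connections."""
    return [(host, port) for host, port in targets if port_reachable(host, port, timeout)]


def self_check():
    """Exercise the check against a throwaway local listener: reachable while open, not after close."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = port_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder targets: replace with the host/port pairs from the scanner finding.
    targets = [("host.example.invalid", 3333), ("host.example.invalid", 8080)]
    exposed = still_exposed(targets)
    print("still reachable:", exposed if exposed else "none")
    print("self-check (open, closed):", self_check())
```

Run it from a network position equivalent to the scanner's (outside the trusted network), not from the host itself, otherwise a host-based firewall rule that only blocks external sources will make the port look closed. An empty result is one piece of evidence; it does not replace the full external scan, which also catches the service coming back on a different port.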

External references