Cryptojacking Alert: 3,500+ Websites Secretly Mining Monero – How to Stay Safe
Stealth cryptojacking campaign hijacks over 3,500 websites to mine Monero cryptocurrency
A large-scale cryptojacking campaign has infected more than 3,500 websites worldwide with hidden scripts that mine cryptocurrency. This signals a resurgence of browser-based attacks that stealthily abuse visitors’ computing resources to generate Monero, cybersecurity researchers revealed this week.
The sophisticated operation, discovered by cybersecurity firm C/side, marks a new evolution in cryptojacking techniques. Instead of the aggressive and easily detectable methods of the past, attackers now prioritize stealth and durability. Unlike traditional malware that steals passwords or holds files hostage for ransom, this campaign quietly uses a fraction of users’ computing power, without their knowledge or consent.
Advanced evasion techniques
What distinguishes this campaign from previous attempts is its sophisticated strategy to remain undetected. According to the C/side report published Friday, the malware deliberately stays under the radar and limits its use of system resources to avoid suspicion or security scans.
The attackers have clearly learned from the mistakes of previous cryptojacking campaigns, such as the infamous Coinhive service, which peaked in 2017 but was shut down in 2019. While older miners often consumed significant CPU power and quickly drained batteries, this new generation follows a “stay low, mine slow” philosophy, as researchers describe it.
By minimizing CPU usage and concealing network traffic within WebSocket streams, the classic signs of cryptojacking are circumvented. The malware is hidden within obfuscated JavaScript code that triggers a miner whenever someone visits an infected website. It uses advanced web technologies, including WebAssembly and WebSocket communication, to ensure persistent presence and complicate detection.
Reuse of existing infrastructure
Security researchers monitoring the campaign suspect the attackers are reusing existing infrastructure from previous cyberattacks. In particular, websites previously targeted by Magecart campaigns, which stole payment data from e-commerce sites, appear to have been targeted again.
“These groups likely still have thousands of compromised WordPress sites and online stores thanks to previous Magecart operations,” an anonymous information security researcher told Decrypt. “Adding the miner was a breeze; they simply added an additional script to load the obfuscated JavaScript using existing access.”
According to C/side, most infected websites are located in Europe and Southeast Asia, with a noticeable concentration of outdated WooCommerce webshops, local news websites, and municipal portals. The campaign demonstrates how vulnerable poorly maintained websites remain.
This approach allows cybercriminals to monetize previously hacked websites by converting that dormant access into a steady stream of cryptocurrency. This signals a shift toward long-term strategies rather than short, aggressive attacks.
Technical operation
Once a user visits an infected site, the script silently analyzes the device’s processing power. It then activates parallel web workers that initiate the mining process.
The miner uses WebAssembly for efficient code execution in the browser and connects to command-and-control servers via WebSockets or encrypted HTTPS requests. This infrastructure ensures that mining tasks are distributed and results are returned without leaving any traces. Because the script uses minimal CPU and bandwidth, users barely notice anything—a subtle but effective form of theft.
C/side estimates that the campaign generates approximately 0.3 XMR per infected website per day. With more than 3,500 infected sites, that equates to a potential weekly revenue of over $125,000 — completely invisible to both the website owner and the visitor.
Monero as favorite cryptocurrency
The attackers deliberately chose to mine Monero (XMR) — a cryptocurrency known for its strong privacy features and difficult-to-trace transactions. Monero is optimized for mining on commodity processors and doesn’t require specialized graphics cards or ASICs, making it ideal for browser-based mining via compromised websites.
Thanks to built-in anonymity (such as ring signatures and stealth addresses), Monero transactions are extremely difficult for law enforcement to trace, making it attractive to cybercriminals.
Impact on users and website owners
While this malware isn’t aimed at stealing digital wallets or personal data, its impact remains significant. For users, it leads to unwanted use of their computing power, increased power consumption, and, over time, potentially accelerated hardware wear and tear. The consequences are subtle but cumulative.
For website owners, the damage is more severe: they risk reputational loss, legal liability, and blacklisting by search engines or antivirus companies. For example, Google automatically detects many cryptojacking scripts, resulting in compromised websites being lowered in search rankings or even disappearing from search results — leading to a loss of traffic, advertising, and customer trust.
Cryptojacking: Resurgence of a Well-Known Threat
Cryptojacking first came to the public’s attention in 2017, when Coinhive offered website owners a legal alternative to advertising through voluntary crypto mining by visitors. However, the concept was quickly abused by malicious actors who embedded mining code on millions of websites without permission.
After Coinhive closed, reports of cryptojacking decreased, but the phenomenon never completely disappeared. The current campaign demonstrates that the threat is alive and well, and more technical and subtle than ever before.
In legal circles, the debate about the responsibility of website owners is growing. In 2023, for example, a court in Germany ruled that a webmaster remains liable for malware on their domain—even if it was unknowingly placed by a third party.
Difficult to detect, difficult to eradicate
The modern techniques used in this campaign make it extremely difficult for traditional security software to detect the malware. The low resource demands, the use of obfuscated scripts, and the deployment of WebAssembly and WebSockets prevent many traditional antivirus and firewall solutions from recognizing the threat.
Website owners are strongly advised to keep their CMS systems, plugins, and themes up-to-date, install real-time monitoring, and perform penetration tests. For regular users, browser extensions (such as NoCoin or minerBlock) are available that block browser mining scripts.
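The behaviour described under "Technical operation" (a probe of the device's processing power, parallel web workers, WebAssembly, a WebSocket channel) can be recorded at runtime even when the script source is obfuscated. The sketch below is an added example, not code from C/side or the campaign; the names `installMinerMonitor` and `stubWindow`, the threshold of two workers and the stub window are assumptions made for illustration.

```javascript
// Added example, not code from the C/side report. Wraps the browser APIs the
// article names so miner-like behaviour is recorded even when the script
// source is obfuscated. `win` is a window-like object (assumed name).
function installMinerMonitor(win) {
  const seen = { cpuProbe: 0, workers: 0, wasm: 0, sockets: [] };
  // Reads of navigator.hardwareConcurrency: the "processing power" probe.
  const cores = win.navigator.hardwareConcurrency;
  Object.defineProperty(win.navigator, "hardwareConcurrency", {
    configurable: true,
    get() { seen.cpuProbe++; return cores; },
  });
  // Constructors are wrapped in a Proxy so `new` and instanceof keep working.
  const hookCtor = (owner, name, onNew) => {
    if (typeof owner[name] !== "function") return;
    owner[name] = new Proxy(owner[name], {
      construct(target, args, newTarget) {
        onNew(args);
        return Reflect.construct(target, args, newTarget);
      },
    });
  };
  hookCtor(win, "Worker", () => seen.workers++);
  hookCtor(win, "WebSocket", (args) => seen.sockets.push(String(args[0])));
  hookCtor(win.WebAssembly, "Module", () => seen.wasm++);
  for (const fn of ["instantiate", "instantiateStreaming", "compile"]) {
    const orig = win.WebAssembly[fn];
    if (typeof orig !== "function") continue;
    win.WebAssembly[fn] = function (...a) { seen.wasm++; return orig.apply(this, a); };
  }
  return function report() {
    const hits = [];
    if (seen.cpuProbe > 0) hits.push("cpu-probe");
    if (seen.workers >= 2) hits.push("parallel-workers");
    if (seen.wasm > 0) hits.push("wasm");
    if (seen.sockets.length > 0) hits.push("websocket");
    // Each API is common on its own; only the full combination is flagged.
    return { hits, suspicious: hits.length === 4, sockets: [...seen.sockets] };
  };
}

// Constructed stand-in for a browser window, so the monitor runs under Node.
function stubWindow() {
  return {
    navigator: { hardwareConcurrency: 8 },
    Worker: class { constructor(url) { this.url = url; } },
    WebSocket: class { constructor(url) { this.url = url; } },
    WebAssembly: { instantiate: async () => ({}), Module: class {} },
  };
}
```

Hooks installed on the main window do not see calls made inside a worker's own global scope, so for a scan of your own site the monitor has to be installed there as well (passing the worker's `self`) and the reports merged.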
Economic model: the digital vampire
Researchers describe this approach as the “digital vampire model”: not a brute force attack that inflicts massive damage all at once, but a persistent, stealthy exploitation of resources over a longer period. Because thousands of websites are infected instead of a single large one, the attack is more robust, flexible, and difficult to eradicate completely.
Given the rising value of cryptocurrencies and the increasing computing power of today’s devices, this model remains economically attractive to cybercriminals. It also poses a challenge for legislators, who are grappling with the legal classification of such attacks.
The current campaign confirms that cryptojacking hasn’t disappeared, but has evolved into a new phase: more stealthy, more technical, and deeply embedded in the web itself. As the browser platform continues to grow in power, the battle between legitimate use and malicious exploitation will continue to escalate.
At the time of writing, the campaign is still active, and thousands of vulnerable websites and their unsuspecting visitors continue to fall victim to what is now one of the largest documented cryptojacking operations of the last decade.
ⓒ Antonio Georgopalis










