Hackers Launch Global Script Attack to Secretly Mine Cryptocurrency

A sweeping wave of website hacks has exposed millions of users to cryptojacking, the cybercrime that covertly hijacks devices to mine cryptocurrency. Security researchers discovered a campaign in which stealth JavaScript miners breached over 3,500 websites, signaling the resurgence of browser-based attacks.

Site visitors remain unaware as their devices silently join a vast illicit network, generating cryptocurrency for attackers every time a tampered site loads. The revenue comes at the cost of device performance, privacy, and security.

How the Stealth Mining Operation Works

Investigators revealed that the attack relies on complex, heavily obfuscated JavaScript code. Once loaded, the script silently scans a visitor’s device, estimating its power and allocating mining tasks in the background. By using parallel Web Workers, the operation maximizes computational resources while keeping the user experience largely unaffected.

But the true genius, and danger, lies in its WebSocket-based architecture. The miner fetches dynamic tasks from a remote server, tailoring workloads in real time. If a device runs hot or starts to lag, mining intensity is quietly reduced. 

Did you know?
Some cryptojacking JavaScript miners adjust their CPU usage to avoid detection, allowing them to persist on websites for months without notice.

Tactics to Evade Detection and Persist

The scripts’ adaptive design is the key to their stealth. Both users and security tools struggle to detect resource drains, since the code self-throttles and varies resource use. Many security products focus on brute-force consumption, making these nuanced approaches even harder to spot.

Obfuscation disguises the JavaScript’s true purpose. Attackers increase the difficulty for both automated scanners and human administrators by concealing key functions and network destinations. The campaign’s infrastructure also overlaps with Magecart credit card skimming operations, indicating a flexible network designed for multiple forms of cybercrime.

Website Breaches and Exploited Platforms

Attackers have increasingly set their sights on widely used content management systems, such as WordPress and OpenCart. While the specifics of each breach differ, the majority of successful compromises hinge on exploiting multiple vectors within these popular platforms.

Their techniques include injecting malicious scripts through seemingly legitimate plugins, altering critical site files like wp-settings.php to stealthily embed harmful code, and leveraging tools such as Google Tag Manager to deliver rogue JavaScript.

In some cases, even trusted plugins, like Gravity Forms, have been distributed in backdoored versions straight from what appear to be official sources. These approaches enable intruders to maintain long-term, covert access, frequently updating their payloads and sidestepping traditional signature-based detection methods.

The Human and Financial Cost

For affected site owners, the consequences are severe. Once discovered, cleanup is complex, often requiring full rebuilds of affected pages, removal of injected code, and tightening of server controls. Some attacks have blocked routine updates, complicating recovery further.

Meanwhile, visitors might experience sluggish devices, increased battery drain, and increased energy bills, all without realizing they're under attack. The risk escalates when cryptojacking overlaps with card-skimming or data-stealing campaigns operating from the same infrastructure.

ALSO READ | CoinDCX Hacked for $44M in Major Crypto Security Breach

Security Industry Urges Vigilance and Proactive Defense

Cybersecurity analysts say this wave of cryptojacking attacks reflects a new phase of sophistication. Instead of relying on noisy, short-lived resource hijacking, threat actors are now prioritizing stealth and persistence. They aim to quietly exploit website infrastructure over long periods, maximizing illicit crypto-mining profits while minimizing the risk of detection.

To defend against these threats, website administrators should routinely audit site files for unexpected changes, restrict the use and permissions of third-party extensions, and ensure timely updates to all CMS components, themes, and plugins.

Monitoring for spikes in resource usage or unusual traffic patterns is also key. For end users, signs like unexplained device slowdowns or constant fan activity may indicate in-browser mining. Using a trusted browser security add-on can help block crypto-mining scripts before they compromise performance.

A Warning for the Future

With cryptojacking once again on the rise, security researchers believe attackers are only becoming more sophisticated. The convergence of obfuscation, real-time task management, and infrastructure reuse points to a future where browser-based threats become more persistent, less visible, and more lucrative for cybercriminals.

In the wake of this campaign, website security and user vigilance are crucial. As attackers refine their strategies, only a proactive approach will help resist the lure and the danger of covert, browser-based crypto mining.