Cryptojacking is a form of cybercrime in which criminals hijack someone else’s computing resources, such as CPUs, servers, electricity, or cloud services, to mine cryptocurrency covertly and without the owner’s consent. In a typical cryptojacking attack, malicious code runs in the background of an infected device (or even in a victim’s web browser) and uses its processing power to solve the cryptographic puzzles that generate new digital coins. This unauthorized mining can significantly degrade system performance, increase power consumption, and rack up costs for the victim, for example through higher electricity bills or cloud service charges. Unlike ransomware, cryptojacking neither alerts the victim nor directly demands money, making it a “low-profile” but persistent threat. Europol and other agencies note that illicit cryptomining malware has become a regular, low-risk revenue stream for cybercriminals because it quietly earns them crypto over time with minimal chance of detection or arrest.

To carry out cryptojacking, attackers may exploit software vulnerabilities, use phishing or social engineering, or inject malicious scripts into websites and apps. Once a system is co-opted, the malware (often an illicit miner program) runs the mining calculations. Some cryptojacking is file-based (malware installed on the victim’s machine), while other cases are browser-based “drive-by” mining that runs only for as long as the user stays on an infected web page. In both cases the mined coins are typically sent automatically to wallets controlled by the criminals, often via mining pools or intermediary servers that aggregate the work of many compromised machines.

Cryptojacking sits at the intersection of cybercrime and financial crime. In practice, effective detection of cryptojacking and of the laundering of its proceeds requires fusing IT security data with financial data.
As a result, uncovering the full scheme, beyond simply flagging the funds as being of suspicious or illicit origin, is often not feasible for a typical AML/CFT obliged entity unless it is the victim itself.
Cryptojacking
Malicious Cryptomining
Illicit Cryptomining
Tactics
Through cryptojacking, criminals hijack victims' computing resources to generate newly minted cryptocurrency as direct illicit proceeds. This is the earliest stage of laundering, providing fresh criminal funds before any formal placement, layering, or integration steps.
Risks
The ultimate beneficiary is usually invisible (botnet controller, insider, nation-state unit). Accounts that receive mined coin inflows often have no legitimate mining infrastructure or declared source-of-wealth, masking true customer risk.
Through cryptojacking, criminals generate newly minted cryptocurrency entirely outside regulated financial products, bypassing AML scrutiny until assets are ultimately exchanged or converted. This technique exploits the unregulated nature of cryptomining, enabling illicit fund accumulation without the typical AML checks that would apply to regulated or monitored products.
Indicators
Sustained spikes in CPU/GPU or cloud-compute utilisation on systems with no legitimate workload, pointing to covert mining.
Observation of outbound network traffic from devices to known or blacklisted cryptomining pool addresses not linked to regular business operations.
Rapid conversion of mined privacy coins (e.g., Monero) into BTC, stablecoins, or fiat soon after receipt, absent any business rationale.
Presence of unauthorised miner executables, browser scripts, or background processes (e.g., XMRig) discovered during endpoint scans.
Multiple small crypto deposits into newly opened wallets that are later consolidated into a single large transfer to a low-KYC exchange.
Customer is unable to substantiate the source of sizeable crypto holdings and offers only vague claims of “mining”, with no corroborating evidence of hardware, electricity bills, or pool accounts.
Discovery of outdated/unpatched OS or anti-virus on customer-supplied devices, signalling higher susceptibility to cryptojacking infection.
Unexpected cloud-billing surges or sudden creation of high-spec virtual machines tied to accounts with otherwise stable usage profiles.
Freshly generated crypto deposits traced on-chain to mining-pool payout addresses, followed by rapid transfers to exchange wallets.
An account repeatedly chain-hops through three or more cryptocurrencies within 24 hours, especially from anonymity-enhanced coins to mainstream coins.
Device or user account shows log-ins outside normal hours followed by high CPU draw and external connections to mining services.
Security tools detect exploitation of known vulnerabilities (e.g., EternalBlue) immediately followed by miner installation across the network.
Funds originating from mixers/tumblers soon after pool payouts, suggesting attempts to break the forensic trail of mined assets.
Insider or contractor credentials used to deploy scripts or containers that contact mining pools, with no associated ticket or change request.
Abrupt electricity-consumption increase in data-centre or office segments not explained by business growth, aligning with mining activity timelines.
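The endpoint-side indicators above (sustained CPU load, egress to known pool addresses, miner executables such as XMRig, and off-hours logins followed by mining activity) can be expressed as correlation rules over telemetry. The following is an added example, not code from the original page: it runs four such rules over constructed CPU, connection, process and login records for three hosts. The pool denylist, host names and process inventory are hypothetical placeholders. The point it makes is that a single signal (a CI server pegged at 95% during a build) is not evidence on its own, whereas several signals clustering on one host after an off-hours login are.

```python
"""Correlate endpoint and network telemetry for the cryptojacking indicators above.
Added example over constructed telemetry; denylist, host names and processes are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

POOL_DENYLIST = {"pool.example-mining.invalid", "stratum.example-pool.invalid"}  # hypothetical
KNOWN_MINER_PROCESSES = {"xmrig", "xmrig.exe"}   # miner named on the page; extend from threat intel
CPU_THRESHOLD = 90.0                  # percent utilisation
CPU_MIN_SAMPLES = 4                   # consecutive samples at 5-minute cadence (20 minutes)
BUSINESS_HOURS = (7, 19)              # 07:00 <= hour < 19:00 is normal
OFF_HOURS_WINDOW = timedelta(hours=2)
_t = datetime.fromisoformat

# Constructed telemetry rows: (host, timestamp, value)
CPU_SAMPLES = [
    *[("ws-17", _t("2024-06-03T02:20:00") + timedelta(minutes=5 * i), pct)      # after-hours, pegged
      for i, pct in enumerate([95.0, 97.0, 96.0, 98.0, 97.0])],
    *[("ws-04", _t("2024-06-03T09:00:00") + timedelta(minutes=5 * i), pct)      # ordinary daytime use
      for i, pct in enumerate([20.0, 35.0, 88.0, 40.0])],
    *[("build-02", _t("2024-06-03T10:00:00") + timedelta(minutes=5 * i), 95.0)  # CI server mid-build
      for i in range(5)],
]
CONNECTIONS = [
    ("ws-17", _t("2024-06-03T02:25:00"), "pool.example-mining.invalid"),
    ("ws-04", _t("2024-06-03T09:03:00"), "updates.example.invalid"),
    ("build-02", _t("2024-06-03T10:01:00"), "git.example.invalid"),
]
PROCESSES = [
    ("ws-17", _t("2024-06-03T02:22:00"), "xmrig"),
    ("ws-04", _t("2024-06-03T09:01:00"), "outlook.exe"),
    ("build-02", _t("2024-06-03T10:00:00"), "cc1"),
]
LOGINS = [
    ("ws-17", _t("2024-06-03T02:13:00"), "svc_backup"),
    ("ws-04", _t("2024-06-03T08:58:00"), "alice"),
    ("build-02", _t("2024-06-03T09:55:00"), "ci-runner"),
]

def sustained_cpu_runs(samples, threshold=CPU_THRESHOLD, min_samples=CPU_MIN_SAMPLES):
    """{host: [run_start, ...]} for runs of >= min_samples consecutive samples at/above threshold."""
    by_host = defaultdict(list)
    for host, ts, pct in sorted(samples, key=lambda r: (r[0], r[1])):
        by_host[host].append((ts, pct))
    runs = defaultdict(list)
    for host, series in by_host.items():
        run_start, run_len = None, 0
        for ts, pct in series:
            if pct < threshold:
                run_len = 0
                continue
            if run_len == 0:
                run_start = ts
            run_len += 1
            if run_len == min_samples:        # record each qualifying run exactly once
                runs[host].append(run_start)
    return dict(runs)

def pool_egress(connections, denylist=POOL_DENYLIST):
    """{host: [timestamp, ...]} of outbound connections to denylisted pool endpoints."""
    hits = defaultdict(list)
    for host, ts, dst in connections:
        if dst.lower() in denylist:
            hits[host].append(ts)
    return dict(hits)

def miner_processes(processes, known=KNOWN_MINER_PROCESSES):
    """Hosts where a process name matches the known-miner list."""
    return {host for host, _, name in processes if name.lower() in known}

def off_hours_logins(logins, hours=BUSINESS_HOURS):
    """{host: [(timestamp, user), ...]} for logins outside business hours."""
    hits = defaultdict(list)
    for host, ts, user in logins:
        if not hours[0] <= ts.hour < hours[1]:
            hits[host].append((ts, user))
    return dict(hits)

def evaluate(cpu, connections, processes, logins):
    """Combine the single-signal rules into per-host findings (sorted rule names)."""
    findings = defaultdict(set)
    cpu_runs, egress = sustained_cpu_runs(cpu), pool_egress(connections)
    for rule, hosts in (("CPU_SUSTAINED", cpu_runs), ("POOL_EGRESS", egress),
                        ("MINER_PROCESS", miner_processes(processes))):
        for host in hosts:
            findings[host].add(rule)
    # Off-hours login followed within the window by BOTH sustained CPU and pool egress
    for host, entries in off_hours_logins(logins).items():
        for login_ts, _ in entries:
            end = login_ts + OFF_HOURS_WINDOW
            cpu_after = any(login_ts <= t <= end for t in cpu_runs.get(host, []))
            egress_after = any(login_ts <= t <= end for t in egress.get(host, []))
            if cpu_after and egress_after:
                findings[host].add("OFF_HOURS_CHAIN")
    return {host: sorted(rules) for host, rules in findings.items()}
```

Calling `evaluate(CPU_SAMPLES, CONNECTIONS, PROCESSES, LOGINS)` returns ws-17 with all four rules and build-02 with only CPU_SUSTAINED; ws-04 produces nothing. The thresholds (90%, four samples, the two-hour window) are illustrative and should be tuned to the estate's normal load before the rule is used for alerting.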
Data Sources
- Records anomalous device behavior, login patterns, malware infections, and endpoint security alerts.
- Correlates internal IT security events (malware detected, EDR logs, unauthorized cloud resource spikes) with downstream financial activity, supporting full-lifecycle tracing of cryptojacking—from compromise to laundering.
- Open sources may reveal campaigns, lists of affected victims, or known malware signatures.
- Helps supplement investigations with public reporting on cryptojacking incidents, associated wallet addresses, or attribution data (e.g., from security research or threat intelligence).
- Documents inflows to and outflows from accounts (especially when cryptojacking proceeds are eventually monetized via fiat bank transfers).
- Helps detect unexplained deposits from exchanges or conversion platforms, inconsistent with the customer’s profile or declared business.
- Captures the movement of cryptojacking proceeds through online payment and e-wallet systems, especially as criminals may convert assets into spendable digital balances or funnel them through non-bank payment apps.
- Provides details of user sessions, device resource usage (e.g., CPU/GPU consumption), IP addresses, and network connections. This information helps detect unauthorized cryptomining software or unusual outbound traffic to cryptomining pools, enabling timely identification and investigation of cryptojacking activities.
- Includes exchange-level transaction logs, user account information, wallet addresses, and trading volumes.
- Helps trace suspicious conversions of newly mined cryptocurrency into fiat or other digital assets, supporting the detection of cryptojacking proceeds and related laundering activity.
- Enables comparison between claimed business activities (e.g., no declared mining operations) and actual account or transaction patterns.
- Useful for identifying suspicious customers unable to demonstrate legitimate sources for incoming crypto or associated funds.
- Offers on-chain transaction records, including wallet addresses, timestamps, and amounts, along with related analytics. By examining repeated small mining-related transfers, anomalous consolidation patterns, and subsequent exchanges, investigators can trace proceeds from cryptojacking and identify layering or integration points in the laundering process.
Mitigations
Require customers with high-volume or suspicious cryptocurrency inflows to provide verifiable evidence of legitimate mining infrastructure and operating costs. Discrepancies between claimed activity and actual resource consumption may indicate covert cryptojacking.
During onboarding and ongoing reviews, validate a customer’s stated sources of cryptocurrency income against external evidence of legitimate mining operations. Cross-check power usage, hardware ownership, and mining pool affiliations to rule out unauthorized cryptojacking, where minimal operational indicators, such as electricity bills, often contradict claimed mining revenues.
Implement advanced scenario rules and real-time analysis to identify suspicious deposit patterns from known cryptomining addresses or rapid conversions of newly minted digital assets that do not align with the customer’s expected profile. By flagging incremental inflows linked to cryptojacking campaigns and large outflows to unregulated exchanges, institutions can detect and escalate illicitly mined cryptocurrency proceeds before further laundering occurs.
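The scenario rules described in this mitigation, together with the financial-side indicators listed earlier (micro-deposits later consolidated into a single transfer to a low-KYC venue, rapid conversion of mined privacy coins, three or more chain hops within 24 hours, and mining-pool inflows to a customer with no declared mining activity), can be prototyped as simple rules over a deposit/conversion/withdrawal ledger. The block below is an added example, not the page's or any vendor's code. Customer IDs, pool payout addresses, venue names and amounts are constructed placeholders; amounts are notional reference-currency values so that deposits and withdrawals in different assets can be compared, and the thresholds are illustrative.

```python
"""Scenario rules for illicitly mined crypto entering a regulated venue.

Added example over a constructed ledger. Pool payout addresses, venue names and
customers are placeholders; amounts are notional reference-currency values so
deposits and withdrawals in different assets can be compared.
"""
from datetime import datetime, timedelta

POOL_PAYOUT_ADDRESSES = {"pool-payout-A", "pool-payout-B"}   # hypothetical, labelled by analytics
LOW_KYC_VENUES = {"swapdesk.example.invalid"}                # hypothetical venue list
PRIVACY_COINS = {"XMR"}
LIQUID_TARGETS = {"BTC", "USDT", "USDC", "USD", "EUR"}        # BTC, stablecoins, fiat
DAY = timedelta(hours=24)
_t = datetime.fromisoformat

# Constructed KYC profiles and ledger rows
CUSTOMERS = {"C-1001": {"declared_mining": False},
             "C-2002": {"declared_mining": True},
             "C-3003": {"declared_mining": True}}
DEPOSITS = [  # (customer, timestamp, asset, value, source_address)
    *[("C-1001", _t("2024-05-01T03:10:00") + i * timedelta(hours=12), "XMR", 120.0, "pool-payout-A")
      for i in range(6)],                                     # six small payouts over three days
    ("C-2002", _t("2024-05-01T09:00:00"), "XMR", 3000.0, "pool-payout-B"),
    ("C-2002", _t("2024-05-02T09:00:00"), "XMR", 3000.0, "pool-payout-B"),
    ("C-3003", _t("2024-05-04T02:00:00"), "XMR", 900.0, "pool-payout-A"),
]
CONVERSIONS = [  # (customer, timestamp, from_asset, to_asset)
    ("C-1001", _t("2024-05-03T20:00:00"), "XMR", "BTC"),
    ("C-1001", _t("2024-05-03T22:00:00"), "BTC", "USDT"),
    ("C-2002", _t("2024-05-12T09:00:00"), "XMR", "BTC"),
    ("C-3003", _t("2024-05-04T12:00:00"), "XMR", "USDC"),
]
WITHDRAWALS = [  # (customer, timestamp, asset, value, destination)
    ("C-1001", _t("2024-05-04T09:00:00"), "USDT", 700.0, "swapdesk.example.invalid"),
    ("C-2002", _t("2024-05-15T09:00:00"), "BTC", 5500.0, "custody.example.invalid"),
]

def rule_profile_mismatch(customer, deposits, customers=CUSTOMERS):
    """Pool-linked inflows to a customer who declared no mining activity."""
    has_pool = any(c == customer and src in POOL_PAYOUT_ADDRESSES for c, _, _, _, src in deposits)
    return has_pool and not customers[customer]["declared_mining"]

def rule_rapid_conversion(customer, deposits, conversions, window=DAY):
    """Privacy-coin deposit converted to BTC/stablecoin/fiat within `window` of receipt."""
    for c, dep_ts, asset, _, _ in deposits:
        if c != customer or asset not in PRIVACY_COINS:
            continue
        for cc, conv_ts, src, dst in conversions:
            if (cc == customer and src == asset and dst in LIQUID_TARGETS
                    and dep_ts <= conv_ts <= dep_ts + window):
                return True
    return False

def rule_chain_hop(customer, conversions, min_assets=3, window=DAY):
    """Three or more distinct assets touched by conversions inside any 24-hour window."""
    convs = sorted((ts, src, dst) for c, ts, src, dst in conversions if c == customer)
    for i, (ts_i, _, _) in enumerate(convs):
        assets = set()
        for ts_j, src, dst in convs[i:]:
            if ts_j > ts_i + window:
                break
            assets.update((src, dst))
        if len(assets) >= min_assets:
            return True
    return False

def rule_micro_consolidation(customer, deposits, withdrawals, min_count=5,
                             small_value=500.0, ratio=0.8, window=7 * DAY):
    """Many small pool payouts followed by one large transfer to a low-KYC venue."""
    small = [(ts, val) for c, ts, _, val, src in deposits
             if c == customer and src in POOL_PAYOUT_ADDRESSES and val < small_value]
    if len(small) < min_count:
        return False
    total = sum(val for _, val in small)
    last = max(ts for ts, _ in small)
    return any(c == customer and dest in LOW_KYC_VENUES
               and last <= ts <= last + window and val >= ratio * total
               for c, ts, _, val, dest in withdrawals)

def evaluate_customers(deposits, conversions, withdrawals, customers=CUSTOMERS):
    """Return {customer: [rule, ...]} for customers with at least one fired rule."""
    report = {}
    for cust in customers:
        fired = []
        if rule_micro_consolidation(cust, deposits, withdrawals):
            fired.append("MICRO_CONSOLIDATION")
        if rule_rapid_conversion(cust, deposits, conversions):
            fired.append("RAPID_CONVERSION")
        if rule_chain_hop(cust, conversions):
            fired.append("CHAIN_HOP")
        if rule_profile_mismatch(cust, deposits, customers):
            fired.append("PROFILE_MISMATCH")
        if fired:
            report[cust] = fired
    return report
```

Of the three constructed customers, only C-1001 (no declared mining, six small pool payouts, XMR to BTC to USDT within two hours, then a large transfer to a low-KYC venue) fires every rule. C-3003 has declared mining and fires only the rapid-conversion rule, the kind of single-indicator alert that warrants a source-of-funds request rather than immediate escalation, and C-2002 fires nothing.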
Strengthen authentication and monitor privileged accounts to prevent insider-driven cryptomining, unauthorized script deployment, or use of institutional infrastructure for illicit mining.
Leverage blockchain analytics and threat intelligence to trace wallet flows linked to cryptojacking malware, identify micro-payout patterns from mining pools, and disrupt laundering before assets reach mainstream exchanges.
Educate staff on cryptojacking typologies, highlighting small repetitive cryptocurrency inflows, rapid asset conversions, and the absence of transparent operational costs common to unauthorized mining. Provide clear escalation procedures for raised alerts to ensure timely investigations into suspicious cryptojacking-based proceeds.
Integrate open-source intelligence and threat feeds into AML and cyber investigations to validate customer claims and rapidly spot wallet addresses, mining pools, or malware hashes linked to known cryptojacking incidents.
Join industry-wide intelligence forums and public-private partnerships focused on cryptojacking campaigns. Share indicators such as malicious wallet addresses, identified mining pool endpoints, and infiltration methods. This collaboration enables faster collective detection of cryptojacked proceeds when they enter financial channels.
Deploy advanced malware prevention and system monitoring to block cryptojacking scripts, monitor for unauthorized compute resource spikes, and address IT vulnerabilities that could enable illicit mining operations.
Regularly review and test AML/CFT and cybersecurity controls to ensure they detect cryptojacking behaviors and wallet flows. Scenario-test monitoring rules against emerging typologies, and update detection logic as new campaigns or mining payout methods are identified.
Instruments
Cryptojacking operations favor privacy coins such as Monero, which use features like stealth addresses and ring signatures to make mined funds practically untraceable. This enables criminals to safely aggregate and move cryptojacked proceeds without exposing the true source.
Attackers deposit cryptojacked funds into self-hosted or unregulated wallets, avoiding KYC checks and leveraging address proliferation to fragment flows. Regular creation of new wallets or use of hardware wallets further frustrates detection and seizure efforts.
After mining, criminals may quickly exchange proceeds into stablecoins using decentralized or lightly regulated platforms, preserving value and reducing exposure to volatility. This rapid conversion, especially when combined with intermediary wallets, helps mask the original source and movement trail.
Once a critical mass is reached, criminals convert illicitly mined cryptocurrency into fiat currency on exchanges—including those with lax AML controls or via informal OTC brokers. This step integrates the proceeds into traditional financial channels and enables subsequent movement into conventional banking with reduced suspicion.
Cryptojacking malware targets public ledger cryptocurrencies (e.g., Ethereum, Bitcoin), generating new coins that are distributed to attacker-controlled addresses. The transparent blockchain enables splitting and merging funds across numerous addresses, complicating tracking and supporting rapid movement between services or jurisdictions.
- Criminals wrap cryptojacked coins when bridging across multiple blockchains (e.g., wrapping ETH to WETH) to leverage different ecosystems.
- Each cross-chain conversion dilutes the transaction history, making it tougher to link the wrapped tokens back to the original illicitly mined crypto.
Illicit cryptojacking proceeds can be converted into physical cash via cryptocurrency ATMs, informal peer-to-peer sales, or OTC deals, often with minimal or falsified identification. Cash-out further fragments the audit trail and makes it difficult for authorities to link cryptocurrency flows back to cryptojacking activity.
Services & Products
Attackers deposit proceeds into DEXs, lending pools, or mixers embedded in DeFi, mingling funds with legitimate liquidity and evading central oversight.
Direct, user-to-user trades convert cryptojacked assets with minimal oversight, breaking links to source wallets and defeating exchange-level controls.
One-click, non-custodial swaps let criminals flip Monero → BTC → stablecoins in seconds, limiting the window for compliance checks.
Illicitly mined coins are consolidated and liquidated on exchanges; weak-KYC venues let attackers swap privacy coins for BTC or fiat, completing layering and integration.
Bridging wrapped tokens across chains obscures fund flow and exploits uneven AML standards between ecosystems.
Enables fast cash-out (or cash-in) of mined coins below ID thresholds; physical cash extraction severs the digital audit trail.
Self-hosted or lightly regulated wallets serve as first-hop repositories for mining payouts; attackers create many addresses to fragment inflows and mask ownership.
Actors
Cybercriminals deploy malicious cryptomining scripts or malware to hijack victims’ computing resources and mine cryptocurrency without consent. They fragment and aggregate the proceeds across multiple unregulated wallets before converting them into fiat or alternative digital assets. This rapid, opaque movement of funds exploits AML blind spots, complicating detection and due diligence, and leverages layering techniques across exchanges, payment platforms, and P2P channels to further obscure the illicit origin.
Providers of digital wallets, instant swap, or unregulated exchange services may unwittingly enable cryptojacking proceeds to move through their systems; weak KYC/AML frameworks increase this risk.
End-users may act knowingly (as cash-out partners or mixers) or unknowingly (if their compromised wallets are used to receive or forward cryptojacked coins).
PSPs may be exploited as cash-out or layering points when cryptojacked assets are routed through their platforms; failure to detect unusual flows or address anonymity features can aid laundering.
Sometimes recruited to open accounts/wallets, receive cryptojacked funds, and help break the audit trail by consolidating or cashing out assets on behalf of cybercriminals.