Have you been cryptojacked? Here’s how to detect and remove cryptominers

Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.

Cryptojacking is a relatively new form of hacking, where hackers use your Mac, PC, or even tablet or smartphone to mine cryptocurrency that they keep for themselves.

What is cryptocurrency?

You’ve probably heard of Bitcoin. It’s just one of many cryptocurrencies that have been created over the last few years. They are digital currencies stored in online wallets that can be used to pay for an increasing number of goods and services online. In order to generate ‘coins,’ so-called ‘miners’ have to solve increasingly difficult cryptographic puzzles. As more currency is generated and the maximum limit is approached, puzzles get more and more difficult, and so need an increasing amount of computing power to solve them. Huge server farms are used to generate currency. But these are very expensive, so hackers have turned to using other people’s computers to solve the puzzles, and that’s cryptojacking.

What is cryptojacking and how does it work?

Cryptojacking is the act of hijacking a computer, tablet, or smartphone in order to use it to mine cryptocurrency. The code that is used in cryptojacking is called a cryptominer. There are several ways cybercriminals can put cryptominers on your computer.

1. Emails

Simple phishing scams are sometimes used to install cryptominers. Like other phishing scams, the cybercriminal sends out thousands of seemingly genuine emails to unsuspecting users. The emails contain links and the text urging the recipient to click the link to reset a password, download an update, or perform some other action. And when the link is clicked, the code is downloaded to the user’s computer, and it then starts to mine cryptocurrency.

2. Web adverts

These adware scams don’t download any code to the user’s computer. Instead, when the user clicks a link to visit an infected page, an advert displays, and the code runs in the background while the webpage is active. That code mines currency.

These are the two most common methods and often work in tandem to maximize the use of the computer’s CPU. Unlike other forms of malware, cryptominers don’t usually cause harm to the host computer. However, they consume resources, slowing it down, making it difficult to use other programs, and stealing battery cycles and electricity.

Even big, mainstream websites can be affected. In 2017, it was reported that the Showtime streaming site had cryptominers running in the background, hijacking users’ resources. And in 2018, a researcher found cryptojacking code on the LA Times website.

How to detect cryptominers

There are a number of telltale signs that your Mac may have been hijacked by a cryptominer. Notice that we said ‘may have’ because the symptoms of cryptojacking are the same as the symptoms of other types of malware, so noticing them doesn’t mean your Mac has definitely been cryptojacked. It does, however, mean that you should take further steps to investigate and find out what’s going on. We’ll cover those steps later. For now, here are the signs that your Mac may have cryptominers stealing its resources.

  • Your Mac is running unusually slowly

If this slowdown is sudden — for example, when you click on a website link — it could be that the webpage that opens has adware that has started running cryptojacking code in the background. Try closing the tab or browser window and see if your Mac recovers.

  • Your Mac starts overheating

Often when malware, including a cryptominer, starts running on your Mac, it will consume a huge chunk of its CPU cycles. When this happens, your Mac will start to get hot, and the fans will spin up and become much louder than usual.

  • Your Mac becomes unresponsive

Because cryptominers use lots of resources, they leave little CPU power or RAM for other processes. This means that applications that normally run smoothly can hang completely. Persistent beach balling — where the beach ball spins almost every time you try and do anything — is a sign that you may have been cryptojacked.

What about CryptoLocker for Mac?

While its name sounds similar to cryptojacking and cryptominer, CryptoLocker has nothing to do with mining cryptocurrency. Cryptolocker is a Trojan horse that, when it’s downloaded to a computer, encrypts files and folders and then demands a ransom to unencrypt them, so the user can gain access to them again. Thankfully, there was never a CryptoLocker Mac version.

How to prevent cryptojacking

The methods for preventing cryptojacking are very similar to those for protecting your Mac against other forms of malware. Vigilance and common sense are key. Here are the best ways to prevent cryptojacking.

1. Don’t click links in email messages

As we described above, email phishing is one of the ways to install cryptominers on your Mac. The solution is to never click on a link in an email message unless you are 100% certain it’s safe. That means you should only click on links in messages that you know have come from family, friends, or sources you trust. Even then, it’s much better to copy the link and paste it into a browser instead of clicking on it. If you’re unsure about an email, don’t click the link.

2. Install ad-blocking software

Most web browsers, including Safari, allow you to install ad-blocking extensions. They prevent adverts from running or from opening new tabs or windows in your browser. As adware is one of the most common ways that cryptominers hijack your web browser and steal computer resources, ad-blockers can help prevent them from running on your Mac.

3. Don’t ignore browser warnings

If your web browser warns you that a page you’re trying to open is not safe and might harm your computer, don’t ignore it. Close the tab. While there have been reports of cryptominers running on large, mainstream websites, most run on sites that host other kinds of adware and malware, so it’s important to heed warnings.

4. Don’t click on suspicious-looking pop-ups

One favorite tactic of malware distributors is to generate panic among users and make them click on a link out of fear. This could be done by using a pop-up to tell you, for example, that Adobe Flash is out of date and needs to be upgraded. Or it could warn you that you’ve been hacked or your computer is at risk if you don’t click the link. Whatever you do, don’t ever click a link on a pop-up that tries to cause alarm by insisting you do something to protect your Mac.

How to find cryptominers

Not all cryptominers are downloaded to your computer — some run on web servers and cryptojack your Mac when you open a web page. To find cryptominers that have been installed on your Mac, you should use a malware detection and removal tool.

CleanMyMac X has its own malware tool that scans your Mac folder by folder, looking for nasty code that could harm your Mac or steal its resources. CleanMyMac X’s malware database is updated regularly and knows all about the last cryptojackers. So one way to find cryptominers on your Mac is to download and install CleanMyMac X and run its malware tool.

  1. Download CleanMyMac (for free).
  2. Launch the app.
  3. Choose the Malware Removal tab.
  4. Click Scan.
  5. Click Remove to neutralize the detected threats.
Malware scan in process

How to remove cryptominers from Mac

CleanMyMac X’s malware tool can remove cryptominers it detects at the click of a button. Another option is to download an antivirus tool — there are several available for the Mac — and use that to scan for malware. Some antivirus tools only allow you to scan for free and will require you to pay for the tool in order to remove malicious code, such as cryptojackers, while others will remove it for free.

The third option is to remove the files manually. To do this, however, you’d need to know which cryptominer had been installed and where to find it on your Mac. You’d need to also make sure that you had deleted every trace of it. It can be done, but it’s a task probably best carried out by more advanced users.

Cryptojacking isn’t as damaging to your Mac as other forms of malware. However, it steals resources from other processes and slows your computer down. And having any kind of malware on your computer is unpleasant. Fortunately, thanks to antivirus tools and CleanMyMac X’s Malware Removal tool, detecting and removing cryptominers isn’t too difficult. However, it’s much better to never have to remove malware and to avoid downloading it, and the best way to do that is to be vigilant and use common sense, particularly when it comes to clicking links in emails. If in doubt, don’t click.

Did you enjoy this post?
Share it or subscribe to our newsletter
Igor Degtiarenko
Writer and blogger at MacPaw, curious just about everything.
January 09, 2019
Updated: March 03, 2023
Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.

Free Download

CleanMy® PC will not receive new features and regular updates.

What does it mean?

  • CleanMy® PC remains safe, stable, and fully functional on all PCs that meet the system requirements.
  • Windows 11 is the last operating system to be supported.
  • Only critical bugs in CleanMy® PC will be fixed in the future; no new features or improvements will be added.
Read the full information here. Download Anyway