Have you been cryptojacked? Here’s how to detect and remove cryptominers

Cryptojacking is a relatively new form of hacking, where hackers use your Mac, PC, or even tablet or smartphone to mine cryptocurrency that they keep for themselves.

What is cryptocurrency?

You’ve probably heard of Bitcoin. It’s just one of several cryptocurrencies that have been created over the last few years. They are digital currencies, stored in online wallets, and can be used to pay for an increasing number of goods and services online. In order to generate ‘coins’, so-called ‘miners’ have to solve increasingly difficult cryptographic puzzles. As more currency is generated, and the maximum limit is approached, the puzzles get more and more difficult and so need an increasing amount of computing power to solve. Huge server farms are used to generate currency. But these are very expensive, and so hackers have turned to using other people’s computers to solve the puzzles. That’s cryptojacking.

Cryptocurrencies have rocketed in value in recent years, and while Bitcoin seems to have peaked at the end of 2017, when it was worth $20,000 per coin, most cryptocurrencies are still considered valuable. However, the resources needed to mine them are increasingly expensive, and so hackers and other criminals have sought ways to mine currency without spending money buying servers. And that method is to install cryptominers on unsuspecting users’ computers.

What is cryptojacking and how does it work?

Cryptojacking is the act of hijacking a computer, tablet, or smartphone in order to use it to mine cryptocurrency. The code that is used in cryptojacking is called a cryptominer. There are several ways cybercriminals can put cryptominers on your computer.

1. Emails

Simple phishing scams are sometimes used to install cryptominers. Like other phishing scams, the cybercriminal sends out thousands of seemingly genuine emails to unsuspecting users. The emails contain links, and the text urges the recipient to click the link to reset a password, download an update, or for some other purpose. When the link is clicked, code is downloaded to the user’s computer that then starts to mine cryptocurrency.

2. Web adverts

These adware scams don’t download any code to the user’s computer. When the user clicks a link to visit an infected page, an advert displays and the code runs in the background while the webpage is active. That code mines currency.

These are the two most common methods and often work in tandem to maximise use of the computer’s CPU. Unlike other forms of malware, cryptominers don’t usually cause harm to the host computer. However, they consume resources, slowing it down and making it difficult to use other programs, and they steal battery cycles and electricity.

Even big, mainstream websites can be affected. In 2017, it was reported that the Showtime streaming site had cryptominers running in the background, hijacking users’ resources. And in 2018, a researcher found cryptojacking code on the LA Times website.

How to detect cryptominers

There are a number of telltale signs that your Mac may have been hijacked by a cryptominer. Notice that we said ‘may have’, because the symptoms of cryptojacking are the same as the symptoms of other types of malware and so noticing them doesn’t mean your Mac has definitely been cryptojacked. It does, however, mean that you should take further steps to investigate and find out what’s going on. We’ll cover those steps later. For now, here are the signs that your Mac may have cryptominers stealing its resources.

  • Your Mac is running unusually slowly

If this slowdown is sudden, for example when you click on a website link, it could be that the webpage that opens has adware that has started running cryptojacking code in the background. Try closing the tab or browser window and see if your Mac recovers.

  • Your Mac starts overheating

Often when malware, including a cryptominer, starts running on your Mac it will consume a huge chunk of its CPU cycles. When this happens, your Mac will start to get hot and the fans will spin up and become much louder than usual.

  • Your Mac becomes unresponsive

Because cryptominers use lots of resources, they leave little CPU power or RAM for other processes. This means applications that normally run smoothly can hang completely. Persistent beach balling — where the beachball spins almost every time you try and do anything — is a sign that you may have been cryptojacked.
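One way to check for the sustained CPU load described in the signs above from Terminal, as an added example that is not part of the original article. The function names, the snapshot data and the `helperd` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes whose CPU use stays high across snapshots.

# Take N snapshots of every process, INTERVAL seconds apart. Each snapshot is
# a run of "pid %cpu command" lines followed by a "--" separator line.
take_snapshots() {
    n=$1; interval=$2; i=0
    while [ "$i" -lt "$n" ]; do
        ps -A -o pid=,pcpu=,comm=
        echo "--"
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$interval"; fi
    done
}

# Read snapshots on stdin and print "pid hits command" for each process that
# was at or above THRESHOLD %CPU in at least MIN_HITS snapshots.
sustained_hogs() {
    awk -v thr="$1" -v min="$2" '
        $1 == "--" { next }
        ($2 + 0) >= thr {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i  # paths can hold spaces
            hits[$1]++; name[$1] = cmd
        }
        END { for (p in hits) if (hits[p] >= min) print p, hits[p], name[p] }
    ' | sort -n
}

# Constructed sample: three snapshots. PID 501 (hypothetical path) stays
# pinned near 100%; the browser spikes once while a page loads.
SAMPLE_SNAPSHOTS='501 97.3 /Users/demo/Library/helperd
612 85.0 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
700 1.2 /usr/sbin/cfprefsd
--
501 98.1 /Users/demo/Library/helperd
612 3.4 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
700 0.9 /usr/sbin/cfprefsd
--
501 96.8 /Users/demo/Library/helperd
612 2.0 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
700 1.1 /usr/sbin/cfprefsd
--'

# Demo on the sample; for live data: take_snapshots 6 10 | sustained_hogs 80 5
printf '%s\n' "$SAMPLE_SNAPSHOTS" | sustained_hogs 80 3
```

A process this flags is only a candidate for investigation, since legitimate heavy work such as a video export produces the same pattern. `ps` reports %CPU per core, so a multi-threaded process can show more than 100.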

What about cryptolocker for Mac?

While its name sounds similar to cryptojacking and cryptominer, cryptolocker has nothing to do with mining cryptocurrency. Cryptolocker is a trojan horse that, when it’s downloaded to a computer, encrypts files and folders and then demands a ransom to decrypt them so the user can gain access to them again. Thankfully there was never a cryptolocker Mac version.

How to prevent cryptojacking

The methods for preventing cryptojacking are very similar to those for protecting your Mac against other forms of malware. Vigilance and common sense are key. Here are the best ways to prevent cryptojacking.

1. Don’t click links in email messages

As we described above, email phishing is one of the ways in which cryptominers can be installed on your Mac. The solution is to never click on a link in an email message unless you’re 100% certain it’s safe. That means you should only click on links in messages that you know have come from family or friends, or sources you trust. Even then, it’s much better to copy the link and paste it into a browser, instead of clicking on it. If you’re unsure about an email, don’t click the link.

2. Install ad-blocking software

Most web browsers, including Safari, allow you to install ad-blocking extensions. These prevent adverts from running or from opening new tabs or windows in your browser. As adware is one of the most common ways that cryptominers hijack your web browser and steal computer resources, ad-blockers can help prevent them running on your Mac.

3. Don’t ignore browser warnings

If your web browser warns you that a page you’re trying to open is not safe and might harm your computer, don’t ignore it. Close the tab. While there have been reports of cryptominers running on large, mainstream websites, most run on sites that host other kinds of adware and malware and so it’s important to heed warnings.

4. Don’t click on suspicious looking pop-ups

One favourite tactic of malware distributors is to generate panic among users and make them click on a link out of fear. This could be done by using a pop-up to tell you, for example, that Adobe Flash is out of date and needs to be upgraded. Or it could warn you that you’ve been hacked or your computer is at risk if you don’t click the link. Whatever you do, don’t ever click a link on a pop-up that tries to cause alarm by insisting you do something to protect your Mac.

How to find cryptominers

Not all cryptominers are downloaded to your computer. Some run on web servers and cryptojack your Mac when you open a web page. To find cryptominers that have been installed on your Mac, you should use a malware detection and removal tool.

CleanMyMac X has its own malware tool that scans your Mac, folder by folder, looking for nasty code that could harm your Mac or steal its resources. CleanMyMac X’s malware database is updated regularly and knows all about the latest cryptojackers. So, one way to find cryptominers on your Mac is to download and install CleanMyMac X and run its malware tool.

  1. Download CleanMyMac (for free).
  2. Launch the app.
  3. Choose the Malware Removal tab.
  4. Click Scan.
  5. Click Remove to neutralize the detected threats.

How to remove cryptominers from Mac

CleanMyMac X’s malware tool can remove cryptominers it detects at the click of a button. Another option is to download an antivirus tool — there are several available for the Mac — and use that to scan for malware. Some antivirus tools only allow you to scan for free and will require you to pay for the tool in order to remove malicious code such as cryptojackers; others will remove it for free.

The third option is to remove the files manually. To do this, however, you’d need to know which cryptominer had been installed and where to find it on your Mac. You’d need to also make sure that you had deleted every trace of it. It can be done, but it’s a task probably best carried out by more advanced users.

Cryptojacking isn’t as damaging to your Mac as other forms of malware. However, it steals resources from other processes and slows your Mac down. And having any kind of malware on your computer is unpleasant. Fortunately, thanks to antivirus tools and to CleanMyMac X’s malware tool, detecting and removing cryptominers isn’t too difficult. However, it’s much better to never have to remove malware and to avoid downloading it in the first place, and the way to do that is to be vigilant and use common sense, particularly when it comes to clicking links in emails. If in doubt, don’t click.
