Publishers running programmatic advertising generally expect their ad inventory to deliver content: a banner, a video, or a native placement. What they do not expect is for that inventory to silently turn every visitor’s device into a cryptocurrency mining node. Cryptojacking via ad scripts does exactly that, leaving no obvious trace in standard campaign reporting.
The attack is not new, but its mechanics have evolved. After Coinhive, the mining service most associated with early browser-based cryptomining, shut down in March 2019, the assumption in some quarters was that the threat had peaked. It had not.
The infrastructure moved to less visible pools, delivery methods diversified, and cryptojacking remained profitable thanks to its low operating costs.
Here, we will break down how cryptojacking enters ad inventory, what it does on devices, why it is harder to detect than other forms of malvertising, and how responsible platforms address the problem.
Contents
- What Cryptojacking Is And What Makes It Different from Other Malvertising
- How the Script Gets Into Ad Inventory
- What Happens on the Device: The Mechanics of In-Browser Mining
- Why Advertisers and Publishers Pay the Price
- Detection Signals: What Cryptojacking Looks Like in the Data
- How Ad Platforms Defend Against Cryptojacking
- FAQ
What Cryptojacking Is And What Makes It Different from Other Malvertising
Most malvertising is designed to redirect: it pushes the user to a destination they did not intend to reach, either via a forced landing page, a fake alert, or a drive-by download. The goal is immediate and visible, which also means it is relatively easy to detect and report.
Cryptojacking works on a different logic. The script does not need the user to click anything, install anything, or notice anything. It loads silently in the browser, identifies idle CPU cycles, and uses them to perform the hash calculations required by cryptocurrency mining.
From the user’s perspective, the page loaded normally. Their device just runs a little hotter and a little slower than usual – easy to attribute to a heavy page, a background app, or an aging battery.
That invisibility is the defining characteristic. Cryptojacking is not about stealing credentials or redirecting traffic. Instead, it’s trying to go unnoticed for as long as possible, extracting value from the device’s processing power rather than from the user’s data or actions. The longer it runs undetected, the more it earns.
This changes the detection problem significantly. The signals that catch standard malvertising – redirect chains, suspicious landing page domains, user complaints about unexpected navigation – do not apply.
The signals for cryptojacking are performance-based: CPU load, browser process behavior, and device temperature. Most ad monitoring setups are not instrumented to catch these.
How the Script Gets Into Ad Inventory
There are three main entry points, each with different implications for who is responsible and where the defense needs to sit.
Three Entry Vectors for Cryptojacking Scripts in Ad Inventory
Where in the supply chain each attack originates — and where defense must sit
| Path | Attacker | Intermediate stage | Trigger | Defense point |
|---|---|---|---|---|
| 01: Compromised Creative | Submits creative with obfuscated mining script in JavaScript | Platform: creative passes review if scanning is insufficient | Script executes on ad render | Creative scanning at submission |
| 02: Supply Chain Injection | Compromises a legitimate ad tag or third-party script after approval | Injection: mining script added at network or CDN level — advertiser and publisher unaware | Trusted tag executes; miner runs under legitimate cover | Tag integrity monitoring at runtime |
| 03: Malicious Bid | Fraudulent DSP wins auction with a legitimate-looking creative | Delay: mining script loads as secondary payload after a delay — timed to fall outside scan window | Miner activates after render; evades post-bid scanners | Demand-side vetting + post-render behavioral analysis |
All three paths — same outcome: User device CPU hijacked. Mining runs silently in the browser.
Source: ADEX Security Operations
- The first vector is a compromised creative submitted directly through the ad platform. The mining script is embedded in the creative’s JavaScript, typically obfuscated to avoid signature-based scanners. This is the most straightforward form of the attack, and also the most likely to be caught: on platforms with rigorous pre-flight creative review, like Adex, it simply does not reach delivery.
- The second vector is more insidious: supply chain injection. A legitimate third-party tag, ad-serving component, or JavaScript library that is already trusted within the ad stack is compromised at the source. The original creative is clean; the mining script is introduced through a dependency. From the publisher’s perspective, the creative was approved, and the tag was verified. The infection entered through a route that neither the publisher nor the platform was monitoring at that layer. Again, platforms like Adex that treat tag verification as ongoing rather than a one-time checkpoint close this vector entirely.
- The third vector is a malicious bidder winning impressions through a programmatic auction. The winning creative looks legitimate at render time but loads the mining script as a secondary payload after a brief delay, specifically to evade post-bid creative scanners that inspect immediately on render. The delay is calibrated to fall outside the scan window.
Each vector requires a different defensive response, which is part of why cryptojacking has remained persistent even as platform detection has improved. Catching all three simultaneously requires controls at creative submission, tag integrity monitoring, and continuous post-render behavioral analysis – not just one of these.
What Happens on the Device: The Mechanics of In-Browser Mining
When a cryptojacking script executes in the browser, it instantiates a mining worker, typically using the Web Workers API to run the computation in a background thread.
This lets the script use CPU resources without blocking the main browser thread, keeping the page visually responsive and reducing the chance the user notices lag.
The script connects to a mining pool via an encrypted WebSocket, receives a set of computational tasks (finding hash values that meet a defined difficulty target), and begins running them across available CPU cores. Completed hashes are submitted back to the pool; valid ones earn a fraction of the mining reward, which accumulates in a wallet controlled by the attacker.
Modern implementations are designed to manage their CPU footprint. A script that maxes out all available cores will trigger fan noise, visible performance degradation, and battery drain that even a non-technical user will notice. The more sophisticated variants actively throttle their CPU usage, keeping consumption low enough that the device remains functional and no alarm is raised, while still generating yield over a sustained session.
From a security operations standpoint, what makes this particularly difficult to attribute in an advertising context is that legitimate ad-heavy pages already carry elevated JavaScript execution load. A mining script running at moderate throttle on a page with four ad units and two analytics tags does not stand out in a standard performance profile.
The signal is there, but it requires specific instrumentation to separate from background noise.
Adex — Threat Intelligence
What Happens on the Device: In-Browser Mining Mechanics
- Mining Worker Instantiated: Script executes in the browser and launches a Web Worker — a background thread that uses CPU without blocking the main page. The page stays visually responsive, reducing the chance the user notices lag.
- Connection to Mining Pool: Worker connects to a mining pool via encrypted WebSocket and receives computational tasks: finding hash values that meet a defined difficulty target.
- CPU Cores Put to Work: Tasks are distributed across available CPU cores. Completed hashes are submitted back to the pool — valid ones accumulate as fractions of mining reward in the attacker’s wallet.
- Throttling to Stay Hidden: Maxing out all cores triggers fan noise, battery drain, and visible slowdown. Sophisticated variants actively throttle CPU usage, keeping consumption low enough to avoid detection while generating yield across sustained sessions.
- Blends Into Page Noise: Ad-heavy pages already carry elevated JS execution load. A throttled mining script running alongside four ad units and two analytics tags does not stand out in a standard performance profile.
Detection challenge: The signal is there — but separating it from background noise requires specific instrumentation, not standard page performance monitoring.
Why Advertisers and Publishers Pay the Price
The direct victim of cryptojacking is the user whose device is being used to mine. The downstream victims are the advertiser and the publisher, and the damage runs in different directions.
- For publishers, the damage comes through automated systems rather than user complaints. Security tools and ad verification vendors scan domains for malicious scripts. When a mining script is detected on a publisher’s domain, that domain gets added to blocklists. Browser extensions running on the publisher’s audience will quietly stop loading ads on that domain. Advertiser exclusion lists get updated. The publisher loses ad revenue without a clear explanation – the domain was simply deprioritized by systems that flagged it, and no one sent a notification.
- For advertisers, the issue is where their ads end up. Brand safety tools evaluate the full page environment, not just the ad creative. A page running a cryptojacking script in the background will score poorly in that evaluation. For campaigns in financial services, healthcare, or any category operating under a strict inclusion list, that score can pull a placement out of eligible inventory entirely — or leave it running on a domain that would fail a manual review. The advertiser either loses reach or ends up buying inventory they wouldn’t have approved if they’d looked at it.
- Cryptojacking also distorts campaign data. Mining scripts compete with everything else running in the browser, including the measurement tools that track viewability and engagement. When a script is consuming most of the CPU, viewability measurement may not complete within the required time window — so impressions get logged as non-viewable even if the ad was in full view. Interaction rates drop because the page is slow to respond. The resulting data looks like a traffic quality problem, not a resource problem. Without specific instrumentation that identifies mining activity, the real cause stays hidden.
Detection Signals: What Cryptojacking Looks Like in the Data
Standard ad fraud detection looks at traffic behavior: bot patterns, invalid click sequences, and implausible conversion rates. Cryptojacking does not generate those signals because it is not interacting with the campaign at all. It is running in parallel to the ad, using the page load as its delivery mechanism.
The signals that do exist are performance-based and require a different monitoring layer.
Why cryptojacking evades conventional invalid traffic (IVT) detection — and what additional signal layer is required
| Signal Type | Standard Invalid Traffic (IVT) Detection | Cryptojacking Detection |
|---|---|---|
| Traffic behavior | Bot patterns, click farms, implausible session data | Traffic looks normal — no anomalous click or visit behavior |
| Creative interaction | No interaction or scripted interaction | Normal or slightly reduced interaction due to resource contention |
| CPU / process load | Not monitored by standard invalid traffic tools | Elevated and sustained central processing unit (CPU) usage in browser process — particularly in background worker threads |
| Network activity | Suspicious redirect chains, unknown landing domains | Encrypted WebSocket connections to mining pool domains, often on non-standard ports |
| Viewability scores | Often low due to placement fraud | May degrade over session length as device resources are consumed |
| User session length | Abnormally short (bot) or scripted | May shorten due to device heat, battery drain, or user frustration |
Source: ADEX Security Operations
The most reliable detection approach combines three signal layers.
- Layer 1: Network-level domain blocking – mining pools operate from known infrastructure, and maintaining an updated blocklist of mining pool domains and WebSocket endpoints catches the majority of active scripts at the connection level. This is reactive to known infrastructure, so it requires continuous updating as attackers rotate domains.
- Layer 2: Behavioral analysis of creative execution – monitoring JavaScript execution patterns for the specific combination of sustained CPU usage, background worker instantiation, and outbound connection to pool infrastructure. This is more durable than domain blocking because it targets behavior rather than specific addresses.
- Layer 3: User-side signal correlation – elevated CPU during a session on a specific placement, combined with reduced viewability and shortened session length, creates a composite signal that is statistically distinguishable from normal performance variation. This requires instrumentation at the publisher or platform level, not just at the campaign level.
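The Layer 2 rule above, as an added example (not Adex's code): it runs over a constructed event trace from a hypothetical creative sandbox and flags the combination of worker instantiation, a WebSocket to an undeclared host, and sustained CPU. The event shape, thresholds and host names are assumptions; evaluating the same trace at two observation windows shows why a render-time scan misses a delayed, throttled payload.

```javascript
// Added example: Layer 2 behavioural rule run over a sandbox trace of one creative.
// Event shape, thresholds and host names are assumptions made for illustration.
const RULE = { cpuPct: 30, sustainedMs: 20000 };

// CPU samples (percent of one core) every `step` ms between `from` and `to`.
function cpuSamples(from, to, step, pct) {
  const out = [];
  for (let t = from; t <= to; t += step) out.push({ t, type: "cpu", pct });
  return out;
}

// Constructed trace: clean at render; a secondary payload wakes after 45 s and
// runs throttled (42%) so it never pegs the core.
const SAMPLE_TRACE = [
  { t: 0, type: "render" },
  { t: 300, type: "fetch", host: "cdn.advertiser.example" },
  ...cpuSamples(1000, 41000, 5000, 6),
  { t: 45000, type: "worker_created" },
  { t: 45200, type: "ws_open", host: "pool.invalid" },
  ...cpuSamples(46000, 86000, 5000, 42),
];

// Longest unbroken stretch (ms) of CPU samples at or above the threshold.
function longestHotRun(samples, cpuPct) {
  let best = 0, start = null;
  for (const s of samples) {
    if (s.pct >= cpuPct) {
      if (start === null) start = s.t;
      best = Math.max(best, s.t - start);
    } else start = null;
  }
  return best;
}

// Evaluate only what a scanner observing for `windowMs` after render would see.
function evaluate(trace, declaredHosts, windowMs) {
  const seen = trace.filter((e) => e.t <= windowMs);
  const worker = seen.some((e) => e.type === "worker_created");
  const undeclaredWs = seen
    .filter((e) => e.type === "ws_open" && !declaredHosts.includes(e.host))
    .map((e) => e.host);
  const hotMs = longestHotRun(seen.filter((e) => e.type === "cpu"), RULE.cpuPct);
  const hits = [worker, undeclaredWs.length > 0, hotMs >= RULE.sustainedMs]
    .filter(Boolean).length;
  const verdict = hits === 3 ? "flag" : hits > 0 ? "review" : "pass";
  return { worker, undeclaredWs, hotMs, verdict };
}

const declared = ["cdn.advertiser.example"];
console.log(evaluate(SAMPLE_TRACE, declared, 10000).verdict);  // render-time scan
console.log(evaluate(SAMPLE_TRACE, declared, 120000).verdict); // extended observation
```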
How Ad Platforms Defend Against Cryptojacking
The defensive approach that actually works at scale is layered, and each layer addresses a different entry vector.
A platform that only scans creatives at submission catches the most obvious attacks but misses supply-chain injection and delayed-payload variants. A platform that only monitors known mining pool domains covers established infrastructure but misses newly registered domains and obfuscated pool connections.
What the Adex team applies across the inventory it monitors works in layers:
- Creative-level scanning checks submitted scripts for obfuscation before they go live.
- Tag integrity monitoring catches supply chain injection by comparing how a tag behaves at runtime against how it behaved at approval — not just checking it once and moving on.
- Post-render behavioral analysis catches delayed-payload attacks: scripts that stay dormant long enough to pass standard scan intervals, then activate later.
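Tag integrity monitoring as an ongoing comparison, shown as an added example (not Adex's implementation): each runtime observation of an approved tag is diffed against the profile recorded at approval. The profile fields, tag id, digests and hosts are constructed assumptions; the `dependency` case shows why a one-time content check is not enough, since the tag's own bytes are unchanged while its behaviour is not.

```javascript
// Added example: tag integrity as a runtime-vs-approval comparison.
// Profile fields, tag ids, digests and hosts are constructed for illustration.
const RISKY = ["worker", "websocket"]; // capabilities in-browser mining relies on

// Profile captured when the tag was approved.
const BASELINE = {
  "tag-A": { digest: "constructed-digest-1", hosts: ["t.vendor.example"], caps: ["fetch", "image"] },
};

// Entries present now that were absent at approval.
function newItems(now, before) {
  return now.filter((x) => !before.includes(x));
}

function checkTag(tagId, observed, baseline = BASELINE) {
  const base = baseline[tagId];
  if (!base) return { status: "block", reasons: ["no approval record for tag"] };
  const reasons = [];
  const hosts = newItems(observed.hosts, base.hosts);
  const caps = newItems(observed.caps, base.caps);
  if (observed.digest !== base.digest) reasons.push("content changed since approval");
  if (hosts.length) reasons.push("new hosts: " + hosts.join(", "));
  if (caps.length) reasons.push("new capabilities: " + caps.join(", "));
  let status = "ok";
  if (reasons.length) status = "review";                      // any drift gets a human look
  if (caps.some((c) => RISKY.includes(c))) status = "block";  // mining-shaped drift stops delivery
  return { status, reasons };
}

// Constructed runtime observations of the same approved tag.
const OBSERVED = {
  unchanged: { digest: "constructed-digest-1", hosts: ["t.vendor.example"], caps: ["fetch", "image"] },
  newRelease: { digest: "constructed-digest-2", hosts: ["t.vendor.example"], caps: ["fetch", "image"] },
  // Tag bytes identical, but a dependency it loads now behaves differently.
  dependency: {
    digest: "constructed-digest-1",
    hosts: ["t.vendor.example", "pool.invalid"],
    caps: ["fetch", "image", "worker", "websocket"],
  },
};

function runAll() {
  return Object.fromEntries(
    Object.entries(OBSERVED).map(([name, o]) => [name, checkTag("tag-A", o).status]));
}
console.log(runAll());
```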
A cryptojacking campaign using a freshly registered mining pool domain, running on standard HTTPS ports, with a script obfuscated against current signature databases, will have time before detection catches it. How much time depends on how quickly threat intelligence updates and how fast behavioral analysis identifies the new pattern. Platforms that are transparent about their detection methods and update cycles give buyers and publishers a realistic picture of what that gap looks like.
FAQ
What is cryptojacking in advertising?
Cryptojacking in advertising refers to the use of malicious JavaScript embedded in ad creatives or ad tags to mine cryptocurrency using the computational resources of a website visitor’s device without their knowledge or consent. The script executes when an ad loads, running in the background while the user browses normally. The user’s CPU is used to perform mining calculations, which benefit the attacker.
How is cryptojacking different from other types of malvertising?
Most malvertising attempts to redirect users, install malware, or steal data via a visible or interactive trigger. Cryptojacking requires no user action and produces no visible output. It runs silently in the background, which makes it harder to detect through standard user complaint signals or redirect-chain analysis. Detection requires performance monitoring and behavioral analysis rather than traffic pattern analysis.
Can a user tell if their device was cryptojacked via a malicious ad?
Sometimes, though not reliably. Symptoms include elevated CPU usage visible in the device’s task manager, unusual fan activity, faster battery drain, and general sluggishness during a browsing session. Some browser security extensions detect known mining scripts and display a warning. Most users attribute these symptoms to the site being heavy or their device being slow, rather than identifying the specific cause.
Does cryptojacking affect ad performance metrics?
Yes, indirectly. Mining scripts consume browser resources that would otherwise be available for ad rendering, tracking pixel execution, and viewability measurement. Sessions where mining is running tend to show compressed viewability scores, reduced interaction rates, and anomalous time-on-page data. This can distort campaign performance reporting in ways that are difficult to diagnose without knowing the underlying cause.
What should publishers do if they suspect cryptojacking in their ad inventory?
The first step is isolating which placement or tag is triggering elevated CPU by testing page variants with individual ad units disabled. Network monitoring tools can identify unexpected outbound WebSocket connections to unknown domains during ad session playback. Publishers should report confirmed cases to their ad platform, including session recordings and network logs, and request a tag integrity audit if the suspected vector is a third-party component rather than a specific creative.

