A mid-year threat report from cybersecurity firm SonicWall has revealed a staggering 399% increase in global cryptojacking volume during the first half of 2023, as threat actors pivot from traditional ransomware toward stealthier, lower-risk attack methods. The findings signal a fundamental shift in how cybercriminals operate in the cryptocurrency space, with significant implications for organizations of all sizes.
The Threat Landscape
The 2023 SonicWall Mid-Year Cyber Threat Report paints a complex picture of evolving cyber threats. While global ransomware attempts declined by 41% — the lowest first-half totals since 2020 — other attack vectors have surged dramatically. Cryptojacking volume reached record levels, with North America seeing a 345% increase and Europe experiencing an extraordinary 788% jump compared to the same period in 2022.
SonicWall researchers also observed increases in IoT malware (+37%) and encrypted threats (+22%). The company discovered 172,146 never-before-seen malware variants during the period, underscoring the rapid pace of threat evolution. Overall intrusion attempts climbed 21% year-over-year.
“The seemingly endless digital assault on enterprises, governments and global citizens is intensifying, and the threat landscape continues to expand,” said SonicWall President and CEO Bob VanKirk. The data suggests that increased law enforcement activity, heavy sanctions, and victims’ refusal to pay ransom demands have altered criminal behavior, pushing threat actors toward alternative revenue streams.
Core Principles
Cryptojacking — the unauthorized use of computing resources to mine cryptocurrency — has become attractive to threat actors for several key reasons. Unlike ransomware, cryptojacking operates silently, often going undetected for extended periods. The victim’s computing resources are hijacked to mine privacy coins like Monero, generating a steady stream of income for the attacker without requiring direct interaction with the victim.
SonicWall Vice President of Product Security Bobby Cornwell explained: “Bad actors are pivoting to lower-cost, less risky attack methods with potentially high returns, like cryptojacking.” The economics are compelling: minimal development costs, low risk of detection, no need for ransom negotiations, and a continuous revenue stream that scales with the number of compromised systems.
Tooling and Setup
Organizations looking to defend against cryptojacking should implement a multi-layered security approach. Network monitoring tools that detect unusual outbound traffic patterns are essential, as cryptojacking scripts communicate with mining pools through identifiable connection patterns. Endpoint detection and response (EDR) solutions can identify unauthorized mining processes running on individual machines.
Browser-based cryptojacking remains a significant vector, often delivered through compromised websites or malicious browser extensions. Organizations should enforce browser security policies, use content filtering to block known mining domains, and educate users about the risks of installing unverified browser extensions.
Cloud infrastructure is increasingly targeted, with attackers exploiting misconfigured containers and serverless functions to deploy mining operations at scale. Cloud security posture management tools and proper access controls are critical for organizations running workloads in public cloud environments.
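As an added example (not from the SonicWall report or any product mentioned here), the following Python script shows what the "identifiable connection patterns" above look like in practice: miners speak the Stratum JSON-RPC protocol to their pool, so the login/subscribe handshake and the client agent string are visible in egress or proxy logs, while a pool-typical destination port alone is only a weak signal. The log layout, the port list and the sample lines are all assumed and constructed for the demonstration.

```python
import json
import re

# Stratum is the JSON-RPC protocol miners use to talk to pools; these method names
# appear in the first client-to-pool messages (login / subscribe / authorize).
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "mining.submit"}
# Ports commonly offered by public pools (assumed, illustrative list; tune per network).
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}
# Assumed egress log layout: "<ts> src=IP:PORT dst=IP:PORT proto=tcp [payload=<json>]".
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dhost>[^:\s]+):(?P<dport>\d+) proto=tcp(?: payload=(?P<payload>.*))?$")

def classify(line):
    """Return a finding dict for one egress log line, or None if nothing matched."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dport, reasons = int(m.group("dport")), []
    if m.group("payload"):
        try:
            msg = json.loads(m.group("payload"))
        except ValueError:
            msg = None
        if isinstance(msg, dict):
            if msg.get("method") in STRATUM_METHODS:
                reasons.append(f"stratum method {msg['method']!r}")
            params = msg.get("params")  # dict for Monero-style pools, list for mining.subscribe
            agent = params.get("agent", "") if isinstance(params, dict) else (params or [""])[0]
            if "xmrig" in str(agent).lower():
                reasons.append(f"miner user agent {agent!r}")
    if dport in POOL_PORTS:  # weak signal on its own, so it only ever yields "low"
        reasons.append(f"destination port {dport} is common for mining pools")
    if not reasons:
        return None
    severity = "high" if any(not r.startswith("destination") for r in reasons) else "low"
    return {"src": m.group("src"), "dst": f"{m.group('dhost')}:{dport}",
            "severity": severity, "reasons": reasons}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic); the wallet value is a placeholder.
SAMPLE_LOG = [
    '2023-06-12T10:02:11Z src=10.0.4.17:51022 dst=203.0.113.9:3333 proto=tcp payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.19.0"}}',
    '2023-06-12T10:02:15Z src=10.0.4.17:51023 dst=203.0.113.9:3333 proto=tcp payload={"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"x"}}',
    '2023-06-12T10:03:00Z src=10.0.4.22:44010 dst=198.51.100.5:443 proto=tcp payload={"jsonrpc":"2.0","method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    '2023-06-12T10:04:30Z src=10.0.4.30:50100 dst=192.0.2.80:443 proto=tcp payload={"jsonrpc":"2.0","method":"getStatus","params":{}}',
    '2023-06-12T10:05:02Z src=10.0.4.31:50200 dst=192.0.2.81:80 proto=tcp',
]
```

Running `scan(SAMPLE_LOG)` flags the first three lines (two high, one low) and ignores the ordinary JSON-RPC call and the bare port-80 connection; the third line shows why payload inspection matters, since that miner talks to a pool over 443.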
Ongoing Vigilance
The SonicWall report warns that the decline in ransomware is likely temporary, with researchers anticipating a rebound in the second half of 2023. The combination of cryptojacking’s stealth and ransomware’s profitability creates a dual threat environment in which organizations must defend against both attack vectors at the same time.
Education and government sectors have been particularly hard hit, with opportunistic threat actors targeting institutions that often lack robust cybersecurity budgets. Financially motivated threat actors continue to search for the weakest points of entry with the lightest possible repercussions, limiting their risk while maximizing potential profits.
Final Takeaway
The 399% surge in cryptojacking is not a temporary anomaly — it represents a strategic shift by sophisticated threat actors toward attacks that are harder to detect and prosecute. With Bitcoin trading around $29,210 and Ethereum near $1,860 at the time of this report, the financial incentive for cryptocurrency-related cybercrime remains strong. Organizations must adapt their security strategies to address both the loud, disruptive threat of ransomware and the quiet, persistent threat of cryptojacking. The most dangerous attack is not the one that makes headlines — it is the one you never notice.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for your specific needs.
788% jump in europe is nuts. my company's kubernetes cluster got hit last month, someone deployed a hidden xmrig container
kubernetes clusters are the perfect target. most teams don't monitor resource usage closely enough to catch a single xmrig pod among hundreds
we found an xmrig pod in our cluster last quarter. it was disguised as a metrics exporter. it had been running for 3 weeks before anyone noticed the CPU spike
cpu_thief kubernetes clusters are basically free money for attackers. most teams can't even tell you how many pods they have running, let alone catch one mining xmrig
Ransomware dropping 41% while cryptojacking surges makes perfect sense. Why deal with hostage negotiations when you can silently steal compute cycles?
ransomware requires negotiation skills and OPSEC. cryptojacking is set-and-forget. the economics made this inevitable
ransomware also requires cashing out, which exposes the attacker. cryptojacking mines directly to your wallet. the opsec advantage is massive
^ exactly this. lower risk, steadier payout, and most victims don't even notice for weeks
788% jump in europe is insane. my SOC team caught an xmrig pod last month disguised as a prometheus exporter. it ran for 2 weeks before anyone noticed the CPU allocation
788% jump in europe and my company still doesn't have runtime threat detection on our containers. some people never learn until they get the AWS bill