Hackers are using your site's visitors to mine cryptocurrency. Visitor browsers freeze, your rankings drop, and your server bills climb.
Cryptomining malware uses your visitors' CPUs to mine cryptocurrency (usually Monero) for the attacker. The JavaScript miner runs invisibly in the background while someone browses your pages, quietly generating coins that get sent to the attacker's wallet.
Your visitors notice quickly — their laptops get hot, fans spin up, browsers slow down. They leave and don't come back. Google notices too: drive-by mining is explicitly flagged as a Safe Browsing violation, which can add your domain to the malware blacklist.
Miners are typically injected via compromised plugins, themes with known vulnerabilities, or through advertising code in compromised ad networks. The mining scripts are often obfuscated and loaded from third-party domains to evade static analysis.
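Because injected miners are usually pulled in from third-party domains and often obfuscated, one practical check is to audit which hosts a page loads scripts from. The following is an added example, not code from this page or its authors: the function name `audit_scripts`, the allowlist, the hostnames and the obfuscation-hint pattern are all assumptions chosen for illustration, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic markers of packed/obfuscated JavaScript (assumption; legitimate code can match).
OBFUSCATION_HINTS = re.compile(r"eval\s*\(|atob\s*\(|String\.fromCharCode|[A-Za-z0-9+/=]{200,}")

class ScriptCollector(HTMLParser):
    """Records every <script src=...> URL and the body of every inline script."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._capture = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._capture = True
                self.inline.append("")
    def handle_data(self, data):
        if self._capture:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._capture = False

def audit_scripts(html, page_url, allowed_hosts):
    """Return (unexpected third-party script hosts, inline scripts matching the hints)."""
    collector = ScriptCollector()
    collector.feed(html)
    site_host = urlparse(page_url).hostname
    unexpected = set()
    for src in collector.sources:
        host = urlparse(urljoin(page_url, src)).hostname  # resolves relative and // URLs
        if host and host != site_host and host not in allowed_hosts:
            unexpected.add(host)
    flagged = [body.strip() for body in collector.inline if OBFUSCATION_HINTS.search(body)]
    return sorted(unexpected), flagged

# Constructed sample page (not taken from a real infection).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//static.example.org/m.js"></script>
<script>var greeting = "hello";</script>
<script>eval(atob("Y29uc3RydWN0ZWQ="));</script>
</head><body></body></html>"""
```

Any host in the first list that you did not add yourself, and any flagged inline script you cannot account for, is worth tracing back to the plugin, theme or ad tag that emitted it.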
Likely — visitor CPU spikes and laptop fan noise are hard to miss. Once the miner is removed, your site's performance returns to normal immediately. Consider a short apology/explanation post on your blog to rebuild trust if the infection was prolonged.
Client-side miners (running in visitor browsers) don't directly hurt your server, but server-side miners — which run on your hosting account — can crash the server from CPU overload. We check for both types and remove whichever is present.
Google's Safe Browsing program actively detects drive-by mining as an Unwanted Software violation. Once flagged, browsers (Chrome, Firefox, Safari) show red warnings to visitors. Cleanup plus a Search Console removal request restores normal access, usually within 72 hours.
The longer malware stays, the harder recovery becomes.