INTRODUCTION
There is something unsettling about a crime that leaves no visible wound. Cryptojacking, the covert hijacking of another person’s computing resources to mine cryptocurrency, operates precisely on that principle. Unlike ransomware, which announces itself with a demand, or data theft, which eventually surfaces in a breach notification, cryptojacking can persist for months without the victim ever noticing. The harm is diffuse: electricity bills creep upward, systems slow almost imperceptibly, and somewhere on the other side of the internet, an attacker accumulates digital currency at the victim’s expense.
This article traces how cryptojacking emerged, how existing legal frameworks have been stretched to address it, where those frameworks still fall short, and what a more coherent response might look like.
FROM BITCOIN TO BROWSER SCRIPTS: A BRIEF HISTORY
When Bitcoin was introduced in 2009, mining it required nothing more sophisticated than a personal computer. The network was young, the cryptographic puzzles comparatively simple, and the community small. As the network matured and the computational difficulty of mining increased, that accessibility vanished. By 2017, a different calculation had taken hold among a subset of cybercriminals. Rather than investing in expensive mining hardware, they started using someone else’s.
The vehicle was JavaScript. Attackers began embedding lightweight mining scripts, most commonly targeting Monero, a privacy-focused cryptocurrency particularly amenable to CPU-based mining, into compromised websites and advertising networks. Any visitor to an infected site would, without any awareness, contribute their processor’s cycles to the attacker’s mining operation. The compromise of The Los Angeles Times website, where a mining script was inserted into the weather page and silently ran in the browsers of thousands of visitors, became one of the early emblems of the technique.[1]
Within a relatively short period, major cybersecurity firms were reporting cryptojacking as among the most rapidly expanding categories of cybercrime.[2] As defences against browser-based mining improved and the Coinhive mining service shut down in 2019, attackers pivoted to cloud environments: corporate servers, misconfigured containers, and compromised cloud service accounts offered vastly more computational power. What began as a nuisance evolved into organised digital theft.
HOW THE LAW HAS RESPONDED
Unauthorised Access and Computer Misuse
In both the United States and the United Kingdom, the primary legislative instruments remain statutes drafted well before anyone had conceived of blockchain technology. The Computer Fraud and Abuse Act 1986 (CFAA) and the Computer Misuse Act 1990 (CMA) were designed to criminalise intrusions into computer systems, and courts have applied them with reasonable flexibility to cryptojacking conduct. A brief comparison reveals that the US CFAA focuses on unauthorized access to protected computers and permits both criminal and civil actions, enabling victims to seek damages directly. By contrast, the UK CMA primarily emphasizes criminal liability for unauthorized access and system interference, offering more limited direct civil remedies for cryptojacking victims.
Theft, Fraud, and the Misappropriation of Services
Cryptojacking also maps, with some effort, onto traditional theft and fraud frameworks. In United States v Charles O Parks[3], the defendant defrauded cloud providers of computing capacity worth millions of dollars in order to mine cryptocurrency.[4] He was charged with wire fraud and ordered to forfeit his proceeds, and the case illustrated prosecutors’ willingness to reach for economic crime statutes when computer misuse provisions alone seem inadequate. The forfeiture element is particularly significant: it signals that the benefits of cryptojacking are recoverable, not merely subject to a custodial sentence.
Cryptocurrency as Property: The Civil Dimension
Recognising cryptocurrency as property provides cryptojacking victims with practical civil remedies beyond criminal prosecution. Victims may seek proprietary injunctions, trace misappropriated crypto through exchanges and wallets, freeze assets, and pursue claims in conversion, unjust enrichment, or restitution. This increases the likelihood of recovering losses and holding perpetrators financially accountable.
Asset Recovery and Forfeiture
Once mined, cryptojacked coins present a laundering challenge. Attackers typically route proceeds through mixing services or decentralised exchanges to obscure the trail. Despite this, asset forfeiture frameworks, the Proceeds of Crime Act 2002 in the United Kingdom and 18 USC section 981 in the United States, provide mechanisms for confiscating the proceeds of such crimes. In United States v Thompson[5], which involved both data theft and crypto mining, the court treated mined cryptocurrency as a financial benefit subject to restitution and forfeiture orders. An English court’s characterisation of 61,000 Bitcoins as criminal property in R v Qian[6] reinforced the principle that crypto assets derived from criminal conduct are amenable to confiscation, even where their ultimate valuation is contested.
WHERE THE LAW STILL FALLS SHORT
Attribution and Proving Intent
Criminal liability requires more than establishing that a script ran on a victim’s machine. Prosecutors must prove that a specific defendant deployed that script knowingly and without authorisation. In practice, cryptojacking infrastructure is often layered. Scripts are served through compromised third-party websites, traffic is routed through anonymising services, and mining proceeds land in wallets that are difficult to connect to any individual. Establishing mens rea demands digital forensics of considerable sophistication, and even then, the evidence can be challenged at trial.[7]
The Definitional Problem
A central legal challenge is determining how computational power should be classified. Treating it as property would extend theft protections to unauthorized appropriation of processing resources, while classifying it as a service would emphasize the unlawful consumption of computing capacity. Alternatively, recognizing computational power as a distinct legal interest may better reflect its unique characteristics as a valuable yet intangible digital resource, enabling tailored remedies and clearer liability standards for cryptojacking.
Jurisdictional Fragmentation
Cryptojacking is almost inherently transnational. A victim’s server may sit in one country, the attacker may operate from another, the mining pool receiving the proceeds may be incorporated in a third, and the exchange eventually used to cash out may be subject to the laws of a fourth. Mutual Legal Assistance Treaties, the primary vehicle for cross-border evidence sharing, were designed for a slower era of criminal investigation and routinely fail to match the pace of rapid cyber schemes. The result is that many cryptojacking operations simply go unprosecuted because no single jurisdiction can assemble a complete case.
Quantifying the Harm
Sentencing and civil damages both require harm to be quantified, and cryptojacking makes that uncomfortable. How does one price the degraded performance of a server over three months? Courts have approached these questions inconsistently, sometimes anchoring damages to the cost of computing time at market rates, sometimes to electricity bills, sometimes to the value of coins mined. Without clearer guidance, victims face difficulty establishing damages and defendants face unpredictable sentencing outcomes.
The Regulatory Blind Spot
Legislative reform has been slow to catch up. The EU’s NIS 2 Directive[8] represents a significant step forward in cybersecurity regulation but focuses primarily on protecting network and information systems. It addresses cryptojacking only indirectly, by mandating stronger cybersecurity risk management, incident reporting, supply-chain security, and vulnerability mitigation measures, thereby reducing opportunities for unauthorized cryptocurrency mining attacks. Organisations are not routinely required to report crypto mining incidents, meaning that the true scale of the problem remains unmeasured and enforcement agencies lack the data needed to calibrate their responses.
CONCLUSION
Cryptojacking is, in the fullest sense of the phrase, a crime of the digital age, because it exploits assets and mechanisms that the law was not designed to govern. Processing power, electricity, and cloud infrastructure are the commodities at stake, and they sit awkwardly within legal frameworks built around physical objects and obvious intrusions.
Courts have responded with admirable flexibility. Cases such as AA v Persons Unknown and United States v Parks demonstrate a willingness to read existing statutes purposively and to treat crypto assets as property amenable to both criminal forfeiture and civil recovery. That is progress. But flexibility has its limits, and the absence of a coherent, internationally harmonised definition of cryptojacking as a distinct offence continues to produce gaps in attribution, in quantification, and in cross-border enforcement.
The need of the hour is statutory clarification that the unauthorised use of another’s computational resources for financial gain constitutes a distinct and separately charged offence, accompanied by sentencing guidelines that address the specific harms cryptojacking causes and by strengthened mutual assistance frameworks capable of operating at digital speed. The crime is silent; the legal response should not be.
Author: Priyam Pratik (Allahabad University, Faculty of Law, Main Campus)
References:
[1] Lily Hay Newman, ‘Your Browser Could Be Mining Cryptocurrency For a Stranger’ (WIRED, 28 October 2017) <https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser> accessed 22 October 2025
[2] ‘Mining for Virtual Gold: Understanding the Threat of Cryptojacking’ (Marsh, August 2018) <https://www.marsh.com/content/dam/marsh/Documents/PDF/pl/cryptojacking-understanding-the-threat-marsh-insight-2018.pdf> accessed 22 October 2025
[3] United States v Charles O Parks III [2025] ED NY Docket No 24-CR-105 (EK)
[4] ‘Crypto Influencer Sentenced to Prison for Multi-Million Dollar Cryptojacking Scheme’ (US Department of Justice, 15 August 2025) <https://www.justice.gov/usao-edny> accessed 22 October 2025
[5] United States v Paige A Thompson [2025] No 22-30179 (9th Cir 2025)
[6] R v Zhimin Qian and Seng Hok Ling [2025] Case No T20220112
[7] ‘Legal Defenses in Crypto-Jacking Cases: Understanding Complex Digital Crime’ (Simmons and Wagner LLP, 26 January 2025) <https://www.simmonswagner.com/legal-defenses-in-crypto-jacking-cases-understanding-complex-digital-crime/> accessed 22 October 2025
[8] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) [2022] OJ L333/80

