Cryptojacking is often treated as a nuisance-level threat — low on the priority list compared to ransomware or data exfiltration. But recent campaigns, including those attributed to the threat group JINX-0132, have exposed a far more systemic issue: attackers are abusing control plane misconfigurations in cloud and DevOps environments to quietly hijack compute at scale.

These attacks don’t rely on zero-day exploits. Instead, they capitalize on operational gaps — exposed APIs, lax access controls, and unaudited runtime behavior. The result is often a silent drain on cloud budgets and degraded infrastructure performance that goes undetected until costs spike or workloads fail to meet SLAs.

The Shift in Tactics: Control Plane, Not Code

Groups like JINX-0132 are targeting platforms such as HashiCorp Nomad, Consul, Docker, and Gitea. In many cases, systems are deployed with default settings that leave them publicly accessible or allow anonymous job execution. Once identified, attackers submit jobs or containers that run XMRig or similar mining payloads.

Because these operations use native APIs and run as seemingly legitimate workloads, they often bypass conventional security tools. What’s more, infrastructure teams may not realize that a new job pulling 90% of CPU/GPU over days is unauthorized — until cloud costs or capacity constraints trigger alarms.

Why Traditional Security Isn’t Catching It

The problem isn’t a lack of security tooling — it’s a lack of observability in the right layers. Most detection strategies focus on guest-level behavior or known malware signatures. But these attacks occur above the guest OS, often as authorized actions in an insecure or misconfigured environment.

What’s missing in many organizations is real-time visibility into:

• Infrastructure configuration drift, especially public exposures or weakened ACLs
• Control-plane activity, such as job deployments and container launches
• Anomalous resource utilization tied to previously unseen workloads

This is where infrastructure observability — traditionally seen as a performance or operations function — becomes critical to security.

Mapping the Cryptojacking Chain to Observability Signals

Chart courtesy of Crandall

By embedding observability into these phases, teams can reduce dwell time, contain resource abuse early, and ensure accurate attribution for response and remediation.

5 Practices to Reduce Exposure

1. Audit and monitor infrastructure configurations continuously, especially for cloud-native tools and internal platforms exposed to the internet.
2. Instrument control-plane activity, including job scheduling APIs, container deployments, and image fetches.
3. Establish baselines for workload behavior, then detect and respond to significant deviations in compute, memory, or egress.
4. Correlate operational telemetry with financial data, making cost anomalies a detection vector — not a retrospective audit.
5. Ensure traceability from deployed workloads back to the user, token, or system that triggered them.

Observability as a Security Signal

The infrastructure layer is no longer just a performance concern — it’s a security surface. As attackers increasingly rely on operational blind spots, organizations must evolve their visibility strategies. That means combining traditional performance telemetry with control plane insights and configuration state awareness to detect abuse that evades traditional controls.

Whether the goal is to detect cryptojacking, stop unauthorized lateral movement, or prevent supply chain tampering, the ability to observe and attribute behavior across the full stack is now essential.

Infrastructure observability isn’t just about uptime anymore — it’s about control. And for many organizations, it may be the only line of defense standing between misconfiguration and massive compute loss.