Cryptojacking is on the rise but massively under-reported, Guidewire’s senior director of cyber-security tells Insurance Times why insurers should be aware of this emerging risk

Cryptojacking – it’s “the umbrella term for malicious and nefarious cryptomining” and both the UK and the US have been “hit heavily” with this particular cybercrime.

This is according to Guidewire’s senior director of cyber security, Matt Honea, and he tells Insurance Times that for insurers, this uptick could potentially lead to lawsuits, which is why the sector needs to be aware. “Cryptojacking is not going away, I think it’s going to continue to rise,” he says.

For example, Unit 42, the threat intelligence arm of cyber security firm Palo Alto Networks, reported that cryptojacking now affects at least 23% of organisations globally that maintain cloud infrastructures – and many firms are known to use the cloud.

When asked about the reason for the rise in cryptojacking, Honea says: “Cryptocurrencies have held their value” and are just like cash, except crypto is a global currency.

With cryptojacking, the end goal is to get cryptocurrencies from companies so that they can be used in the same manner as cash.

Honea defines cryptojacking as “cryptominers with nefarious intent to steal money from companies or other people’s resources”. It has also been defined as unauthorised cryptomining.

As cryptojacking increases, what can the insurance industry do to better prepare and how could these attacks impact insurers’ bottom lines?

Under-reported and undetectable

Honea fears that this crime is going under-reported as it’s not seen as a big problem - this is because it is very difficult to see how embedded attacks are.

“Our ability to find cryptojacking is almost non-existent today because we think about malicious software as taking and encrypting data; we don’t think about malicious software as using the central processing unit (CPU).

“We are not looking at it from this new lens, which is why I think the industry [needs to] evolve and start looking at detection and then we will see under our nose what has been happening this whole time,” Honea says.

Although the ability to detect cryptojacking generally is not available, it may be detectable by a small overspend in a server bill, for example.

Honea says that systems could be infected for a while before cryptojacking is noticed and then when that company tries to claim, stating that they were hacked a year ago, “that could hit the bottom line of insurance companies” – especially if there is a snowball effect.

“The cost of the claim is proportionate to the access” Honea says.


Back in 2018, ransomware dominated headlines, but cryptojacking has since been deemed the most prevalent threat in recent years, according to a report from Webroot Smarter Cybersecurity.

Cryptojacking works when a user unknowingly clicks on a malicious link via a phishing email, for example; this then allows a cryptomining code to be loaded on to the computer.

Meanwhile, Cyence – Guidewire’s risk modelling business - has seen “an uptick in ransomware over all industries, quarter over quarter for the last six quarters. The US is still the dominant target for attackers. The data shows that roughly for every one ransomware attack reported in the UK, there are 40 in the US,” Honea says.

The aim of Cyence is to evaluate the IT hygiene of businesses and Guidewire is on a mission to help insurers understand these risks.


For insurers, Honea says they need to be aware of cyber threat coverage, as like all cyber-based crimes “these things change really quickly”.

“I do not think a lot of policies are defined today, so there might be some exposure there that they are not aware of or that they have under accounted for,” he continues.

Meanwhile, cryptojacking involves penetrating systems and installing the mining software.

For mainframe systems, Honea warns that it could really impact the target company as the idea is to use a firm’s resources to mine a coin in a stealth-like manner, without getting caught, and stay in the system as long as possible.

The risk is if this is misconfigured it could potentially take down an entire mainframe system of a company, and “now that company to going to suffer major business interruption”.

“That’s really important for insurance companies as they [deal with] business interruption and that could be a huge loss. Even if no data was taken, it’s having a server go down for hours or days,” he adds.

However, if an attacker gets in and cannot install their mining software, Honea warns that the cryptojacker could decide to turn this attack into a cyber breach by stealing some data and extorting a company for ransom to get cash.

But Honea says the cryptojackers are not after specific data. “Cryptojacking is designed to be as least intrusive as possible, not evoke suspicions, not be detected by antivirus,” he explains. 

”It’s not supposed to touch very much data because once you start touching data, that’s how people catch you – and that’s not the goal.”

Honea adds: “For an attacker, the ability to deploy one script and infect many is going to drastically affect their return.”

He explains that an attacker only has to infect a few computers or phones without getting caught and that it would create a good profit.

Good hygiene

“The solution is to get better in our detection” Honea adds. He suggests having a baseline temperature for CPUs and checking this regularly.

“For companies, the number one goal is more visibility into their systems. Security is always underfunded, and an uphill battle,” he says.