Article

Risk Assessment of Cryptojacking Attacks on Endpoint Systems: Threats to Sustainable Digital Agriculture

1 Department of Cybersecurity, International IT University, Manas Str., 34/1, Almaty A15M0E6, Kazakhstan
2 Department of Information Systems, International IT University, Manas Str., 34/1, Almaty A15M0E6, Kazakhstan
3 Faculty of Information Technology, Taras Shevchenko National University of Kyiv, Volodymyrs’ka Str., 64/13, 01601 Kyiv, Ukraine
4 Education and Research Institute of Energetics, Automation and Energy Efficiency, National University of Life and Environmental Sciences of Ukraine, Heroiv Oborony Str. 15, 03041 Kyiv, Ukraine
* Author to whom correspondence should be addressed.
Sustainability 2025, 17(12), 5426; https://doi.org/10.3390/su17125426
Submission received: 1 April 2025 / Revised: 26 May 2025 / Accepted: 6 June 2025 / Published: 12 June 2025
(This article belongs to the Section Sustainable Agriculture)

Abstract

Digital agriculture has rapidly developed in the last decade in many countries where the share of agricultural production is a significant part of the total volume of gross production. Digital agroecosystems are developed using a variety of IT solutions, software and hardware tools, wired and wireless data transmission technologies, open source code, Open API, etc. A special place in agroecosystems is occupied by electronic payment technologies and blockchain technologies, which allow farmers and other agricultural enterprises to conduct commodity and monetary transactions with suppliers, creditors, and buyers of products. Such ecosystems contribute to the sustainable development of agriculture, agricultural engineering, and management of production and financial operations in the agricultural industry and related industries, as well as in other sectors of the economy of a number of countries. The introduction of crypto solutions in the agricultural sector is designed to create integrated platforms aimed at helping farmers manage supply lines or gain access to financial services. At the same time, there are risks of illegal use of computing power for cryptocurrency mining—cryptojacking. This article offers a thorough risk assessment of cryptojacking attacks on endpoint systems, focusing on identifying critical vulnerabilities within IT infrastructures and outlining practical preventive measures. The analysis examines key attack vectors—including compromised websites, infected applications, and supply chain infiltration—and explores how unauthorized cryptocurrency mining degrades system performance and endangers data security. The research methodology combines an evaluation of current cybersecurity trends, a review of specialized literature, and a controlled experiment simulating cryptojacking attacks. The findings highlight the importance of multi-layered protection mechanisms and ongoing system monitoring to detect malicious activities at an early stage.

1. Introduction

The digital agricultural ecosystem [1] is a synthesis of methods, solutions, and technologies for improving the technological cycle of agricultural production and management of agricultural enterprises. It includes many well-known solutions, including precision farming using satellite navigation and UAVs, robotic processes for harvesting, weeding, spraying, and plant monitoring, big data analytics for making management decisions, and blockchain for managing financial transactions. Crypto solutions in the agricultural sector use data, algorithms, and analytics based on regulation and human capital. Countries with a high share of agricultural production and exports in the overall economy issue agrotokens [2]. An earlier study [1] summarizes the development trends of digital agricultural ecosystems in the Philippines, Brazil, and Argentina. Figure 1 shows the main elements of the digital agroecosystem and the interactions between the links of the structure.
Cryptojacking (the illegal use of computing power to mine cryptocurrencies) can pose a serious threat to the sustainable development of agriculture:
  • It increases the load on energy resources, which increases energy costs and reduces its availability for agricultural purposes, increasing carbon emissions, which negatively affects the environment and ecosystems and contradicts the principles of sustainable development.
  • System recovery from cryptojacking attacks negatively affects the financial viability of agricultural enterprises.
  • It reduces data security: cryptojacking malware can disrupt the operation of information systems, which will lead to data loss and reduced management efficiency in agriculture.
In recent years, cryptojacking has become a serious problem for both organizations and end users. By injecting malicious code into legitimate websites, software applications, or software updates, attackers can stealthily exploit CPUs and GPUs at endpoints. This can go undetected for long periods of time, resulting in significant risks: degraded system performance, increased energy costs, hardware degradation, and potential reputational damage [3,4]. The increasing prevalence of cryptojacking is due to the popularity of blockchain-based digital assets and the perceived anonymity associated with cryptocurrency transactions [5,6].
The distributed nature of endpoints—ranging from personal computers in remote work environments to mobile devices—exacerbates this threat, as these systems may lack the robust security controls typically found in centrally managed servers [7]. Consequently, the ability of organizations’ IT departments to maintain endpoint security measures is often limited, making such devices prime targets for cybercriminals [8,9].
Despite the growing awareness of cryptojacking, many organizations rely on qualitative approaches to assess cyber risks [10]. These are useful for preliminary categorization of threats, but may not capture all the financial impacts of cryptojacking attacks, including intangible costs associated with lost productivity and reputational damage [11]. In order to implement a successful risk management strategy, in addition to qualitative assessment, quantitative indicators of assessment models are also necessary. With their help, it is possible to allocate resources while taking into account the level of risk, as well as to align cybersecurity costs with business goals [11,12].
In this study, we aim to provide an examination of cryptojacking threats by focusing on their attack vectors, operational mechanisms, and detection challenges. Particular attention is given to the inclusion of quantitative risk assessment frameworks to improve decision-making processes.
Cryptojacking attacks often serve as a gateway to more sophisticated intrusions, allowing lateral movement into the victim’s network and potential data exfiltration [7]. Attackers can gather intelligence on network configurations, user behavior, and security protocols while continuing to mine cryptocurrency. The dual-purpose use of cryptojacking highlights its complexity, where financial gain from mining is the immediate incentive, and the expanded penetration capabilities allow for additional tasks such as espionage or ransomware deployment [4,6]. Therefore, organizations should consider cryptojacking not just as an isolated threat, but as an entry point for more serious compromises of critical assets and data. This paper quantifies the risks of cryptojacking based on established methodologies [10,11]. Various detection and mitigation strategies are outlined, ranging from technical measures (network monitoring tools, endpoint security solutions) to organizational measures (policy adjustments, employee training). Section 5 and Section 6 summarize the findings and suggest future research directions, offering ideas for strengthening endpoint security against cryptojacking.

2. Literature Review

Over the past few years, cryptojacking has evolved from a niche attack vector to a widespread threat with significant financial and operational implications for organizations. Palko et al. [13] trace the evolution of basic browser-based mining scripts into sophisticated malware that lingers on endpoints beyond a single browsing session. The article [14] compares the profitability of cryptojacking with ransomware, where the continuous hijacking of victims’ computing power can yield comparable or greater profits without the explicit ransom demands typically associated with ransomware campaigns. Adjibi et al. [15] reveal the widespread presence of cryptojacking in mobile ecosystems, where malicious apps throttle CPU usage to avoid user detection.
Risk assessment is central to addressing both the immediate and long-term impacts of cryptojacking. Bijmans et al. [16] point out that fileless cryptomining complicates quantification of operational risk because it evades signature-based antivirus measures. Tekiner et al. [17] highlight the financial burden when cryptojacking occurs in auto-scaling cloud environments, inadvertently increasing the attackers’ potential profits and inflating victims’ cloud computing bills. Cryptojacking is a highly adaptable, multi-platform threat with implications far beyond simply reducing productivity [13,14,15,16,17]. Carlin et al. [18] show how cryptojacking campaigns are using increasingly sophisticated attack vectors to penetrate endpoint systems. Sudhakar and Kumar [19] highlight that cryptojacking often involves living-off-the-land tactics—particularly via PowerShell and Windows Management Instrumentation (WMI)—thus evading traditional antivirus solutions. Rani et al. [20] examine supply chain compromise, pointing out how legitimate updates inadvertently spread cryptomining scripts to a large number of endpoints.
Varlioglu et al. [21] focus on the emergence of fileless cryptojacking malware that resides solely in volatile memory, complicating detection and forensics. Caprolu et al. [22] illustrate how stealth methods exacerbate the challenges of quantifying risk, as organizations must measure ongoing infrastructure usage, hidden energy costs, and reputational damage. Laimon et al. [23] analyze how increased CPU/GPU usage leads to accelerated hardware depreciation and inflated energy bills, which are not detectable by traditional qualitative assessments. The model proposed by Senova et al. [24] is based on the Monte Carlo method and allows enterprises to estimate potential financial losses from cyberattacks by simulating cryptocurrency price fluctuations and different durations of intrusions. Le et al. [25] present an adaptation of FAIR (Factor Analysis of Information Risk) to cryptojacking by examining the annualized loss expectancy (ALE) in cloud deployments.
Kure et al. [26] map endpoint vulnerabilities to operational significance: servers dedicated to mission-critical tasks may suffer disproportionately high financial and reputational losses from cryptojacking. Pendleton et al. [27] criticize the lack of standardized metrics in cryptojacking risk models. The above work suggests that a better understanding of the harm caused by cryptojacking can be achieved using quantitative risk assessment methods: probabilistic processes, cost analysis, and continuous monitoring. Varlioglu et al. [21] highlight how dynamic resource throttling allows rogue miners to continuously modulate CPU and GPU usage, effectively evading static thresholds and anomaly-based detection by blending in with legitimate processes. Poh et al. [28] describe how deep packet inspection or SSL interception—potentially critical for detecting cryptomining traffic over encrypted channels—often conflict with data protection requirements (e.g., GDPR).
Ferdous et al. [29] highlight cross-platform heterogeneity, with attacks spreading across Windows, macOS, Linux, mobile OS, and IoT devices. Caprolu et al. [22] note inconsistent data collection across many enterprises, which hinders the calibration of probabilistic models needed to accurately assess the financial impact of cryptojacking.
Laimon et al. [23] note that limited disclosure of incidents further hampers large-scale empirical research; many victims choose to remain silent to avoid reputational damage, resulting in a dearth of reliable cryptojacking data. As a result, the broader community lacks the evidence to validate or refine advanced risk assessment frameworks.
Table 1 summarizes the key issues and their relevance to cryptojacking risk assessment and recommends potential mitigation strategies.
Ferdous et al. [29] note that segmentation of internal networks and verification of each transaction between endpoints can reduce the lateral spread of malicious miners and generate high-resolution telemetry invaluable for risk assessment. Rose et al. [30] point out that zero-trust frameworks often include multi-factor authentication and micro-segmentation, which thwart cryptojacking campaigns.
Böhme et al. [31] call for standardized financial metrics such as cost per CPU cycle to allow for clearer comparison of cryptojacking losses across different infrastructures and regions, while [32] emphasizes the importance of insurance incentives and regulatory safe harbors, preempting disclosure without penalizing victims for admitting security breaches. Such measures could lead to richer databases of cryptojacking incidents. One persistent problem is the lack of standardized loss metrics, as indirect costs such as reputational damage, downtime, or service degradation are typically overlooked or treated strictly qualitatively [14,23,27]. At the same time, dynamic resource throttling tactics continue to evolve, allowing rogue miners to mimic legitimate CPU or GPU usage patterns [21].
Another pressing issue is cross-platform heterogeneity, as cryptojacking has spread across Windows, macOS, Linux, mobile systems, and IoT devices [19]. Organizations may be reluctant to report cryptojacking due to reputational concerns or regulatory requirements, resulting in incomplete data sets to refine detection algorithms and risk models [22,23,31]. Tensions over privacy and regulation often arise when defenders rely on deep packet inspection (DPI), SSL interception, or logs to detect covert cryptomining traffic—methods that may conflict with data protection requirements [28,32].
To overcome these obstacles, many researchers point to Monte Carlo simulations as a valuable method for quantifying the risk of cryptojacking. By randomly sampling from cryptocurrency price distributions, intrusion timeframes, CPU/GPU utilization, and potential detection rates, Monte Carlo models offer a robust way to predict financial losses under a variety of scenarios [17,24,25]. This approach is particularly useful in cloud or auto-scaling environments, where resource spikes can be unpredictable and stealthy miners use on-demand provisioning to amplify their gains.
Monte Carlo outputs such as value-at-risk (VaR) or probability distribution functions (PDFs) of expected losses can help security managers allocate resources proportionally to their actual risk. To improve the applicability of Monte Carlo, some authors integrate machine learning (ML) pipelines that detect anomalies in CPU/GPU utilization and then feed this telemetry into probabilistic risk models for real-time updates [16,19,21]. This synergy allows organizations to capture both the immediate signals of cryptojacking (limited resource consumption patterns) and the long-term financial impacts arising from equipment degradation, energy bills, and potential downtime [14,23].
In parallel, cross-platform monitoring frameworks aim to aggregate OS-specific telemetry into a single risk dashboard, reducing fragmentation [19]. Zero-trust principles can further limit the lateral spread of cryptojacking, even if an attacker compromises a single endpoint [29,30]. Regulatory safe harbors and standardized cost metrics incentivize organizations to share anonymized data on cryptojacking incidents without facing legal or reputational repercussions [31,32]. Taken together, these unsolved issues and promising solutions support an integrated strategy that combines adaptive ML pipelines, Monte Carlo simulations, modular endpoint agents, and zero-trust architectures with coordinated policy efforts.
Using Monte Carlo as a risk assessment tool along with advanced ML-based detection offers a comprehensive plan to mitigate the impact of cryptojacking. Cryptojacking has rapidly evolved from simple browser-based scripts to sophisticated multi-platform malware capable of evading traditional detection methods. Research by Palko et al. [13] confirms that hijacked computing power can generate revenue comparable to or greater than ransomware, but with less visibility and less direct interaction with the victim. This trend is reinforced by findings on mobile cryptojacking [15] and fileless infections [16,20], indicating that malware authors are increasingly using stealth, legitimate utilities, and dynamic resource throttling.
Furthermore, cryptojacking’s adverse effects—ranging from performance degradation and heightened electricity costs to potentially significant reputational damage—underscore the necessity for thorough risk assessment. While Monte Carlo simulations [17,24,25] and FAIR-based modeling [25] offer promising paths to quantifying financial loss expectancy, key challenges persist: cross-platform heterogeneity [19], inconsistent data collection [22], and privacy or regulatory obstacles tied to deep packet inspection [28]. Ultimately, integrating machine learning pipelines for anomaly detection with probabilistic frameworks (e.g., Monte Carlo) appears vital for capturing both immediate indicators of covert mining and the broader economic impacts of long-term, persistent infections. Complementary measures—such as zero-trust architectures [29,30], standardized cost metrics [31], and safe-harbor policies [32]—can enhance collaboration and data sharing, reducing underreported incidents while guiding effective resource allocation. This synthesis of technical innovation, quantitative modeling, and policy reforms stands out as the most comprehensive strategy for mitigating cryptojacking’s evolving threat.
The need for a more qualitative risk assessment is due to the increase in user losses from cryptojacking, namely a drop in the productivity of hardware resources, an increase in electricity consumption and, importantly, reputational losses.
Despite advances in cryptojacking research, significant gaps remain in standardized quantitative risk assessment, particularly with respect to indirect costs and dynamic attack vectors. To overcome these limitations, this paper proposes a methodology that combines attack tree analysis and Monte Carlo simulation to provide a more accurate and actionable cryptojacking risk assessment:
- A graphical attack tree analysis method to determine the probability of cryptojacking attacks;
- A Monte Carlo method to obtain the final risk assessment results (in particular, by predicting potential losses through the generation of random cost values).
The research hypothesis can be formulated as follows: the proposed quantitative risk assessment model provides a more accurate assessment of potential financial losses from cryptojacking attacks on end-systems in digital agriculture compared to qualitative risk assessment methods.

3. Method

3.1. Algorithm for Cryptojacking Risk Assessment and Forecasting

The best cryptojacking risk analysis comes from a structured approach that includes statistical and predictive models, as well as financial analysis. Threat types are constantly changing, so risk assessment methods need to be tailored to the evolving strategies of attackers.
Unlike traditional cyberattacks that focus on data theft or system disruption, cryptojacking emphasizes stealth and resource hijacking. Attack probabilities are quantified using Bayesian networks [33], Monte Carlo simulations [34], and graphical attack trees to systematically model how cryptojacking penetrates endpoint systems [35]. Probabilistic modeling methods are particularly relevant in assessing the risk of cryptojacking due to the stochastic nature of attack occurrence. For example, Bayesian networks allow risk probabilities to be continuously updated based on new observed data, making them highly effective in dynamic threat environments. Monte Carlo simulations, on the other hand, allow cybersecurity analysts to account for uncertainty by generating a range of possible attack outcomes based on variable input data. Graphical attack trees further complement these methods by visually displaying the various paths an attacker could take to achieve cryptojacking on a system, enabling enterprises to prioritize mitigation efforts against high-risk attack vectors.
The fundamental equation used in cybersecurity risk modeling defines risk as
R = I · E
where R represents the total risk, I is the probability of an attack, and E is the expected financial or operational impact. The probability component is further expressed as
I = T · V
where T is the threat likelihood, and V is the vulnerability level of the system [10].
These equations form the basis of modern risk assessment methodologies, including NIST SP 800-30 [10] and FAIR (Factor Analysis of Information Risk) [11]. Their applicability to cryptojacking risk assessment is particularly valuable because they allow analysts to quantify both the likelihood of an attack and the financial impact. By decomposing likelihood into threat probability (T) and vulnerability level (V), organizations can differentiate external risks (e.g., increased cryptojacking campaigns) from internal security gaps (e.g., outdated endpoint defenses). To further refine this risk analysis, attack tree models are used to systematically map cryptojacking attack paths and identify high-risk entry points [13]. Figure 2 shows an example of an attack tree used to assess cryptojacking risk. Each node represents a decision point in the attack chain, where probability values (e.g., a hypothetical 50% for clarity in Figure 2) and financial losses are assigned based on predefined parameters.
Probability values (Figure 2) and the associated financial losses for each node of the attack tree are derived through expert assessment and analysis of available information. Given the specificity of cryptojacking threats in the digital agriculture sector, where empirical data on incidents is often limited or unavailable, it is necessary to rely on gathering expert knowledge. This includes consultation with cybersecurity experts and agritech specialists who assess the probability of success of each attack step and the corresponding losses.
Figure 2 shows the use of different attack paths to quantify risk using the attack tree method. Risk is defined as the overall probability of an attack in any part of the tree using the logical AND operator in the formula
$$P_X = \bigwedge_{i}^{n} p(x_i) = p_{x_1} \wedge p_{x_2} \wedge \dots \wedge p_{x_n},$$
where $x_n$ represents individual events in the attack tree, $p_{x_n}$ is the probability of each independent event, and $P_X$ is the total probability of the attack occurring [36]. This mathematical framework is instrumental in determining the conditional probabilities of multi-stage cryptojacking attacks. In scenarios where an attacker must complete multiple distinct actions—such as gaining access to a vulnerable system, executing a malicious script, and maintaining persistence—the probability of the attack’s overall success is the intersection of these conditional probabilities.
Since cryptojacking attack components often operate independently, the overall attack probability can be computed using the multiplication rule for independent events:
$$P_X = \prod_{i}^{n} p(x_i) = p_{x_1} \cdot p_{x_2} \cdot \ldots \cdot p_{x_n}$$
This equation is particularly relevant when modeling large-scale cryptojacking campaigns, where individual systems are compromised autonomously, without relying on pre-established network toeholds. The infection probability for each device can be treated as independent, allowing for more accurate risk assessment in environments with varying security configurations. For example, an organization with a mix of patched and unpatched endpoints may exhibit heterogeneous attack probabilities across its network, requiring independent probability calculations for each subset of systems. This formula is particularly useful when modeling multi-stage attacks, such as supply chain infections, where an initial software compromise leads to malicious execution of the cryptojacking payload on multiple endpoints [20,37,38]. Multi-stage cryptojacking attacks often follow a structured kill-chain process, in which attackers use a series of sequential actions to infiltrate the network and deploy mining scripts. Incorporating probabilistic models into these scenarios allows security teams to identify the most vulnerable points in their supply chain and implement proactive mitigation measures.
Using data on past breaches and Bayesian probabilities, companies can quickly change their risk assessments to stay on top of new attacks. This adaptive approach improves the effectiveness of risk models.
Attack trees effectively model contention strategies, and fault trees provide an alternative structure for analyzing the security failures that contribute to successful cryptojacking incidents. A fault tree diagram (Figure 3) represents the logical dependencies between security failures that lead to a cryptojacking event. The diagram shows how various vulnerabilities and misconfigurations affect the success of an attack, allowing organizations to identify key weaknesses for remediation.
Instead of deterministic models with fixed outcomes, Monte Carlo simulations simulate multiple hypothetical scenarios, allowing businesses to visualize in a convenient form (including graphically) the probability distribution function of losses from cryptojacking. This method is particularly valuable in the context of cybersecurity, where attack frequencies, financial losses, and system vulnerabilities exhibit stochastic behavior.
The technique randomly selects probability distributions derived from historical data on cryptojacking incidents [24], attack trends [8], and operational losses [23]. The estimated financial loss from a cryptojacking attack is calculated as
$$C_{total} = C_{energy} + C_{hardware} + C_{downtime} + C_{cloud}$$
where
$C_{energy}$ represents the excess electricity costs [23].
$C_{hardware}$ accounts for accelerated depreciation of CPU/GPU hardware [27].
$C_{downtime}$ captures lost productivity due to reduced system performance [34].
$C_{cloud}$ reflects cloud infrastructure expenses from excessive resource utilization [17].
This formula encapsulates the primary financial impacts associated with cryptojacking, but additional indirect costs may also be relevant, such as increased cybersecurity monitoring expenses, reputational damage, and potential regulatory fines for failing to prevent unauthorized use of corporate resources. Using these expanded cost factors in a Monte Carlo model allows organizations to develop a more comprehensive financial risk profile that takes into account the direct and indirect consequences of cryptojacking incidents. Each cost component follows a probability distribution, typically modeled as normal, lognormal, or triangular, based on data from real-world incidents [5].
The accuracy of financial impact modeling depends on the choice of appropriate probability distributions. Lognormal distributions, in particular, are effective for modeling financial losses, where large losses are rare but possible. Conversely, normal distributions are effective when losses are symmetrically distributed around the mean, which is often the case for predictable costs such as increased energy consumption. Triangular distributions, on the other hand, allow organizations to incorporate expert judgment by determining minimum, most likely, and maximum loss estimates in cases where historical data is sparse. The annual expected financial loss from cryptojacking (ALE) is calculated using the formula
$$ALE = SLE \cdot ARO$$
where SLE is the financial loss from a single incident and ARO is the predicted number of cryptojacking incidents per year [25].
The ALE metric serves as a fundamental risk quantification tool, allowing organizations to assess their financial exposure based on historical attack rates and observed financial losses. However, cryptojacking incidents are inherently volatile, as fluctuations in cryptocurrency values directly impact attacker behavior. Therefore, Monte Carlo simulations often include dynamic ARO values that are adjusted based on real-time trends in cryptocurrency markets. When cryptocurrency prices rise, the financial incentive for cryptojacking increases, leading to higher ARO and, in turn, higher ALE. This dynamic modeling approach improves on traditional risk assessments by aligning financial loss projections with real-world economic conditions. Attack trees effectively model mitigation strategies, and event trees provide an alternative framework for analyzing the progression of cryptojacking incidents from the initial breach to potential security outcomes. Figure 4 shows an example of an event tree used to assess cryptojacking risk, demonstrating possible system responses and their associated consequences.
Monte Carlo simulation of financial risks from cryptojacking allows us to plot loss exceedance curves [3], which show the probability of exceeding the permissible value. These curves allow management to assess worst-case scenarios and determine the necessary amount of financial reserves. By analyzing the tails of the distributions, extreme losses for cyber insurance can be identified, which is important when planning risk-based security investments [7]. Integrating the loss exceedance probabilities obtained using Monte Carlo into cybersecurity budget planning allows for informed decisions. If the probability of exceeding the loss threshold is high, it is possible to justify increased investment in improving endpoint cybersecurity, anomaly monitoring, and response software. ROSI (Return on Investment in Cybersecurity) is used to assess the cost-effectiveness of measures to combat cryptojacking:
$$ROSI = \frac{\Delta Loss}{Cost_{security}}$$
where $\Delta Loss$ is the reduction of expected losses after the implementation of cybersecurity measures and $Cost_{security}$ is the cost of security measures, such as anomaly monitoring, greater focus on endpoint protection, and modernization of architecture to support zero trust [29,30,39]. ROSI is a key tool for justifying cybersecurity spending, because it allows for the evaluation of investment effectiveness based on measurable financial risk reduction.
A higher ROSI indicates a more effective investment, justifying allocation of the budget to cryptojacking prevention. Zero-trust networks [31,32], micro-segmentation, and hypervisor-level anomaly detection [33] are among the strategies that have been shown to significantly reduce the risk of cryptojacking. Insurance incentives and regulatory safe harbors encourage organizations to disclose cryptojacking incidents, contributing to increased accuracy of risk modeling [40,41]. Cyber insurance providers are increasingly taking cryptojacking risk into account when assessing premiums and underwriting policies. Organizations that implement robust cryptojacking detection and prevention mechanisms (behavioral analytics and anomaly detection) can qualify for lower insurance rates due to their reduced risk profile. These financial and regulatory incentives create a business case for organizations to take a proactive stance against cryptojacking, reinforcing the importance of ROSI-based security strategies.
ROSI assessment ensures that organizations can prioritize investments based on their effectiveness in mitigating financial damage, increasing the role of artificial intelligence in threat detection, or providing cloud protection [41,42]. This method follows cybersecurity risk modeling standards using FTA and Monte Carlo to accurately assess risks. Improving the accuracy of cryptojacking threat prediction is achieved by combining telemetry data, anomaly detection using machine learning, and cybersecurity investment [43].
By integrating probabilistic models, financial impact analysis, and predictive forecasting, organizations can move beyond reactive security measures and implement proactive risk management strategies. This methodology uses Bayesian networks, Monte Carlo simulations, and attack tree analysis to enable cybersecurity professionals to systematically assess attack probabilities and identify critical vulnerabilities in their infrastructure. The fundamental risk equations
R = I · E
and
I = T · V,
provide a quantitative basis for assessing both the likelihood and impact of cryptojacking attacks, offering a clear framework for prioritizing security investments.
Using attack tree models, organizations can map adversarial behavior and estimate conditional probabilities of successful cryptojacking attempts. Combined with the Monte Carlo method, these models produce risk probability distributions, which let enterprises account for uncertainty and for the losses that attacks cause. Annualized loss indicators (ALEs) are the most accurate risk indicator. Loss exceedance curves provide additional insight into extreme financial losses, offering an important decision-making tool for allocating cybersecurity budgets. Evaluation of cryptojacking mitigation strategies is further supported by the ROSI framework, which ensures that security expenditures are justified based on their measurable financial benefits. The inclusion of real-time telemetry, AI-driven anomaly detection, and automated threat intelligence updates further enhances the scalability and forecasting accuracy of this model, providing a robust foundation for ongoing threat mitigation.
In IoT irrigation systems, cryptojacking can be accomplished by compromising network-connected controllers or sensors themselves. Not only will this result in hidden cryptocurrency mining at the expense of farm resources, but it can also disrupt critical irrigation functions (water control), resulting in significant losses due to crop damage.
The use of smart farming equipment (autonomous tractors, robots, etc.) also creates new vectors for cryptojacking. Attackers can exploit vulnerabilities in their operating systems or network protocols to inject mining software, resulting in decreased equipment performance, increased fuel consumption, and unauthorized use of computing power intended for precision farming.
Drones used to monitor crop conditions and assess livestock health are also potential targets for cryptojacking. Compromising a drone’s onboard computer for cryptocurrency mining can significantly reduce its battery life, reduce the performance of data collection and processing systems, and threaten flight safety.

3.2. Evaluation of Input Data in the Context of Forecasting and Risk Analysis

Quantifying cryptojacking risk requires the use of two main categories of input data: attack probability indicators and financial loss estimates.
Attack probability indicators are typically derived from past incidents within an organization or across an industry. Analysts may consult Security Operations Center (SOC) logs to estimate how often cryptojacking attempts are detected per year, as well as threat intelligence sources that detail spikes or trends in cryptojacking activity.
Below is an example of how such input data might be organized. While actual parameter values may vary based on real-world organizational metrics, this illustration demonstrates typical fields and ranges used in cryptojacking risk modeling [22,23,42]. The table references elements such as historical incident frequency, threat intelligence factors, additional CPU usage caused by malicious miners, local electricity rates, and estimated productivity loss, among others. Each metric is directly related to either the likelihood of a cryptojacking attack (e.g., how often attacks are detected or how easily endpoints can be compromised) or the subsequent financial impact (hardware load, downtime, and investigation costs).
The parameters used for cryptojacking risk modelling are based on a synthesis of several sources and methodological approaches. Some of the values are derived from documented behavioral characteristics of cryptojacking malware, such as elevated CPU load and system slowdown. Others reflect practical estimates informed by industry reports, common operational baselines in digital infrastructures, and expert judgment where empirical datasets are limited. This approach ensures the internal consistency of the simulation model and reflects conditions typical for endpoint systems in digital agriculture.
For instance, CPU usage thresholds represent the range typically associated with persistent cryptojacking activity, based on technical documentation and incident analysis. Electricity costs were set according to average commercial rates relevant to agricultural settings, while incident response costs were estimated from the expected duration and complexity of recovery procedures in similar operational environments. These approximations are intended to reflect realistic system conditions and support the reproducibility of the simulation process.
In summary, effective cryptojacking risk assessment requires a careful combination of probability metrics and loss estimates, backed by real-world telemetry, system scans, and financial cost data. By assigning numerical values to each parameter and running analytical or simulation-based models, organizations can better understand their exposure to cryptojacking. To translate these input parameters into a Monte Carlo simulation, an appropriate probability distribution must be assigned to each uncertain factor, such as additional power consumption or additional equipment depreciation. While normal, exponential, lognormal, uniform, PERT, and histogram distributions can all be used in principle, the triangular distribution offers particular advantages for cryptojacking scenarios where historical data may be sparse. Because analysts only need to specify the minimum, most likely (mode), and maximum values, the triangular distribution simplifies parameter estimation while still capturing the asymmetric or skewed nature of cryptojacking-related losses. Figure 5 below compares several probability distributions to illustrate their respective density shapes. The scipy.stats module (Python 3.8.10) is used to plot the probability density functions of several types of distributions. The figure shows the differences between these distributions in terms of symmetry, skewness, and required parameters.
Among these curves, triangular distribution stands out with its simple peak at the “most likely” value, given the specified minimum and maximum bounds.
It thus allows cryptojacking risk analysts to incorporate domain expertise (e.g., best, typical, and worst-case incident response costs) without the need for complex or extensive data sets. By using Monte Carlo sampling of these triangular inputs, organizations can generate a range of hypothetical outcomes and assign probabilities to different levels of financial loss, enabling more accurate decisions about remediation costs, endpoint upgrades, and policy adjustments. By combining the simplicity of triangular distribution with the structured parameters described in Table 2, cryptojacking risk assessment becomes more transparent and better aligned with real-world scenarios where precise loss distributions are rarely known, but upper and lower bounds are reasonably established.
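The workflow described above, together with the ROSI ratio defined earlier, is sketched below as an added example; it is not the authors' code. It samples triangular inputs by Monte Carlo for a single endpoint, then derives the ALE, the loss exceedance curve and ROSI for a current and an improved security posture. Every parameter value, the `Posture` structure and the loss formula are assumptions made for illustration and are not taken from Table 2.

```python
import bisect
import random
from dataclasses import dataclass

# Every number below is a constructed placeholder, not a value from the article.


@dataclass(frozen=True)
class Tri:
    """Triangular input: analyst's minimum, most likely (mode) and maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        # random.triangular takes (low, high, mode), in that order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Posture:
    """Security posture as seen by the loss model (hypothetical structure)."""
    p_incident: float      # chance that a miner runs on the endpoint in a year
    days_undetected: Tri   # dwell time before detection and removal, in days


# Cost drivers shared by both postures (constructed values, currency units).
EXTRA_KW = Tri(0.25, 0.42, 0.60)            # extra draw of a throttled miner
PRICE_PER_KWH = Tri(0.10, 0.15, 0.25)
PRODUCTIVITY_PER_DAY = Tri(20.0, 60.0, 200.0)
RESPONSE_COST = Tri(500.0, 1500.0, 6000.0)  # investigation and cleanup

CURRENT = Posture(p_incident=0.6, days_undetected=Tri(5, 60, 250))
IMPROVED = Posture(p_incident=0.4, days_undetected=Tri(1, 3, 14))
COST_SECURITY = 2500.0                      # yearly cost of the added controls


def simulate_annual_losses(posture, iterations=10_000, seed=1):
    """Return one simulated annual loss per Monte Carlo iteration."""
    rng = random.Random(seed)  # seeded so a run can be reproduced
    losses = []
    for _ in range(iterations):
        if rng.random() >= posture.p_incident:
            losses.append(0.0)  # no cryptojacking incident this year
            continue
        days = posture.days_undetected.sample(rng)
        energy = EXTRA_KW.sample(rng) * 24 * days * PRICE_PER_KWH.sample(rng)
        productivity = PRODUCTIVITY_PER_DAY.sample(rng) * days
        losses.append(energy + productivity + RESPONSE_COST.sample(rng))
    return losses


def ale(losses):
    """Annualized loss expectancy: mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def exceedance_curve(losses, thresholds):
    """Return (threshold, P(annual loss > threshold)) pairs."""
    ordered = sorted(losses)
    n = len(ordered)
    return [(t, (n - bisect.bisect_right(ordered, t)) / n) for t in thresholds]


def percentile(losses, q):
    """Empirical q-quantile of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def rosi(ale_current, ale_improved, cost_security):
    """ROSI as the ratio of expected-loss reduction to security cost."""
    if cost_security <= 0:
        raise ValueError("cost_security must be positive")
    return (ale_current - ale_improved) / cost_security


if __name__ == "__main__":
    current = simulate_annual_losses(CURRENT)
    improved = simulate_annual_losses(IMPROVED)
    thresholds = [0, 2_500, 5_000, 10_000, 20_000, 40_000]
    print("threshold  P(exceed) current  P(exceed) improved")
    for (t, p_cur), (_, p_imp) in zip(
        exceedance_curve(current, thresholds),
        exceedance_curve(improved, thresholds),
    ):
        print(f"{t:>9}  {p_cur:>17.3f}  {p_imp:>18.3f}")
    print(f"ALE current  : {ale(current):,.0f}")
    print(f"ALE improved : {ale(improved):,.0f}")
    print(f"95th pct cur : {percentile(current, 0.95):,.0f}")
    print(f"ROSI         : {rosi(ale(current), ale(improved), COST_SECURITY):.2f}")
```

Shortening the dwell-time distribution is what pulls down the tail of the exceedance curve; the mean (ALE) alone hides that effect, which is why the curve and a high percentile are reported alongside it.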

4. Results

The following scenarios are constructed based on the risk modeling techniques introduced in Chapter 3. Specifically, the Monte Carlo method is used to simulate a wide range of possible financial outcomes under different attack conditions. The structure of each scenario is informed by the risk tree and fault tree models, which define the logical paths and dependencies of cryptojacking incidents. Probabilistic assumptions—such as the likelihood of detection, evasion, and system compromise—are embedded into the scenario design and used as input parameters for simulation.
In this analysis, five scenarios are examined to capture the range of cryptojacking threats that the organization might encounter.
  • The first scenario involves cryptomining restricted to a single workstation, offering insight into a relatively contained compromise.
  • The second scenario envisions malicious scripts spreading across all workstations, amplifying both direct and indirect losses.
  • The third scenario again targets a single endpoint but emerges from a different attack vector, enabling comparison of how cryptojacking might arise under varied infiltration methods.
  • The fourth scenario expands the scope by adding the central server to the compromised environment, thereby illustrating the impact of lateral movement and high-value assets on overall risk.
  • The fifth scenario explores an insider threat, demonstrating how cryptomining can proliferate if a user with privileged or specialized knowledge enables unauthorized resource usage on selected endpoints.
By covering these five perspectives, the organization gains a more comprehensive understanding of cryptojacking’s potential scale and variability, ensuring that defensive measures are aligned with the full spectrum of threats.

4.1. Scenario 1

Scenario 1 (Figure 6) considers the possibility of cryptomining affecting a single workstation—a potentially contained but still disruptive event, given the workstation’s role in resource-intensive 3D modeling tasks. In this scenario, the attacker throttles the mining software to 60% of the workstation’s total 700 W capacity (420 W) to conceal malicious activity and minimize detection. Figure 7a illustrates the probability density function of the simulated losses, showing how moderate values predominate while still allowing for a long tail of rare but significantly higher costs. The shape of this curve is influenced by variation in how long the attacker can mine undetected, how quickly users or security tools might respond, and whether partial or complete hardware replacement becomes necessary.
Figure 7b plots the individual results of each iteration under the current security posture, revealing a cluster of points around intermediate loss levels and a smaller number of outcomes near both the lower and upper extremes. The majority of generated values lie in the midrange, indicating that most simulations foresee moderate costs driven primarily by elevated electricity usage and reduced productivity. A few points drift closer to two million hryvnias of total losses, largely due to sustained cryptomining across many workdays, compounded by accelerated hardware depreciation and delayed project delivery. Figure 8a shows the exceedance curve, which captures the probability of surpassing any given monetary threshold. Steeper initial sections of the curve signify that moderate expenses are relatively likely, whereas the flatter tail to the right underscores the existence of a small, yet non-negligible, chance of incurring very high losses. This visualization helps stakeholders judge how much financial contingency or insurance coverage might be prudent if a single machine endures prolonged cryptomining.
These results establish that, while most outcomes remain in a moderate loss zone, an unfavorable alignment of factors—such as extended undetected mining and frequent hardware stress—can escalate costs substantially. The same simulation rerun with future enhanced cryptojacking detection (Figure 7c and Figure 8b) confirms that the range of potential losses remains structurally similar, but the frequency of high-loss incidents drops noticeably when most unauthorized mining attempts are blocked soon after they begin.

4.2. Scenario 2

In this second scenario, cryptojacking scripts spread across all workstations, causing a substantially greater cumulative impact than a single compromised endpoint (Figure 9).
Because the organization relies heavily on 3D modeling, each hijacked workstation intensifies overall losses stemming from electricity consumption, hardware depreciation, and lowered productivity. Figure 8 illustrates the probability density function for this scenario’s losses, indicating a broader distribution than in Scenario 1. When multiple endpoints are involved, even moderate throttling can lead to a steep increase in energy costs.
Figure 10 plots the generated annual losses for each iteration under the current security posture, showing values that range from moderate—reflecting partial resource usage—to extreme, where cryptojacking consumes nearly all available computing power on multiple machines for extended periods. By reviewing the scatter of points, it becomes evident that, while average outcomes already surpass those in a single-device compromise, some simulations push total costs well beyond two million hryvnias. In many of these high-loss cases, the pronounced performance deficits also create substantial project delays, adding to the indirect costs borne by the business.
Each bar in Figure 10 corresponds to a Monte Carlo iteration, with the x-axis indicating the iteration index (from 1 to 10,000) and the y-axis representing the annual loss in dollars. The upper extremes convey high-loss outcomes emerging from extensive cryptomining across numerous endpoints, whereas the smaller bars illustrate scenarios in which only a fraction of the workstations were compromised or mining activity was detected relatively early. Figure 11 presents the exceedance curve for Scenario 2, enabling decision-makers to evaluate the likelihood of surpassing various financial thresholds.
Compared to Scenario 1, the curve remains significantly higher at more expensive loss levels, which underscores the amplified damage when multiple workstations are commandeered in tandem. Even moderate attacker stealth or sustained mining windows can produce a probability of catastrophic losses that is an order of magnitude greater than in a single-device compromise. However, repeating the simulation under future enhanced detection systems preserves the general shape of the distribution while noticeably reducing its upper tail, highlighting the extent to which early cryptojacking detection mitigates the most severe outcomes (Figure 10c and Figure 11b).

4.3. Scenario 3

In the third scenario (Figure 12), cryptojacking again affects one workstation, but it arises from a different attack vector than the one used in Scenario 1. Instead of a malicious website, for instance, the infection might occur through an email attachment or unauthorized software. Despite the alternate infiltration path, the risk profile remains similar to that of a single-device compromise. The probability density function of the simulated losses, which resembles Scenario 1’s graph, is shown in Figure 13a. The shape of this distribution is primarily influenced by how long cryptomining can remain hidden, how quickly system administrators respond, and whether partial or complete hardware replacement becomes necessary.
Each bar on the x-axis corresponds to a single Monte Carlo iteration (from 1 to 10,000), while the y-axis indicates the estimated annual loss in dollars. High bars show iterations where cryptojacking persisted long enough to drive up costs—through electricity usage, hardware wear, and productivity deficits—whereas lower bars reflect scenarios of shorter or less intensive cryptomining.
Figure 13a presents the loss exceedance curve, highlighting the probability of surpassing various financial thresholds. The relatively steep slope early in the curve indicates that moderate losses are quite feasible, while the flatter tail on the right reflects the smaller but meaningful possibility of incurring substantial damage. From a risk-management perspective, this curve helps the organization decide how much financial reserve or insurance might be prudent for a single-endpoint cryptojacking event that originates from an alternative attack vector. As in Scenario 1, these upgraded measures substantially reduce the frequency of severe losses, confining most outcomes to the lower ranges (Figure 13b). The small fraction of higher-cost events usually arises only if the attacker manages to circumvent the detection system or remains embedded long enough to cause notable hardware strain and project delays. Figure 14b shows the updated exceedance curve under these improved defenses. Although moderate losses remain possible—reflecting short-lived mining before detection—the tail end of the curve is noticeably lower, indicating a significantly decreased chance of incurring catastrophic costs.
Compared to scenarios where cryptojacking spreads across multiple devices, a single-endpoint compromise remains easier to contain, yet vigilance is necessary to ensure infiltration vectors (such as phishing emails or infected software) are not overlooked. Overall, Scenario 3 reinforces that cryptojacking can manifest through various initial access points, warranting a holistic approach to detection, prevention, and timely response.

4.4. Scenario 4

In the fourth scenario, cryptojacking extends beyond individual workstations to compromise the central server, significantly amplifying both financial and operational risks (Figure 15). Unlike past attacks that only infected work computers, this attack on a central server disrupts critical resources such as data storage, processing, and networking. The consequences of unauthorized cryptomining on this infrastructure are severe, as the server operates continuously and possesses considerably higher computational power than standard workstations. This scenario not only escalates direct financial losses related to electricity consumption and hardware strain, but also introduces indirect costs, including workflow interruptions, system downtime, and delays in project execution.
The probability density function for this scenario, shown in Figure 16a, illustrates a broader range of financial losses compared to previous scenarios. With the central server engaged in unauthorized cryptomining, overall power consumption surges, and prolonged exposure accelerates hardware depreciation, leading to potential equipment failure and increased replacement costs. Additionally, since cryptojacking scripts often exhibit stealth tactics, detection and mitigation efforts may be delayed, prolonging mining activity and further compounding financial damage. The simulation results reveal that annual losses for this scenario, under the current security posture, range from a minimum of $1,310,047 to a maximum of $5,552,863, with an average financial impact of $3,175,642. These values emphasize that, even in moderate cases, cryptojacking on the central server represents a substantial financial liability, while in extreme cases losses can reach levels far exceeding those seen in prior workstation-based scenarios.
The distribution of generated losses, illustrated in Figure 16b, demonstrates that outcomes vary widely, depending on the extent of cryptojacking activity, the duration before detection, and the overall computational workload of the server. Unlike isolated endpoint compromises, where the financial impact is often contained, infiltration of the central server presents a systemic risk, capable of disrupting multiple business functions simultaneously. The results suggest that, in certain iterations, cryptojacking persists for extended durations, leading to excessive power consumption and significant productivity losses. In many cases, prolonged mining results in severe system slowdowns, causing cascading delays in enterprise operations.
The loss exceedance curve, presented in Figure 17a, provides further insight into the likelihood of surpassing key financial thresholds. Compared to previous scenarios, the probability of encountering high-impact financial losses is significantly elevated, reflecting the heightened risks associated with high-value infrastructure compromise. While workstation-level cryptojacking can often be isolated and remediated relatively quickly, a breach of the central server results in a more persistent and financially burdensome incident. The curve indicates that the likelihood of incurring costs exceeding $3 million remains high, with worst-case scenarios reaching nearly $5.5 million, demonstrating that unmitigated cryptojacking activity within core IT assets can rapidly escalate beyond financially manageable levels.
To assess the potential reduction in losses after implementing enhanced security measures, the simulation was repeated under an improved security state, incorporating advanced anomaly detection systems capable of identifying resource-intensive cryptomining activities in real time. The updated simulation results, visualized in Figure 16c, indicate that, while cryptojacking attempts still occur, the frequency and severity of financial losses are significantly mitigated. Under this improved security posture, annual losses now range from $1,635,229 to $4,911,687, with an adjusted average of $3,327,459. This reduction in upper-bound financial risk suggests that early detection mechanisms play a crucial role in limiting the long-term impact of cryptojacking on mission-critical IT systems. The corresponding loss exceedance curve, shown in Figure 17b, confirms that proactive threat mitigation significantly lowers the probability of extreme financial losses. Although moderate cryptojacking incidents still lead to noticeable operational costs, the risk of catastrophic financial damage is substantially reduced. The tail end of the curve is noticeably lower, indicating that losses surpassing $5 million are now improbable, reinforcing the effectiveness of early detection and prevention. Even if we have improved security, the results show that we cannot completely eliminate the risks of cryptojacking, so we need to constantly monitor the situation.
Overall, Scenario 4 highlights the significant financial and operational impact of cryptojacking when valuable IT infrastructure is compromised. Unlike endpoint-level incidents, central server breaches create enterprise-wide disruptions, increasing both direct and indirect costs. The modeling results show that enhanced security measures reduce the overall financial burden, but cryptojacking remains an ongoing risk that requires continued investment in detection systems and endpoint protection solutions.
These high losses are partially explained by the central server’s continuous workload and elevated energy demands. However, they are also influenced by latent vulnerabilities in server infrastructure—such as outdated operating systems, critical unpatched CVEs, and insufficient network segmentation—that increase the likelihood of successful and prolonged cryptojacking activity. In practice, such weaknesses can delay detection and remediation efforts, significantly amplifying financial and operational impact.

4.5. Scenario 5

The fifth scenario explores the implications of an insider threat, wherein a privileged user with advanced knowledge of the IT infrastructure facilitates unauthorized cryptomining (Figure 18). Unlike external threats, insider scenarios often involve the intentional deployment of cryptojacking scripts, leveraging legitimate access rights to evade detection. This scenario is particularly challenging because the attacker can use administrative tools and scripts to install and run mining software under the guise of routine maintenance or legitimate administrative tasks [19,23].
The probability density function for this scenario, as shown in Figure 19a, indicates a wide distribution of potential financial losses, reflecting the high variability associated with insider threats.
The ability of the insider to bypass security protocols often results in prolonged mining activity, which in turn amplifies the direct and indirect financial impacts. The Monte Carlo simulation for this scenario revealed that, under the current security posture, annual losses could range from a minimum of $556,410 to a maximum of $2,091,176, with an average expected loss of $1,288,742. These figures emphasize the disproportionate risk posed by insider threats, as the attacker’s knowledge allows for sustained and undetected resource abuse [23]. The annual losses generated under the current security posture are presented in Figure 19b. The scatter of loss values highlights the scenario’s inherent unpredictability, with moderate losses occurring frequently and severe financial impacts emerging in a subset of the simulations. The insider’s ability to maintain cryptomining operations for extended periods often leads to higher cumulative costs, including increased energy consumption, accelerated hardware wear, and productivity losses due to reduced system performance [14,24].
The loss exceedance curve shown in Figure 20a illustrates the probability of surpassing specific financial thresholds. Insider threats demonstrate a relatively steep increase in risk as financial losses escalate, indicating that even minor lapses in monitoring privileged accounts can lead to significant economic consequences. The curve’s shape underscores the need for robust internal controls, including behavioral monitoring of privileged user activities and anomaly detection mechanisms to identify unauthorized cryptomining behavior [16,29]. When advanced security measures are implemented—including enhanced monitoring of privileged accounts and the deployment of machine learning algorithms to detect anomalies—financial losses are significantly mitigated.
The updated Monte Carlo simulation, visualized in Figure 19c, indicates a reduction in potential losses, with the new range spanning from $620,654 to $1,956,912 and the average loss adjusted to $1,224,378. These results validate the effectiveness of preventive measures in limiting the operational and financial impacts of insider-driven cryptojacking [40,41,43]. The updated loss exceedance curve in Figure 20b reflects a marked decrease in the likelihood of extreme financial losses. The curve’s tail is significantly shorter, indicating that the probability of incurring catastrophic costs has been substantially reduced. This improvement demonstrates that continuous monitoring, combined with advanced analytics, plays a crucial role in defending against insider threats, where traditional perimeter-based security measures often fall short [19,32].
Scenario 5 shows that the risks associated with insider threats become much higher, especially when privileged users have the technical ability to covertly install and run cryptojacking software. The results demonstrate the benefit of a multi-layered defense that includes access control, privileged activity analysis, and anomaly detection to effectively counter insider cryptomining [21,44].

4.6. Analysis of the Results

Taken together, these five scenarios highlight the different ways in which cryptojacking can impact an organization, from a single compromised workstation (Scenarios 1 and 3) to multiple endpoints (Scenario 2), through infiltration of a central server (Scenario 4), and even attacks carried out from the inside (Scenario 5). In each scenario, unauthorized cryptomining increases operational costs through energy consumption, hardware depreciation, and productivity losses, consistent with previous research highlighting the hidden financial burden of cryptojacking [19,23,24]. The results further show how long-term mining—especially when attackers exploit privileged access or high-value infrastructure—dramatically increases the likelihood of extreme losses [18,21,42]. Despite the differences in entry vectors and impacted assets, a common theme emerges: early detection and rapid response significantly reduce the frequency and severity of the worst outcomes. Improved monitoring, anomaly detection, and tighter access controls, especially for privileged accounts, have been shown to be effective in mitigating financial losses [12,30,40].
These findings echo broader industry reports (e.g., ENISA [8], Symantec [5], and IBM X-Force [3]) that emphasize multi-layered defenses and proactive threat hunting to counter evolving cryptojacking tactics. As organizations continue to implement resource-intensive workflows, a comprehensive security posture that spans workstations, servers, and insider threats remains essential to effectively manage cryptojacking risk [39,42,43].
Based on the data obtained after the simulation, we will analyze the results. We will calculate the ALE values for the current and future state of the protection means and then determine the ROSI using Equations (6) and (7). The results show that, in the fifth scenario, the return on investment in security is the greatest (Figure 21). The same protection system is applied across all scenarios, so the individual values can be summed to give the total ROSI:
$$\mathrm{ROSI} = \sum_{i=1}^{5} \mathrm{ROSI}_i = \$958{,}225$$
The total ROSI value of $958,225 reflects the cumulative financial benefit from applying enhanced security measures across all five simulated scenarios. While the numerical contributions of each individual scenario are not detailed in tabular form, their relative impact is visualized in Figure 21b.
This figure illustrates the proportional reduction in annual losses per scenario and allows comparison of the return on investment across different types of cryptojacking risks. As expected, scenarios involving high-value infrastructure (e.g., Scenario 4 with the central server) demonstrate a significantly larger share of the overall ROSI, while isolated endpoint compromises contribute more modestly. Let us estimate the losses of a farm from cryptojacking. The farm uses 100 kWh for irrigation and lighting. Cryptojacking on 10% of the farm’s computers can add 5 kWh of additional load, which is 3600 kWh of additional costs per month. At a price of $0.75/kWh, this is $2700 of additional costs.

5. Discussion and Prospects

5.1. Comparison of Risk Assessment Scenarios with Previously Known Ones

The five scenarios examined provide detailed insight into how cryptojacking can penetrate endpoint systems, spread across workstation fleets, target central servers, or exploit insider privileges. Compared to previous studies [19,23,24,42], our results confirm that persistent cryptomining causes significant financial damage through increased energy consumption, accelerated hardware depreciation, and lost productivity. Early detection and rapid intervention substantially reduce loss severity, underscoring the importance of continuous monitoring and adaptive responses [3,5,8,43].
A central contribution is a quantitative modeling approach, providing probabilistic estimates for both moderate and catastrophic loss events, surpassing qualitative assessments [10,11]. The modeling revealed that, while average costs may prevail, rare yet extreme outcomes can impose disproportionately high financial burdens, consistent with other studies [12,18,23]. Scenarios 1 and 3 (individual workstations) show substantial losses from prolonged stealth mining [16,21], confirming that limiting infection to one workstation reduces overall risk [40,41]. Scenario 2 (all workstations) demonstrates amplified costs due to concurrent mining, emphasizing that indirect losses from project delays and reputational harm outweigh CPU/GPU degradation alone [24,31,36].
Scenario 4 (central server) leads to multi-million-dollar losses by disrupting core functions [17,39,44], necessitating continuous monitoring and adaptive security measures [29,30,42]. Scenario 5 (insider threats) confirms that privileged knowledge enables long-term stealth mining, making behavioral analytics and access control critical for prevention [19,21,23,30,44,45,46,47]. Overall, the study highlights the need for multi-layered defense [3,5,8], including network segmentation [29,30,48], and the application of behavioral analytics to detect stealth tactics [40,41,47]. The simulation validates the feasibility of quantifying cryptojacking’s financial exposure, which is crucial for security budgeting and insurance premiums [11,12,32,37,49]. Adapting models to new platforms (IoT, containers) and attack methods requires continuous updates to attack trees and Monte Carlo parameters [17,19,24,28,44]. Insider threat monitoring via PAM and user behavior analytics remains critical [21,29,38,46]. Despite contributions, limitations exist: reliance on input distributions calibrated from prior incidents and assumptions; focus on a specific organizational context; and variability in real-world detection times [21,33,34,45,48,50].
Nevertheless, scenario-based Monte Carlo analysis confirms that cryptojacking risk is pervasive and adaptable, ranging from minor single-device infections to large-scale or insider compromises with multi-million-dollar impacts. Organizations should combine robust endpoint protection with centralized anomaly detection, privileged access governance, and dynamic risk modeling to effectively counteract stealth miners [8,10,11,16]. Future research should explore GPU-focused cryptojacking, containerized or serverless mining, and cross-platform infiltration in hybrid cloud deployments [19,21,34,44,50], alongside integrated strategies addressing technical and organizational aspects [40,44]. The methods described are applicable in diverse fields, including medical security [51], biological and agricultural facilities management [52,53,54,55], economic security of state institutions [56,57,58,59,60], and energy and mechanical engineering enterprises [61,62], with cryptojacking prospects discussed in [63,64].

5.2. Practical Recommendations for Stakeholders

The use of blockchain, artificial intelligence, and computer vision helps to increase crop yields, improve logistics, productivity, and efficiency, and ensure sustainable development of the industry. In 2021, investments in agritech reached $10.5 billion, and by 2025 the market is projected to grow to $22.5 billion [38,45].
To identify potential entry points for cryptojacking, agribusinesses should audit their existing IT infrastructure, including IoT devices for smart agriculture. The starting point for this audit is the common attack vectors and specific vulnerabilities (related to outdated software, weak passwords, and unprotected network protocols).
The analysis of the loss exceedance curves obtained in our study allows agricultural enterprises to establish an acceptable level of risk and determine the safety measures necessary to achieve this level.
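How simulated annual losses become a loss exceedance curve, a risk-tolerance reading, and a ROSI figure is shown below as an added example; it is not the authors' code. It uses the example ranges from Table 2 for a single workstation; the dwell time, device power, labor cost, hardened evasion rate, control cost, and the ROSI formula (ALE reduction minus control cost, divided by control cost) are assumptions of this example.

```python
import random

# Example ranges from the paper's Table 2.
ATTEMPTS_PER_YEAR = (8, 12)        # historical attack frequency, incidents/year
EVASION_RATE = (0.20, 0.35)        # share of attempts that bypass controls
EXTRA_CPU_LOAD = (0.25, 0.80)      # additional CPU load while mining
ELECTRICITY_RATE = 0.12            # USD per kWh
DEPRECIATION_MULT = (1.15, 1.25)   # accelerated hardware wear multiplier
SLOWDOWN = (0.10, 0.30)            # productivity impact
RESPONSE_COST = (5_000, 20_000)    # USD per incident

# Assumptions of this example only (constructed, not from the paper).
DEVICE_KW = 0.15                   # workstation power draw at full load
HOURLY_LABOR_COST = 40.0           # USD per working hour of the affected user
ANNUAL_DEPRECIATION = 400.0        # planned yearly hardware wear, USD
DWELL_DAYS = (7, 90, 30)           # min, max, mode of days until detection
HARDENED_EVASION_RATE = (0.05, 0.10)  # evasion rate with the added control
CONTROL_COST = 10_000.0            # yearly cost of that control, USD


def incident_loss(rng):
    """USD lost to one successful infection of a single workstation."""
    low, high, mode = DWELL_DAYS
    days = rng.triangular(low, high, mode)
    electricity = (rng.uniform(*EXTRA_CPU_LOAD) * DEVICE_KW * 24 * days
                   * ELECTRICITY_RATE)
    wear = (rng.uniform(*DEPRECIATION_MULT) - 1) * ANNUAL_DEPRECIATION * days / 365
    productivity = rng.uniform(*SLOWDOWN) * HOURLY_LABOR_COST * 8 * days * 5 / 7
    return electricity + wear + productivity + rng.uniform(*RESPONSE_COST)


def simulate_annual_losses(n_years, evasion_rate=EVASION_RATE, seed=0):
    """Monte Carlo: one total loss figure per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        attempts = rng.randint(*ATTEMPTS_PER_YEAR)
        p_evade = rng.uniform(*evasion_rate)
        successes = sum(rng.random() < p_evade for _ in range(attempts))
        losses.append(sum(incident_loss(rng) for _ in range(successes)))
    return losses


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss is above the threshold."""
    return sum(loss > threshold for loss in losses) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """Points (threshold, P(annual loss > threshold)) of the curve."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def loss_at_exceedance(losses, probability):
    """Smallest simulated loss exceeded in at most `probability` of years."""
    ordered = sorted(losses)
    allowed = int(probability * len(ordered))  # years allowed above the level
    return ordered[max(0, len(ordered) - 1 - allowed)]


def ale(losses):
    """Annualized loss expectancy: mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def rosi(ale_before, ale_after, control_cost):
    """Return on security investment (formula assumed, see lead-in)."""
    return (ale_before - ale_after - control_cost) / control_cost


if __name__ == "__main__":
    current = simulate_annual_losses(20_000, EVASION_RATE, seed=1)
    future = simulate_annual_losses(20_000, HARDENED_EVASION_RATE, seed=1)
    for label, losses in (("current", current), ("future", future)):
        print(label, "ALE: %.0f USD" % ale(losses))
        for threshold, prob in loss_exceedance_curve(losses, range(0, 100_001, 25_000)):
            print("  P(loss > %6d USD) = %.3f" % (threshold, prob))
        print("  loss exceeded in 5%% of years: %.0f USD" % loss_at_exceedance(losses, 0.05))
    print("ROSI: %.2f" % rosi(ale(current), ale(future), CONTROL_COST))
```

An enterprise that tolerates, say, a 5% chance of exceeding a given annual loss reads that loss level from `loss_at_exceedance` and compares it with its budget before and after the control.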
By combining these digital tools, farmers can improve their decision-making processes, reduce waste, conserve resources, and ultimately create a more sustainable and productive agricultural system.

5.3. Future Research Directions

The authors plan to further collaborate with agricultural enterprises and security operations centers to collect anonymized or aggregated data on cryptojacking incidents. This will be used to refine our risk assessment model, which will improve the accuracy of financial loss predictions.
We aim to compare the risk assessments and financial losses proposed by our model with data on actual cryptojacking incidents. This will strengthen the model’s credibility and practical relevance for the digital agriculture sector.
Future iterations of the model are planned to include network dependencies for the interconnection between various components of the agri-digital infrastructure (e.g., IoT devices, cloud platforms, edge servers, autonomous equipment).
To enhance the value of assessments and improve risk mitigation measures, future research aims to integrate stakeholder-based sensitivity analysis using the following approaches:
  • Multi-criteria decision analysis (MCDA);
  • Utility-based analysis;
  • Stakeholder-based scenario analysis;
  • Customizable risk reports.

6. Conclusions

This study aims to create a robust framework for quantifying cryptojacking risks, using tools such as Monte Carlo simulations and Bayesian networks to analyze the probability of attacks and their financial consequences in five different scenarios. The results allow for the creation of loss-exceedance curves that show the probability of exceeding financial thresholds and ROSI calculations to justify security costs. This helps organizations reduce annual losses that range from $1,288,742 (insider attacks) to $3,327,459 (server compromise), while improving cybersecurity and resource efficiency.
The study assesses the risks of cryptojacking by analyzing endpoint vulnerabilities (unpatched OS, PowerShell, and WMI usage) and attack vectors such as compromised websites, infected applications, and the supply chain, and by assessing financial losses. Direct losses include energy overruns ($0.1–$0.15/kWh) and hardware depreciation (12–32% loss in productivity), while indirect losses include reduced productivity. Regarding the impact of cryptojacking on the agricultural sector, three classes of threats can be distinguished:
  • Increased electricity costs (in the agricultural sector, where there are already high electricity costs for irrigation, greenhouse lighting and other processes, the additional burden of cryptojacking can lead to even higher costs). This is especially true for farms that use automated systems and sensors that require constant power.
  • Reduced equipment performance (cryptojacking can slow down computers and other devices used in the agricultural sector for farm management, data analysis, and other tasks). This can lead to delays in decision-making, equipment errors and reduced overall productivity.
  • Cybersecurity risks (cryptojacking is often part of a wider cyberattack that can include data theft, equipment damage and other malicious actions).
In the agricultural sector, where precision farming systems, drones, and other technologies are increasingly used, the risks of cyberattacks are increasing. Implementing cybersecurity measures will help reduce these risks and protect the agricultural sector from cryptojacking and other cyberthreats. Measures aimed at countering cryptojacking in the agricultural sector are the same as in other industries, depending on the scenarios.
In addition to the technical findings, this study proposes a structured framework for assessing cryptojacking risks in digital agriculture by applying established probabilistic methods in a new domain. The combination of scenario-based modelling with financial loss estimation allows for a better understanding of how such attacks can affect agricultural operations. This approach may be further adapted to support risk-based decision-making and investment planning in similar cyber-physical environments.

Author Contributions

Conceptualization, T.B. and M.P.; methodology, T.B. and K.K.; literature review, T.B. and O.A.; funding acquisition, Y.M.; resources, N.K.; software, O.A., M.P. and P.M.; validation, Y.M. and P.M.; data curation, O.A., M.P. and P.M.; formal analysis, K.K. and Y.M.; writing—review and editing, N.K. and P.M.; project administration, N.K.; supervision, K.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

All data generated or analyzed during this study are included in this published article.

Acknowledgments

We used AI-generated images.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Volodina, V.N.; Lukashenko, I.V.; Rudakova, O.S. Digital ecosystem of the agricultural sector: Architecture, grain tokens, startups (Context of functional priority and sustainable development). Int. Agric. J. 2023, 66, 479–483. (In Russian). Available online: https://cyberleninka.ru/article/n/tsifrovaya-ekosistema-agrosektora-arhitektura-zernovye-tokeny-startapy-kontekst-funktsionalnogo-prioriteta-i-ustoychivogo-razvitiya/viewer (accessed on 26 March 2025).
  2. Philippine Statistics Authority. Available online: https://psa.gov.ph/ (accessed on 26 March 2025).
  3. IBM X-Force. Global Threat Intelligence Report. 2022. Available online: https://www.ibm.com/security/xforce (accessed on 26 March 2025).
  4. McAfee Labs. Threats Report. 2021. Available online: https://www.mcafee.com (accessed on 26 March 2025).
  5. Symantec. Internet Security Threat Report. 2021. Available online: https://www.symantec.com (accessed on 26 March 2025).
  6. Kaspersky. Kaspersky Security Bulletin. 2022. Available online: https://www.kaspersky.com (accessed on 26 March 2025).
  7. Verizon. Data Breach Investigations Report. 2022. Available online: https://www.verizon.com/business/resources/reports/dbir/ (accessed on 26 March 2025).
  8. ENISA. Threat Landscape. 2021. Available online: https://www.enisa.europa.eu (accessed on 26 March 2025).
  9. Gartner. Endpoint Security Hype Cycle. 2021. Available online: https://www.gartner.com (accessed on 26 March 2025).
  10. SP 800-30; Guide for Conducting Risk Assessments. National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2012.
  11. FAIR Institute. Factor Analysis of Information Risk (FAIR) Framework. 2020. Available online: https://www.fairinstitute.org (accessed on 26 March 2025).
  12. Ponemon Institute. Cost of a Data Breach Report. 2021. Available online: https://www.ibm.com/security/data-breach (accessed on 26 March 2025).
  13. Palko, D.; Myrutenko, L.; Babenko, T.; Bigdan, A. Model of Information Security Critical Incident Risk Assessment. In Proceedings of the 2020 IEEE International Conference on Problems of Infocommunications Science and Technology (PIC S&T), Kharkiv, Ukraine, 6–9 October 2020; pp. 157–161.
  14. IBM X-Force. Cryptojacking Rises 450 Percent as Cybercriminals Pivot from Ransomware to Stealthier Attacks. IBM Security, 26 February 2019. Available online: https://www.ibm.com/think/x-force/cryptojacking-rises-450-percent-as-cybercriminals-pivot-from-ransomware-to-stealthier-attacks (accessed on 26 March 2025).
  15. Adjibi, B.V.; Mbodji, F.N.; Bissyandé, T.F.; Allix, K.; Klein, J. The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android. In Proceedings of the 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM 2022), Limassol, Cyprus, 3–4 October 2022; pp. 153–163.
  16. Bijmans, H.L.J.; Booij, T.M.; Doerr, C. Inadvertently Making Cyber Criminals Rich: A Comprehensive Study of Cryptojacking Campaigns at Internet Scale. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 2019), Santa Clara, CA, USA, 14–16 August 2019; pp. 1627–1644. Available online: https://www.usenix.org/conference/usenixsecurity19/presentation/bijmans (accessed on 26 March 2025).
  17. Tekiner, E.; Acar, A.; Uluagac, A.S.; Kirda, E.; Selcuk, A.A. SoK: Cryptojacking Malware. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Vienna, Austria, 6–10 September 2021; pp. 120–139.
  18. Carlin, D.; Burgess, J.; O’Kane, P.; Sezer, S. You Could Be Mine(d): The Rise of Cryptojacking. IEEE Secur. Priv. 2020, 18, 16–22.
  19. Sudhakar; Kumar, S. An emerging threat Fileless malware: A survey and research challenges. Cybersecur 2020, 3, 1.
  20. Rani, U.; Kumar, S.; Dahiya, N.; Solanki, K.; Kuttan, S.R.; Shah, S.; Shaheen, M.; Ahmad, F. An optimized neural network with AdaHessian for cryptojacking attack prediction for Securing Crypto Exchange Operations of MEC applications. J. Cloud Comp. 2024, 13, 63.
  21. Varlioglu, S.; Elsayed, N.; ElSayed, Z.; Ozer, M. The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts. In SoutheastCon 2022; IEEE: Piscataway, NJ, USA, 2022.
  22. Caprolu, M.; Raponi, S.; Oligeri, G.; Di Pietro, R. Cryptomining makes noise: Detecting cryptojacking via Machine Learning. Comput. Commun. 2021, 171, 126–139.
  23. Laimon, M.; Almadadha, R.; Goh, S. Energy Consumption of Crypto Mining: Consequences and Sustainable Solutions Using Systems Thinking and System Dynamics Analysis. Sustainability 2025, 17, 3522.
  24. Senova, A.; Tobisova, A.; Rozenberg, R. New Approaches to Project Risk Assessment Utilizing the Monte Carlo Method. Sustainability 2023, 15, 1006.
  25. Le, A.; Chen, Y.; Chai, K.K.; Vasenev, A.; Montoya, L. Assessing Loss Event Frequencies of Smart Grid Cyber Threats: Encoding Flexibility into FAIR Using Bayesian Network Approach. In Smart Grid Inspired Future Technologies; Hu, J., Leung, V., Yang, K., Zhang, Y., Gao, J., Yang, S., Eds.; Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering; Springer: Cham, Switzerland, 2017; Volume 175.
  26. Kure, H.I.; Islam, S.; Ghazanfar, M.; Raza, A.; Pasha, M. Asset criticality and risk prediction for an effective cybersecurity risk management of cyber-physical system. Neural Comput. Appl. 2022, 34, 493–514.
  27. Pendleton, R.; Garcia-Lebron, R.; Xu, S. A Survey on Security Metrics. CoRR 2016, arXiv:1601.05792v1.
  28. Poh, G.S.; Divakaran, D.M.; Lim, H.W.; Ning, J.; Desai, A. A Survey of Privacy-Preserving Techniques for Encrypted Traffic Inspection over Network Middleboxes. CoRR 2021, arXiv:2101.04338.
  29. Ferdous, J.; Islam, R.; Mahboubi, A.; Islam, M.Z. A Survey on ML Techniques for Multi-Platform Malware Detection: Securing PC, Mobile Devices, IoT, and Cloud Environments. Sensors 2025, 25, 1153.
  30. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; NIST Special Publication 800-207; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
  31. Böhme, R.; Nowey, T. Economic Security Metrics. In Dependability Metrics; Eusgeld, I., Freiling, F.C., Reussner, R., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2008; Volume 4909.
  32. EIOPA. Methodological Principles of Insurance Stress Testing—Cyber Component. European Insurance and Occupational Pensions Authority, July 2023. Available online: https://www.eiopa.europa.eu/publications/methodological-principles-insurance-stress-testing-cyber-component_en (accessed on 26 March 2025).
  33. Wang, J.; Neil, M.; Fenton, N. A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model. Comput. Secur. 2020, 89, 101659.
  34. Wang, J.; Neil, M. A Bayesian-network-based cybersecurity adversarial risk analysis framework with numerical examples. arXiv 2021, arXiv:2106.00471.
  35. Le, T.D.; Ge, M.; Anwar, A.; Loke, S.W.; Beuran, R.; Doss, R.; Tan, Y. GridAttackAnalyzer: A Cyber Attack Analysis Framework for Smart Grids. Sensors 2022, 22, 4795.
  36. Budde, C.E.; Stoelinga, M. Efficient Algorithms for Quantitative Attack Tree Analysis. In Proceedings of the 2021 IEEE 34th Computer Security Foundations Symposium (CSF), Dubrovnik, Croatia, 21–25 June 2021; pp. 1–15.
  37. Kumar, R.; Schivo, S.; Ruijters, E.; Yildiz, B.M.; Huistra, D.; Brandt, J.; Rensink, A.; Stoelinga, M. Effective Analysis of Attack Trees: A Model-Driven Approach. In Fundamental Approaches to Software Engineering; Russo, A., Schürr, A., Eds.; FASE 2018. Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2018; Volume 10802.
  38. «Ecosystem 2.0: Climbing to the Next Level». McKinsey Report 2020. Available online: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/ecosystem-2-point-0-climbing-to-the-next-level (accessed on 26 March 2025).
  39. SP 800-90; Cyber Risk Quantification Guidelines. National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2023.
  40. Kwedza, P.; Chindipha, S.D. Cryptojacking Detection in Cloud Infrastructure Using Network Traffic. In Proceedings of the 2023 International Conference on Electrical, Computer and Energy Technologies (ICECET), Cape Town, South Africa, 16–17 November 2023; pp. 1–6.
  41. Ferreira, A.; Mukherjee, A.; Sequeira, F. Artificial Intelligence Techniques for Proactive Cyber Defense: A Review. Future Gener. Comput. Syst. 2022, 132, 173–187.
  42. Eggers, S.; Le Blanc, K. Survey of cyber risk analysis techniques for use in the nuclear industry. Prog. Nucl. Energy 2021, 140, 103908.
  43. MITRE ATT&CK. Tactics, Techniques, and Procedures of Cryptojacking Threat Actors. 2023. Available online: https://attack.mitre.org (accessed on 26 March 2025).
  44. Krisper, M.; Dobaj, J.; Macher, G.; Schmittner, C. RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. In Systems, Software and Services Process Improvement; Walker, A., O’Connor, R., Messnarz, R., Eds.; EuroSPI 2019. Communications in Computer and Information Science: Springer, Cham, Switzerland, 2019; Volume 1060.
  45. Gartner, B. Blockchain Will Deliver $3.1 Trillion Dollars in Value by 2030//ConsenSys.2019. Available online: https://medium.com/consensys-media/gartner-blockchain-will-deliver-3-1-trillion-dollars-in-value-by-2030-d32b79c4c560 (accessed on 26 March 2025).
  46. Walpole, R.E.; Myers, R.H.; Myers, S.L.; Ye, K. Probability and Statistics for Engineers and Scientists, 9th ed.; Pearson Education: London, UK, 2011; 812p, ISBN 978-0-321-83144-6. Available online: https://spada.uns.ac.id/pluginfile.php/221008/mod_resource/content/1/ProbabilityStatistics_for_EngineersScientists%289th_Edition%29_Walpole.pdf (accessed on 26 March 2025).
  47. Kerzner, H. Project Management: A Systems Approach to Planning, Scheduling, and Controlling, 10th ed.; John Wiley & Sons: Hoboken, NJ, USA, 2009; 1122p, ISBN 978-0-470-50383-6. Available online: https://ftp.idu.ac.id/wp-content/uploads/ebook/ip/BUKU%20MANAJEMEN%20PROYEK/project-management-harold-kerzner1.pdf (accessed on 26 March 2025).
  48. Ransomware, Cryptojacking and Beyond: Emerging Security Trends. Available online: https://www.bankinfosecurity.com/surveys/ransomware-cryptojacking-beyond-emerging-security-trends-s-95 (accessed on 26 March 2025).
  49. Mining for Virtual Gold: Understanding the Threat of Cryptojacking. Available online: https://www.marsh.com/content/dam/marsh/Documents/PDF/en_nz/understanding-the-threat-of-cryptojacking.pdf (accessed on 26 March 2025).
  50. Babenko, T.; Kolesnikova, K.; Lisnevskyi, R.; Makilenov, S.; Landovsky, Y. Definition of Cryptojacking Indicators. In Proceedings of the 8th International Conference on Digital Technologies in Education, Science and Industry, DTESI 2023, Almaty, Kazakhstan, 6–7 December 2023; CEUR Workshop Proceedings, Volume 3680: Aachen, Germany, 2024. Available online: https://ceur-ws.org/Vol-3680/S4Paper6.pdf (accessed on 26 March 2025).
  51. Poleto, T.; Silva, M.M.; Clemente, T.R.N.; de Gusmão, A.P.H.; Araújo, A.P.d.B.; Costa, A.P.C.S. A Risk Assessment Framework Proposal Based on Bow-Tie Analysis for Medical Image Diagnosis Sharing within Telemedicine. Sensors 2021, 21, 2426.
  52. Nykyforova, L.; Kiktev, N.; Lendiel, T.; Pavlov, S.; Mazurchuk, P. Computer-integrated control system for electrophysical methods of increasing plant productivity. Mach. Energetics 2023, 14, 34–45.
  53. Lysenko, V.; Lendiel, T.; Bolbot, I.; Pavlov, S. Mobile system for monitoring plant environment parameters for biogas production. Mach. Energetics 2023, 14, 111–120.
  54. Khort, D.; Kutyrev, A.; Kiktev, N.; Hutsol, T.; Glowacki, S.; Kuboń, M.; Nurek, T.; Rud, A.; Gródek-Szostak, Z. Automated mobile hot mist generator: A quest for effectiveness in fruit horticulture. Sensors 2022, 22, 3164.
  55. Khort, D.O.; Kutyrev, A.; Smirnov, I.; Andriyanov, N.; Filippov, R.; Chilikin, A.; Astashev, M.E.; Molkova, E.A.; Sarimov, R.M.; Matveeva, T.A.; et al. Enhancing Sustainable Automated Fruit Sorting: Hyperspectral Analysis and Machine Learning Algorithms. Sustainability 2024, 16, 10084.
  56. Kalivoshko, O.; Myrvoda, A.; Kraevsky, V.; Paranytsia, N.; Skoryk, O.; Kiktev, N. Accounting and Analytical Aspect of Reflection of Foreign Economic Security of Ukraine. In Proceedings of the 2022 IEEE 9th International Conference on Problems of Infocommunications, Science and Technology (PIC S&T), Kharkiv, Ukraine, 10–12 October 2022; pp. 405–410.
  57. Palko, D.; Babenko, T.; Bigdan, A.; Kiktev, N.; Hutsol, T.; Kuboń, M.; Hnatiienko, H.; Tabor, S.; Gorbovy, O.; Borusiewicz, A. Cyber Security Risk Modeling in Distributed Information Systems. Appl. Sci. 2023, 13, 2393.
  58. Hnatiienko, H.; Kiktev, N.; Babenko, T.; Desiatko, A.; Myrutenko, L. Prioritizing Cybersecurity Measures with Decision Support Methods Using Incomplete Data. CEUR Workshop Proc. 2021, 3241, 169–180.
  59. Palko, D.; Hnatienko, H.; Babenko, T.; Bigdan, A. Determining key risks for modern distributed information systems. CEUR Workshop Proc. 2021, 3018, 81–100.
  60. Hubskyi, O.; Babenko, T.; Myrutenko, L.; Oksiiuk, O. Detection of SQL Injection Attack Using Neural Networks. In Mathematical Modeling and Simulation of Systems (MODS’2020). MODS 2020; Shkarlet, S., Morozov, A., Palagin, A., Eds.; Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2021; Volume 1265.
  61. Kiktev, N.; Osypenko, V.; Shkurpela, N.; Balaniuk, A. Input Data Clustering for the Efficient Operation of Renewable Energy Sources in a Distributed Information System. In Proceedings of the 2020 IEEE 15th International Conference on Computer Sciences and Information Technologies (CSIT), Zbarazh, Ukraine, 23–26 September 2020; pp. 9–12.
  62. Kiktev, N.; Rozorinov, H.; Masoud, M. Information model of traction ability analysis of underground conveyors drives. In Proceedings of the 2017 XIIIth International Conference on Perspective Technologies and Methods in MEMS Design (MEMSTECH), Lviv, Ukraine, 20–23 April 2017; pp. 143–145.
  63. Hetmańczuk, T. Cryptojacking: Definition, Implementation, Effects and Protection Against That Form of Cyberattack. Is Malicious Cryptomining a Manifestation of the Crisis Behaviour of Individual Miners During Cryptocurrency Rush? In Reactions of Market Entities to Crisis Situations 2023; Styś, A., Ed.; Publishing House of Wroclaw University of Economics and Business: Wroclaw, Poland, 2023; pp. 73–96.
  64. Eskandari, S.; Leoutsarakos, A.; Mursch, T.; Clark, J. A First Look at Browser-Based Cryptojacking. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), London, UK, 24–26 April 2018; pp. 58–66.
Figure 1. Structure of the digital agroecosystem and interactions among its elements (the figure was made by the authors, all photographs in the figure were taken by the authors, and the fragment of the figure labeled “Aggregator company” was generated using AI).
Figure 2. Example of a risk tree with multiple attack paths.
Figure 3. Fault tree representation of cryptojacking risk.
Figure 4. Example of an event tree representing cryptojacking response scenarios.
Figure 5. Probability density functions for different distributions.
Figure 6. Cryptojacking scheme according to the first scenario (the figure was made by the authors, and fragments of the figure were generated using AI).
Figure 7. Probability density function for the first scenario (a); generated annual losses for the first scenario: current security state (b) and future security state (c).
Figure 8. Loss exceedance curve for the first scenario: current security state (a) and future security state (b).
Figure 9. Cryptojacking scheme according to the second scenario (the figure was made by the authors, and fragments of the figure were generated using AI).
Figure 10. Probability density function for the second scenario (a); generated annual losses for the third scenario: current security state (b) and future security state (c).
Figure 11. Loss exceedance curve for scenario 2 (a); illustration of the same simulation rerun with enhanced security controls that block the majority of cryptojacking attempts upon detection (b).
Figure 12. Cryptojacking scheme for the third scenario (the figure was made by the authors, and fragments of the figure were generated using AI).
Figure 13. Generated annual losses for the third scenario: current security state (a) and future security state (b).
Figure 14. Loss exceedance curve for the third scenario: current security state (a) and future security state (b).
Figure 15. Cryptojacking scheme according to the fourth scenario (the figure was made by the authors, and fragments of the figure were generated using AI).
Figure 16. Probability density function for the fourth scenario (a); generated annual losses for the fourth scenario (b); loss exceedance curve for the fourth scenario (c).
Figure 17. Loss exceedance curve for the fourth scenario: current security state (a) and future security state (b).
Figure 18. Cryptojacking scheme according to the fourth scenario (the figure was made by the authors, the photograph in the drawing was taken by the authors, and fragments of the drawing were generated using AI).
Figure 19. Probability density function for the fifth scenario (a); generated annual losses for the fifth scenario: current security state (b) and future security state (c).
Figure 20. Loss exceedance curve for the fifth scenario: current security state (a) and future security state (b).
Figure 21. Values of the ALE (a) and ROSI (b) indicators for scenarios 1–5: yellow—negative ROSI value, purple and green—positive ROSI value.
Table 1. Key unresolved challenges in cryptojacking risk assessment.

| Unresolved Problem | Description | Potential Solutions |
|---|---|---|
| Dynamic Resource Throttling | Cryptominers adjust CPU/GPU consumption in real time, staying below typical detection baselines. | Implement adaptive ML models that compare current to historical usage; deploy high-frequency performance counters to detect subtle resource spikes [21]. |
| Cross-Platform Heterogeneity | Attacks span Windows, macOS, Linux, mobile, and IoT environments, each demanding specialized risk assessment. | Create modular frameworks for OS-specific telemetry; consolidate unified risk scoring across various platforms [28]. |
| Inconsistent Data Collection | Many organizations lack standardized logs or real-time endpoint telemetry, undermining probabilistic modeling of cryptomining losses. | Adopt uniform logging protocols; incentivize anonymized data sharing (e.g., via industry consortia) to improve model accuracy [22]. |
| Privacy and Compliance Barriers | Deep packet inspection or SSL interception can violate data protection laws, limiting detection of encrypted cryptojacking traffic. | Pursue selective decryption under strict governance; refine legal frameworks to permit cryptojacking detection within privacy constraints [28]. |
| Limited Incident Disclosure | Organizations often do not report cryptojacking attacks, restricting the availability of large-scale empirical datasets. | Encourage transparency through regulatory or insurance incentives; develop safe-harbor policies shielding proactive disclosures from punitive repercussions [23]. |
Table 2. Sample parameters and example values for cryptojacking risk modeling.
Table 2. Sample parameters and example values for cryptojacking risk modeling.
| Parameter | Example Value/Range | Description |
|---|---|---|
| Historical Attack Frequency | 8–12 incidents/year | Number of cryptojacking attempts or detections logged over the past 12 months, providing insight into overall exposure and serving as a baseline for forecasting |
| Threat Intelligence Factor | Elevated during crypto bull runs | Adjustment to likelihood estimates based on market data, as attackers show more interest in cryptojacking when cryptocurrency prices surge |
| Unpatched Vulnerabilities | Four critical CVEs/server | Known software or OS flaws that cryptojackers can exploit, often correlated with higher compromise success rates |
| Defensive Evasion Rate | 20–35% | Approximate percentage of attacks bypassing existing security controls, used to refine the probability component of risk equations |
| Avg. CPU Usage (Malicious) | 25–80% additional load | Typical rise in CPU utilization caused by cryptojacking scripts, forming the basis for electricity cost calculations |
| Electricity Rate | $0.12 per kWh | Average local cost of power, essential for evaluating the extra expenses imposed by unauthorized cryptomining |
| Hardware Depreciation Factor | 1.15–1.25 multiplier | Quantification of accelerated component wear due to sustained 24/7 cryptomining, often resulting in earlier-than-planned hardware replacements |
| Productivity Impact | 10–30% performance slowdown | Estimated reduction in user or system productivity, translating into calculable wage or revenue losses |
| ARO Sensitivity | ±10% based on crypto price | Variation in annual rate of occurrence driven by fluctuations in cryptocurrency market values, introduced into Monte Carlo simulations or Bayesian updates |
| Incident Response Costs | $5000–$20,000/incident | Staff labor, external consulting, or forensic tools required to investigate and remediate cryptojacking incidents |
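
An added example (not code from the article): a Monte Carlo estimate of annual cryptojacking loss that samples the Table 2 ranges. The uniform distributions, the loss formula, and the constants marked as assumed (CPU power draw, baseline depreciation, host-hour value, working-hours share, hosts per incident, dwell time) are illustrative assumptions, not the authors' model.

```python
import random
import statistics

# Table 2 ranges; sampling each uniformly is an assumption of this example.
ATTACKS_PER_YEAR = (8, 12)        # historical attack frequency
ARO_SENSITIVITY = 0.10            # +/-10% swing with crypto price
EVASION_RATE = (0.20, 0.35)       # share of attacks bypassing controls
EXTRA_CPU_LOAD = (0.25, 0.80)     # additional CPU utilisation
ELECTRICITY_RATE = 0.12           # $ per kWh
HW_DEPRECIATION = (1.15, 1.25)    # wear multiplier
SLOWDOWN = (0.10, 0.30)           # productivity impact
RESPONSE_COST = (5000, 20000)     # $ per incident

# Assumed values, NOT from the article: tune to your own estate.
CPU_FULL_LOAD_KW = 0.15           # power drawn by one CPU at 100% load
HW_BASE_DEPRECIATION = 300.0      # $ per host per year, normal wear
HOST_HOUR_VALUE = 30.0            # $ of work one host supports per hour
WORK_FRACTION = 1 / 3             # share of dwell time that is working hours
HOSTS = (1, 20)                   # hosts mined per successful incident
DWELL_HOURS = (24, 720)           # time until the miner is removed

def incident_loss(hosts, hours, load, depr, slowdown, response):
    """Dollar loss of one successful cryptojacking incident."""
    electricity = hosts * hours * load * CPU_FULL_LOAD_KW * ELECTRICITY_RATE
    hardware = hosts * HW_BASE_DEPRECIATION * (depr - 1) * hours / 8760
    productivity = hosts * hours * WORK_FRACTION * slowdown * HOST_HOUR_VALUE
    return electricity + hardware + productivity + response

def simulate(trials=10_000, seed=1):
    """Return one simulated annual loss per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        aro = rng.uniform(*ATTACKS_PER_YEAR) * (1 + rng.uniform(-ARO_SENSITIVITY, ARO_SENSITIVITY))
        evasion = rng.uniform(*EVASION_RATE)
        # Each attempt bypasses controls with probability `evasion`.
        successes = sum(rng.random() < evasion for _ in range(round(aro)))
        losses.append(sum(
            incident_loss(rng.randint(*HOSTS), rng.uniform(*DWELL_HOURS),
                          rng.uniform(*EXTRA_CPU_LOAD), rng.uniform(*HW_DEPRECIATION),
                          rng.uniform(*SLOWDOWN), rng.uniform(*RESPONSE_COST))
            for _ in range(successes)))
    return losses

def summarize(losses):
    """Mean and 95th-percentile annual loss."""
    ordered = sorted(losses)
    return statistics.mean(ordered), ordered[int(0.95 * (len(ordered) - 1))]

if __name__ == "__main__":
    mean, p95 = summarize(simulate())
    print(f"mean annual loss ${mean:,.0f}, 95th percentile ${p95:,.0f}")
```

With these assumed constants the productivity and incident-response terms dominate the electricity and hardware terms, so the result is most sensitive to dwell time and the number of hosts affected.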

Babenko, T.; Kolesnikova, K.; Panchenko, M.; Abramkina, O.; Kiktev, N.; Meish, Y.; Mazurchuk, P. Risk Assessment of Cryptojacking Attacks on Endpoint Systems: Threats to Sustainable Digital Agriculture. Sustainability 2025, 17, 5426. https://doi.org/10.3390/su17125426
