There’s something new to add to your fun mental list of invisible internet dangers. Joining classic favorites like adware and spyware comes a new, tricky threat called “cryptojacking,” which secretly uses your laptop or mobile device to mine cryptocurrency when you visit an infected site.

Malicious miners aren’t new in themselves, but cryptojacking has exploded in popularity over the past few weeks, because it offers a clever twist. Bad guys don’t need to sneak software onto your computer to get it going, which can be a resource-intensive attack. Instead, the latest technique uses Javascript to start working instantly when you load a compromised web page. There's no immediate way to tell that the page has a hidden mining component, and you may not even notice any impact on performance, but someone has hijacked your devices—and electric bill—for digital profit.

The idea for cryptojacking coalesced in mid-September, when a company called Coinhive debuted a script that could start mining the cryptocurrency Monero when a webpage loaded. The Pirate Bay torrenting site quickly incorporated it to raise funds, and within weeks Coinhive copycats started cropping up. Hackers have even found ways to inject the scripts into websites like Politifact.com and Showtime, unbeknownst to the proprietors, mining money for themselves off of another site’s traffic.

'There’s no opt-in option or opt-out. We’ve observed it putting a real strain on system resources.' Adam Kujawa, Malwarebytes Labs

So far these types of attacks have been discovered in compromised sites' source code by users—including security researcher Troy Mursch—who notice their processor load spiking dramatically after navigating to cryptojacked pages. To protect yourself from cryptojacking, you can add sites you're worried about, or ones that you know practice in-browser mining, to your browser's ad blocking tool. There's also a Chrome extension called No Coin, created by developer Rafael Keramidas, that blocks Coinhive mining and is adding protection against other miners, too.

"We’ve seen malicious websites use embedded scripting to deliver malware, force ads, and force browsing to specific websites," says Karl Sigler, threat intelligence research manager at SpiderLabs, which does malware research for the scanner Trustwave. "We’ve also seen malware that focuses on either stealing cryptocurrency wallets or mining in the background. Combine the two together and you have a match made in hell."

What complicates the cryptojacking wave, experts argue, is that with the right protections in place it could actually be a constructive tool. Coinhive has always maintained that it intends its product as a new revenue stream for websites. Some sites already use a similar approach to raise funds for charitable causes like disaster relief. And observers particularly see in-browser miners as a potential supplement or alternative to digital ads, which notoriously have security issues of their own.

Early adopters like the Pirate Bay have made a pitch to their users that the technology is worth tolerating. "Do you want ads or do you want to give away a few of your CPU cycles every time you visit the site?" Pirate Bay asked its users in mid-September. Most commenters on the feedback request supported in-browser mining if it reduced ads, but one noted that if multiple sites adopt the technique, having multiple tabs open while browsing the web could eat up processing resources.

The concerns run deeper among audiences unaware that their devices are being used without their knowledge or consent. In fact, malware scanners have already begun blocking these mining programs, citing their intrusiveness and opacity. Coinhive, and the rash of alternatives that have cropped up, need to take good-faith steps, like incorporating hard-coded authentication protections and adding caps on how much user processing power they draw, before malware scanners will stop blocking them.

“Everything is kind of crazy right now because this just came out,” says Adam Kujawa, the director of Malwarebytes Labs, which does research for the scanning service Malwarebytes and started blocking Coinhive and other cryptojacking scripts this week. “But I actually think the whole concept of a script-based miner is a good idea. It could be a viable replacement for something like advertising revenue. But we’re blocking it now just because there’s no opt-in option or opt-out. We’ve observed it putting a real strain on system resources. The scripts could degrade hardware.”