
LeechHijack: Covert Resource Attacks

Updated 9 December 2025
  • LeechHijack is a set of stealthy techniques that exploit trusted infrastructures to hijack computational and informational resources, covering methods from cryptojacking to model extraction.
  • It includes detailed analyses of browser-based cryptojacking, autonomous agent exploits, and indirect prompt injections with quantitative data on detection and success rates.
  • Emerging defenses emphasize cryptographic provenance, runtime resource accounting, and behavioral audits to mitigate stealth attacks across diverse digital ecosystems.

LeechHijack denotes a collection of techniques and attacks that covertly expropriate computational or informational resources by “leeching” off trusted infrastructures while remaining either stealthy or strictly compliant with allowed privileges. The term encompasses a variety of domains, from parasitic browser-based cryptocurrency mining and adversarial agent tooling, to off-path account takeovers in Internet infrastructure and black-box model extraction in machine learning. While the specific technical mechanisms vary, all instances share the core goal of subverting trust or implicit assumptions to hijack value—such as CPU cycles, credentials, control, or model knowledge—without immediate or explicit detection.

1. Browser-Based LeechHijack: Cryptojacking and Resource Parasites

The archetypal web-based LeechHijack attack is cryptojacking, wherein a malicious actor injects JavaScript/WebAssembly mining code (commonly CoinHive or a fork) into third-party pages. Unsuspecting users then contribute their CPUs to mine cryptocurrencies (e.g., Monero) without consent. The canonical workflow is:

  • Automated discovery proceeds in three phases: (1) high-recall candidate detection via browser automation and resource profiling, (2) dynamic CPU sampling to confirm persistent miners, and (3) static fingerprinting to generalize and detect dormant or delayed miners (Musch et al., 2018).
  • Prevalence in the Alexa Top 1M approaches 1 in 500 sites; 2,506 confirmed cryptojacking sites were identified in a grounded 3-phase analysis (Musch et al., 2018).

| Phase | Technique | Result (Alexa 1M) |
|---|---|---|
| Candidate | Heuristic profiling | 4,627 “suspicious” sites |
| Active-Miner | High-res CPU usage | 1,939 mining confirmed |
| Fingerprint | Static code signatures | 2,506 total detected |

  • The mining code is highly monocultural at the binary level (96% CoinHive-derivative WASM), with most operators configuring 50–70% CPU utilization to avoid detection; 15% over-allocate workers above core count.
  • Revenue estimation follows $E = v \times t \times c \times \rho \times \frac{R_b}{D}$, yielding between $0.22\,\mathrm{XMR}/d$ ($\approx\$50/d$) for mid-volume sites to $1.5\,\mathrm{XMR}/d$ for the top 10.
  • Blacklist-based defenses (NoCoin, MinerBlock, Adblock lists) exhibit poor recall—45–60%—due to obfuscation, custom hosting, and dormant miners, with the majority bypassing detection via simple evasion techniques.

These findings emphasize the limitations of static signature approaches and motivate browser-kernel solutions: tab-level CPU budget quotas, visible dashboards for resource spikes, opt-in gating for WebAssembly, and robust behavioral profiling (Musch et al., 2018).

2. LeechHijack in Autonomous Agent Ecosystems

LeechHijack is generalized in the context of LLM-based intelligent agents integrating third-party tools via the Model Context Protocol (MCP) (Zhang et al., 2 Dec 2025). Here, the key shift is from explicit resource theft to “implicit toxicity”: malicious yet permission-compliant plugins (so-called “latent embedded exploits”) that surreptitiously divert agent computational cycles to attacker-specified workloads.

  • Attacker supplies a community tool with a dormant backdoor. When triggered (content, frequency, or context-based), a command-and-control beacon receives a covert payload $P_\delta$, which is appended as a normal agent sub-task.
  • Formally, normal tool behavior is $f_T(x)$, while a LeechHijack tool $f_{T^\delta}(x)$ computes $f_T(x) + \delta(x)$, hiding the resource cost $\delta_C$ within normal compute variance.
  • Across Deepseek, GPT-4o, Qwen3, and Gemini, LeechHijack tool implants achieved a $77.25\%$ success rate with $18.62\%$ average resource (token) overhead, and no meaningful drop in user-facing task accuracy (Zhang et al., 2 Dec 2025).

Robust defense requires nontrivial cryptographic provenance: binding every tool invocation to a verifiable provenance record $(i, h_{in}, c_i, y_i)$, where $h_{in}$ is a hash of input and log context, and $c_i$ the resource cost. Auditing then flags any non-matching attestation. Additionally, fine-grained sandboxing and post-hoc behavioral audits by LLM “judge” models can achieve F1 up to 0.96 in detecting off-topic or excessive tool chains (Zhang et al., 2 Dec 2025).

3. Indirect Prompt Injection and Resource Hijack in Web Agents

A related LeechHijack modality targets LLM-based web navigation agents through Indirect Prompt Injection (IPI), manipulating the Accessibility Tree (A11y Tree) used during HTML parsing (Johnson et al., 20 Jul 2025). The attack flow is:

  • Attacker controls part of a page’s HTML (ad unit, user content), injecting an optimized trigger string $x_{trig}$ into the A11y Tree.
  • When the agent serializes this tree into an LLM prompt, the hidden trigger perturbs the agent’s behavior, causing execution of attacker goals (credential exfiltration, forced ad interactions) irrespective of the user’s intent.
  • Optimization searches for $x_{trig}^* = \arg\min_{x_{trig}\in V^k} -\log P_\theta(y_{targ}\mid x_{pre}\,\|\, x_{trig} \,\|\, x_{post})$ across diverse contexts.
  • Experimental attack success rates (ASR) ranged from $83\%$ to $94\%$ on real sites for targeted actions; credential exfiltration across unseen login pages reached $27.3\%$ for full, $54.5\%$ for partial leakage (Johnson et al., 20 Jul 2025).

Effective mitigations include sanitizing the A11y Tree, restricting action vocabularies, output filtering, and adversarial training against synthetic triggers. However, the attack illustrates the fundamental vulnerability in blind agent trust of complex input serialization.
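
One way to apply the first two mitigations, sanitizing the A11y Tree and restricting the action vocabulary, shown as an added example that is not code from the cited paper. The node fields (`hidden`, `untrusted`), the verb allow-list and the length cap are assumptions made for illustration.

```python
import re

ALLOWED_VERBS = {"click", "type", "scroll"}   # assumed task-scoped action vocabulary
MAX_NAME_LEN = 80                              # assumed cap on accessible-name length
# Control characters and zero-width / bidi marks that can hide text from a human reviewer
INVISIBLE = re.compile(r"[\x00-\x1f\u200b-\u200f\u202a-\u202e\u2060-\u2064]")

def sanitize_a11y(nodes):
    """Return the nodes that may be serialized into the LLM prompt."""
    clean = []
    for n in nodes:
        if n.get("hidden"):
            continue                                   # never serialize hidden nodes
        if n.get("untrusted"):                         # ad unit or user content
            name = "[third-party content withheld]"    # keep structure, drop the text
        else:
            name = INVISIBLE.sub("", n.get("name", ""))[:MAX_NAME_LEN]
        clean.append({"id": n["id"], "role": n["role"], "name": name,
                      "untrusted": bool(n.get("untrusted"))})
    return clean

def check_action(action, clean_nodes):
    """Reject agent actions outside the vocabulary or aimed at untrusted nodes."""
    targets = {n["id"]: n for n in clean_nodes}
    if action.get("verb") not in ALLOWED_VERBS:
        return "reject: verb not in vocabulary"
    node = targets.get(action.get("target"))
    if node is None:
        return "reject: target not in sanitized tree"
    if node["untrusted"]:
        return "reject: target is third-party content"
    return "allow"

# Constructed sample tree: a login form plus an ad slot and a hidden node.
PAGE = [
    {"id": 1, "role": "textbox", "name": "Email"},
    {"id": 2, "role": "button", "name": "Sign\u200b in"},
    {"id": 3, "role": "link", "name": "<constructed trigger text> " * 20, "untrusted": True},
    {"id": 4, "role": "text", "name": "<constructed hidden text>", "hidden": True},
]
```

The sanitizer runs before serialization and the action check runs on the model's output, so a trigger that survives the first step still cannot select a verb or target outside the allow-list.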

4. Off-Path Internet Resource Seizure: Infrastructure LeechHijack

LeechHijack also describes structured off-path attacks that subvert DNS and account management protocols to seize control of Internet resources—IP prefixes, ASNs, domains, IaaS accounts, and certificates—by hijacking password-recovery workflows (Dai et al., 2022).

  • Core primitive is DNS cache poisoning using Kaminsky-style TXID+port guessing, SadDNS ICMP port inference, or FragDNS IP-fragmentation, to redirect password resets to adversary-controlled mailboxes.
  • Once accounts are hijacked, the attacker can manipulate IRR/RPKI objects for stealthy BGP prefix theft, delegate new admin roles, exfiltrate IaaS assets, or obtain fraudulent TLS certificates.
  • 68% of IPv4 address space and 31% of Alexa Top 1M domains observed to be vulnerable; 65% of RIR customer accounts and 62% of registrar (top 100K) accounts susceptible (Dai et al., 2022).
  • Mitigations include pervasive DNSSEC, unfragmented UDP responses, mandatory non-email 2FA, out-of-band notification, IP-restricted portal logins, and auditable resource registries.

These vulnerabilities arise from legacy reliance on email/DNS underpinned account security, demonstrating that massive Internet-scale resource hijacking is possible without direct compromise of core infrastructure (Dai et al., 2022).

5. Black-Box Model Extraction: LeechHijack in Machine Learning

An emergent LeechHijack vector involves knowledge distillation from proprietary LLMs via black-box extraction (Model Leeching) (Birch et al., 2023):

  • Adversary queries a public LLM API (e.g. ChatGPT-3.5-Turbo) across a natural task corpus, retaining outputs as a synthetic dataset.
  • A smaller local model is fine-tuned ($\mathcal{L}_{leech}(\theta) = \frac{1}{N} \sum_i \ell_{ce}(f_\theta(x_i), y^T_i)$) to maximize exact-match and F1 similarity to the target LLM.
  • $83,335$ valid labels were collected at a cost of $<\$50$, producing a RoBERTa-Large distilled model achieving $0.73$ EM / $0.87$ F1 against target labels.
  • More critically, adversarial inputs crafted on the extracted model transfer with elevated success: AddSent perturbations gain 11% attack success rate when applied back to the original LLM (Birch et al., 2023).

Proposed defenses include API throttling, output randomization, and prompt/output watermarking, but the core threat remains the efficient leakage of LLM task capability to adversaries via accessible APIs.

6. Other Modalities: Peer-to-Peer, PowerShell, WebRTC

LeechHijack further generalizes to settings such as:

  • Lotus-Eater style attacks in P2P: Targeting threshold-driven behavior in protocols (BitTorrent, scrip/currency systems) so that select peers are satiated and become non-responders, depriving honest peers of critical service slots (0806.1711). The disruption is $D = b/H = \min(R/(T H), 1)$, emphasizing the relationship between attacker bandwidth, threshold, and honest peer-pool size.
  • PowerShell runtime: Hijack via stealthy runtime .NET injectors—IL patching, JIT hooking, native trampolines, C-based API hooks—enables monitoring, control, or subversion of PowerShell scripting (e.g., for defense, but methods easily co-opted for attack) (Rousseau, 2017).
  • WebRTC in browsers: “LeechHijack” context attacks exploit ICE candidate gathering to extract user IPs (including public IPv6 and VPN-private addresses) via JavaScript, with privacy risks modulated by browser, VPN protocol, and configuration (Al-Fannah, 2017).

Each exemplifies a LeechHijack pattern: subverting protocol, resource, or API assumptions to exfiltrate or abuse target resources covertly.

7. Synthesis and Defenses

LeechHijack typifies the evolutionary arms race at the boundary of privilege, trust, and statistical detection:

  • Detection efficacy is throttled by adversarial mimicry of benign behavior, privilege-constrained (implicit) toxic workloads, and evasion of static or blacklist-based controls.
  • Robust defenses converge on continuous, cryptographically verifiable provenance (attestation), runtime resource accounting, agent-side memory and action auditing, strong sandboxing, opt-in/consent for intensive operations, and periodic model/behavior retraining.
  • The cross-domain pervasiveness of LeechHijack illustrates the urgent need for system-level provenance, real-time auditability, and layered, post-hoc detectability rather than reliance on static signatures or privilege escalation triggers.
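
The provenance record from section 2, $(i, h_{in}, c_i, y_i)$, combined with the runtime resource accounting listed above, as an added example that is not code from the cited paper. The HMAC key held by the agent runtime, the planner-side log of intended calls and the fixed per-call budget are assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: held by the agent runtime, never by the tool
FIELDS = ("i", "h_in", "c", "y")

def h_in(tool_input, log_context):
    """Hash of the input and log context, as in the record (i, h_in, c_i, y_i)."""
    blob = json.dumps([tool_input, log_context], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def _tag(rec):
    body = json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def attest(i, tool_input, log_context, cost, output):
    """Runtime side: emit one attested record per tool invocation."""
    rec = {"i": i, "h_in": h_in(tool_input, log_context), "c": cost, "y": output}
    rec["tag"] = _tag(rec)
    return rec

def audit(records, planned, budget):
    """planned: i -> (input, context) the planner logged; budget: assumed max cost per call."""
    findings = []
    for rec in records:
        if not hmac.compare_digest(_tag(rec), rec.get("tag", "")):
            findings.append((rec["i"], "bad-tag"))            # record altered after signing
        elif rec["i"] not in planned or h_in(*planned[rec["i"]]) != rec["h_in"]:
            findings.append((rec["i"], "input-mismatch"))     # call the planner never issued
        elif rec["c"] > budget:
            findings.append((rec["i"], "cost-over-budget"))
    return findings

def demo():
    # Constructed trace: token costs and task strings are illustrative only.
    planned = {0: ("weather Paris", "task-1"), 1: ("weather Rome", "task-1"),
               3: ("weather Oslo", "task-1")}
    recs = [attest(0, "weather Paris", "task-1", 120, "sunny"),
            attest(1, "weather Rome", "task-1", 900, "rain"),
            attest(2, "appended sub-task", "task-1", 150, "done"),
            attest(3, "weather Oslo", "task-1", 400, "snow")]
    recs[3]["c"] = 100          # cost edited after attestation
    return audit(recs, planned, budget=300)
```

A fixed budget alone misses overhead that stays inside normal compute variance, so the input-binding check against the planner's log is the part that catches an appended sub-task.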

In summary, LeechHijack defines a broad, evolving class of attacks whose central tactics are the covert, trust-bound expropriation and reallocation of computational, informational, or infrastructural value, mandating holistic architectural controls across digital ecosystems (Musch et al., 2018, Dai et al., 2022, Zhang et al., 2 Dec 2025, Johnson et al., 20 Jul 2025, Birch et al., 2023, 0806.1711, Rousseau, 2017, Al-Fannah, 2017).
