In 2001, a team of researchers at Notre Dame published a paper in Nature describing a technique they called parasitic computing. It exploited something mundane: every time one computer sends a message to another over the internet, the receiving machine performs a checksum — a small calculation to verify the message arrived intact. The researchers realized that if you crafted your messages carefully, you could arrange for those checksums to accidentally solve a mathematical problem you cared about, without the receiving computer having any idea it was doing your work. They demonstrated it by getting distant web servers to compute pieces of a hard satisfiability problem, purely by sending them ordinary-looking HTTP requests. The servers believed they were processing normal traffic. They were, in fact, a free distributed computer the researchers never paid for.
The original technique was a curiosity — inefficient, impractical, more proof-of-concept than threat. But the idea it named turned out to be one of the most durable patterns in computing: parasitic computing — computation that runs on the side effects of other systems' normal operation, profitable to the party doing the exploiting and invisible to the party whose resources are being spent. Two decades later the pattern is everywhere, and it has grown from an academic stunt into an industry.
The pattern, stated plainly
Parasitic computing is defined by a specific asymmetry: someone extracts useful computation from a system by engaging it in interactions it was designed to accept, so that no rule is broken and no alarm is tripped, while the cost — electricity, CPU cycles, wear, money — falls silently on the owner. It is not hacking in the classic sense; often nothing is technically compromised. The genius, and the menace, is that it uses the target's intended behavior against the target's interest. The checksum was supposed to run. The web server was supposed to answer requests. The parasite simply arranges for that legitimate activity to also serve a purpose the owner never agreed to and never sees. Because nothing looks broken, the exploitation can continue indefinitely, which is exactly what makes the pattern so persistent: it hides inside normal operation, where almost nothing is built to look for it.
How it grew up: from checksums to cryptojacking
The pattern's defining modern form arrived with cryptocurrency, which turned stolen computation directly into money and gave parasitic computing an economic engine the 2001 version lacked. In September 2017 a service called Coinhive made it trivial: a few lines of JavaScript embedded in a web page would quietly use each visitor's CPU to mine the cryptocurrency Monero while they browsed. Used legitimately, it was a novel alternative to advertising. Used the other way — injected into hacked websites, or bundled into apps without disclosure — it was theft of computation at scale, and it spread fast: before Coinhive shut down in 2019, it was implicated in more than two-thirds of all cryptojacking. Hacked university and government websites turned their visitors' phones and laptops into unwitting mining rigs. The parasite had found its host: not a single server solving a math problem, but millions of ordinary devices, each giving up a sliver of computation and a sliver of electricity to enrich someone they would never see. The venue kept moving — into cloud accounts, continuous-integration runners, and any free tier that offered computation someone else would pay for — but the shape never changed.
Why the pattern keeps winning
Parasitic computing persists for the same structural reason across all its forms: the cost is small per victim, diffuse across many, and invisible to each. A cryptojacked phone runs a little hotter and a little slower; a cloud account accrues a slightly larger bill; a CI runner takes a bit longer. No single victim feels enough pain to investigate, and the sum of all that unfelt pain is the parasite's profit. This is the same asymmetry the series keeps finding under unglamorous failures — the deferred, diffuse, invisible cost that lets a bad practice run for years because no one's individual incentive is strong enough to stop it. Parasitic computing is that asymmetry weaponized deliberately: an attacker who understands that harm spread thin enough across enough hosts becomes, from any one host's perspective, not worth the cost of noticing.
The counterpoint: not every parasite is a thief
Honesty requires the distinction the word "parasitic" tends to erase, because the same mechanism has legitimate forms. Volunteer distributed-computing projects run computation on millions of machines whose owners consented — the difference between them and a botnet is not the technique but the permission. Content-delivery networks, ad-funded websites, and free tiers all involve one party's activity quietly consuming another's resources, by agreement. The line that separates useful resource-sharing from parasitism is consent and disclosure, not the underlying act of running computation on someone else's hardware. This matters because the defense cannot be "stop letting other people's activity use our systems" — that describes the entire internet. The defense has to target the specific asymmetry: computation extracted without consent, hidden inside legitimate interaction. Which is precisely the hard case, because by design it looks exactly like the legitimate version.
Why it matters more now
The reason to name parasitic computing in 2026 is that the AI era is manufacturing hosts faster than ever. Every AI agent with access to compute, every free inference tier, every automated pipeline that will run whatever it is told is a new surface for the oldest trick — arrange for a system's intended behavior to serve an unintended purpose, and let the cost fall on the owner. An AI agent tricked into doing an attacker's computation is a parasite in the 2001 sense, dressed in 2026 clothes; a free AI tier drained by automated abuse is Coinhive's logic applied to inference instead of mining. The lesson of the Notre Dame paper was never really about checksums. It was that any system which does useful work on request can be made to do someone else's work on request, invisibly, unless it is designed to care who is asking and what it is really being asked to do. That was a curiosity in 2001. It is a design constraint now — and the systems being built fastest are, too often, the ones building it in last.
This is article #76 in The IUBIRE Framework series. Parasitic Computing appears in the IUBIRE concept corpus (concept draft, files7/#81); unlike most entries in this series it does not map cleanly to a single verified source artifact, so it is grounded directly in the primary real-world literature. Real-world data: Barabási, Freeh, Jeong, and Brockman, "Parasitic computing," Nature (August 30, 2001), demonstrating computation via TCP-checksum manipulation to solve a 3-SAT problem on unwitting remote servers; the Coinhive browser-mining service (September 2017–March 2019), implicated in more than two-thirds of cryptojacking, mining Monero on visitors' devices via injected JavaScript; and the pattern's migration into cloud and CI-runner cryptojacking.
Next in series: Ambient Authority (#77)
Comments
Sign in to join the conversation.
No comments yet. Be the first to share your thoughts.