Cryptocurrency Miners Abusing AWS Accounts to Hijack Resources

December 30, 2025

Recently, a stealthy cryptomining operation has been identified exploiting stolen AWS credentials to run malicious miners on customers' cloud infrastructure. The campaign, which began on November 2, leverages AWS services such as Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) to secretly mine cryptocurrencies, causing potential financial and security risks for unsuspecting users.

How the Attack Unfolds

The threat actors gain access using legitimate AWS Identity and Access Management (IAM) credentials that have "admin-like privileges." These credentials are often stolen or compromised but do not involve exploiting a specific vulnerability. Once inside, the criminals deploy a mining malware called SBRMiner-MULTI on ECS and EC2 instances.

According to Amazon security engineer Kyle Koeller, "Within 10 minutes of initial access, crypto miners were operational," highlighting the rapid deployment of malicious activities.

Detection and Investigation

Amazon's GuardDuty threat detection service monitored unusual behaviors across multiple customer accounts and promptly alerted users. The attackers checked EC2 service quotas to determine the maximum number of instances they could launch and tested the permissions of their credentials by calling the `RunInstances` API with the `DryRun` flag. This allowed them to verify permissions without incurring charges or raising immediate suspicion.

They also created dozens of ECS clusters—sometimes exceeding fifty in a single attack—and utilized EC2 auto-scaling groups to optimize resource consumption and maximize mining output.
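The reconnaissance-then-deploy sequence described above (quota checks, a `DryRun` `RunInstances` probe, then a burst of ECS cluster creation) can be flagged from CloudTrail. The following is an added detection example, not Amazon's or GuardDuty's code; the event records are constructed to match CloudTrail's shape, the access key IDs are placeholders, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

def ev(key, source, name, minute, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample, not a real log)."""
    rec = {"eventTime": f"2025-11-02T10:{minute:02d}:00Z", "eventSource": source,
           "eventName": name, "userIdentity": {"accessKeyId": key}}
    if error:
        rec["errorCode"] = error  # a DryRun RunInstances is logged as a DryRunOperation error
    return rec

# Constructed sample: key 1 follows the recon-then-deploy sequence, key 2 is routine admin use.
SAMPLE_EVENTS = [
    ev("AKIA_CONSTRUCTED_1", "servicequotas.amazonaws.com", "GetServiceQuota", 0),
    ev("AKIA_CONSTRUCTED_1", "ec2.amazonaws.com", "RunInstances", 1, "Client.DryRunOperation"),
    ev("AKIA_CONSTRUCTED_1", "ecs.amazonaws.com", "CreateCluster", 3),
    ev("AKIA_CONSTRUCTED_1", "ecs.amazonaws.com", "CreateCluster", 3),
    ev("AKIA_CONSTRUCTED_1", "ecs.amazonaws.com", "CreateCluster", 4),
    ev("AKIA_CONSTRUCTED_1", "autoscaling.amazonaws.com", "CreateAutoScalingGroup", 6),
    ev("AKIA_CONSTRUCTED_2", "ec2.amazonaws.com", "DescribeInstances", 2),
    ev("AKIA_CONSTRUCTED_2", "ecs.amazonaws.com", "CreateCluster", 5),
]

QUOTA_CALLS = {"GetServiceQuota", "ListServiceQuotas"}

def find_suspicious_keys(events, cluster_threshold=3, min_indicators=2):
    """Group events by access key and return {key: [indicators]} for keys whose activity
    shows at least min_indicators of the campaign's traits. Thresholds are assumptions."""
    by_key = defaultdict(list)
    for rec in events:
        by_key[rec["userIdentity"].get("accessKeyId", "unknown")].append(rec)
    findings = {}
    for key, recs in by_key.items():
        calls = Counter((r["eventSource"], r["eventName"]) for r in recs)
        indicators = []
        if any(calls[("servicequotas.amazonaws.com", n)] for n in QUOTA_CALLS):
            indicators.append("quota_enumeration")
        if any(r["eventName"] == "RunInstances" and r.get("errorCode") == "Client.DryRunOperation"
               for r in recs):
            indicators.append("dryrun_permission_probe")
        n_clusters = calls[("ecs.amazonaws.com", "CreateCluster")]
        if n_clusters >= cluster_threshold:
            indicators.append(f"ecs_cluster_burst:{n_clusters}")
        if calls[("autoscaling.amazonaws.com", "CreateAutoScalingGroup")]:
            indicators.append("autoscaling_group_created")
        if len(indicators) >= min_indicators:
            findings[key] = indicators
    return findings
```

Run against a real CloudTrail export, the same function would also surface a single key that only probes and creates clusters, since two indicators are enough to trigger a finding.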

Techniques for Persistence

To evade detection and maintain access, the attackers employed several persistence techniques:

Implications for Cloud Security

This operation demonstrates the increasing sophistication of cryptomining campaigns, especially as they chain multiple compute services together and adopt new persistence strategies. Security teams need to be vigilant about potential abuse even when no vulnerability is exploited: often the weakest link is misconfigured or poorly secured access credentials.

Recommendations for Prevention

Amazon suggests best practices to mitigate such threats:

By adopting these measures, organizations can better safeguard their AWS environments against unauthorized cryptomining activities and other malicious exploits.

