👤 BYTESHIELD
🗓️ 16 Dec 2025   🌍 North America

“Invisible Miners”: AWS Admin Credentials Hijacked in Sophisticated Cloud Crypto Heist

Attackers exploit advanced persistence tricks and IAM weaknesses to turn cloud giants into secret crypto farms.

It started with a whisper in the logs - then it became a roar. In early November 2025, Amazon’s security sensors tripped on a chilling discovery: an unknown adversary was hijacking powerful AWS admin credentials to spin up sprawling, hard-to-kill cryptocurrency mining operations, draining cloud resources and ducking detection with alarming skill.

The Anatomy of a Cloud Breach

The breach began when attackers got hold of privileged AWS Identity and Access Management (IAM) credentials - keys to the kingdom. With these, they conducted a rapid-fire survey of available resources, using the EC2 API’s “DryRun” flag to check which actions the stolen credentials were permitted to perform without actually executing them, so the reconnaissance produced no cost and no obvious resource changes. Within ten minutes, crypto miners were humming across Amazon’s Elastic Compute Cloud (EC2) and Elastic Container Service (ECS), exploiting every ounce of computational muscle available.

But this wasn’t just smash-and-grab. The attackers’ persistence techniques set this campaign apart. By using the “ModifyInstanceAttribute” action to enable “instance termination protection,” they locked down their mining operations, preventing standard deletion and frustrating both automated and manual incident response efforts. Victims had to jump through extra hoops just to regain control, buying the criminals more time to rake in digital profits.

The operation scaled with industrial ambition. Attackers created dozens of ECS clusters - sometimes more than 50 - and manipulated auto-scaling groups to balloon from 20 to nearly 1,000 EC2 instances, targeting everything from high-end GPU rigs to general compute nodes. Malicious Docker images, now removed from DockerHub, delivered the mining payloads. Lambda functions with broad permissions were set up, even granting access to Amazon’s Simple Email Service (SES) for potential phishing attacks.

This campaign demonstrates a deep understanding of AWS’s security mechanisms and common response playbooks. By weaving together privilege escalation, automated deployment, and anti-remediation tactics, the perpetrators maximized both profit and persistence - all while trying to stay one step ahead of cloud defenders.
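Two of the behaviours described above leave clear fingerprints in CloudTrail: a burst of DryRun permission probes by one principal, and a ModifyInstanceAttribute call that switches termination protection on. The following triage script is an added example written for this article, not code from Amazon or the report; the sample records are constructed, the account ID and ARNs are placeholders, and the requestParameters layout is assumed to match CloudTrail’s EC2 event format.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real telemetry). The
# requestParameters layout is assumed to follow CloudTrail's EC2 event format.
ADMIN = "arn:aws:iam::111122223333:user/admin"  # placeholder principal
OPS = "arn:aws:iam::111122223333:user/ops"      # placeholder principal
SAMPLE_RECORDS = [
    {"eventName": "RunInstances", "userIdentity": {"arn": ADMIN},
     "errorCode": "Client.DryRunOperation", "requestParameters": {"dryRun": True}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"arn": ADMIN},
     "errorCode": "Client.DryRunOperation", "requestParameters": {"dryRun": True}},
    {"eventName": "DescribeInstances", "userIdentity": {"arn": ADMIN},
     "errorCode": "Client.DryRunOperation", "requestParameters": {"dryRun": True}},
    {"eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"instanceId": "i-0abc123def456789",
                           "disableApiTermination": {"value": True}}},
    {"eventName": "DescribeInstances", "userIdentity": {"arn": OPS},
     "requestParameters": {}},
]

DRY_RUN_THRESHOLD = 3  # assumed tuning value; calibrate per account


def _actor(record):
    """Principal ARN of the caller, or 'unknown' if the record lacks one."""
    return record.get("userIdentity", {}).get("arn", "unknown")


def dry_run_probes(records, threshold=DRY_RUN_THRESHOLD):
    """Count DryRun probes per principal. EC2 records a dry run that would have
    succeeded with errorCode Client.DryRunOperation; many in a row from one
    principal is the permission survey described in the article."""
    counts = Counter(_actor(r) for r in records
                     if r.get("errorCode") == "Client.DryRunOperation")
    return {arn: n for arn, n in counts.items() if n >= threshold}


def termination_protection_enabled(records):
    """Return (principal, instanceId) for each ModifyInstanceAttribute call
    that sets disableApiTermination to true, i.e. enables termination
    protection and blocks a plain TerminateInstances during response."""
    hits = []
    for r in records:
        if r.get("eventName") != "ModifyInstanceAttribute":
            continue
        params = r.get("requestParameters", {})
        flag = params.get("disableApiTermination", {})
        if isinstance(flag, dict) and flag.get("value") is True:
            hits.append((_actor(r), params.get("instanceId")))
    return hits


def triage(records):
    """Combine both signals into one finding dict for a responder to review."""
    return {"dry_run_probes": dry_run_probes(records),
            "termination_protection": termination_protection_enabled(records)}
```

In a real account, feed this the JSON records from a CloudTrail export or an Athena query and alert when either list is non-empty for a principal that is not an expected automation role.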

Lessons for the Cloud Era

Amazon’s response is blunt: secure your credentials, use multi-factor authentication (MFA), minimize privileges, and constantly monitor for unusual activity. As cloud infrastructure grows more complex and lucrative, so too do the threats. Today’s attackers aren’t just after data - they’re after your compute power, and they’re willing to fight for every stolen cycle.

The incident is a stark reminder: in the cloud, invisible miners may be your most expensive guests.

WIKICROOK

  • IAM (Identity and Access Management): IAM is a system that manages and controls who can access specific digital resources, ensuring only authorized users have the right permissions.
  • EC2 (Elastic Compute Cloud): EC2 is Amazon’s cloud service that lets users run virtual computers to host websites, apps, and more, without managing physical servers.
  • ECS (Elastic Container Service): Amazon ECS is a managed AWS service for deploying, scaling, and securing Docker containers, supporting both serverless and EC2-based workloads.
  • DockerHub: DockerHub is an online platform for storing, sharing, and distributing Docker container images, enabling collaboration and secure management of containerized applications.
  • Multi-factor authentication (MFA): MFA requires a user to prove their identity with two or more independent factors - such as a password plus a hardware token or one-time code - so a stolen password or access key alone is not enough to sign in.