Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign

These articles are AI-generated summaries. Please check the original sources for full details.

A new crypto mining campaign is exploiting compromised AWS IAM credentials to rapidly deploy miners across ECS and EC2 instances, demonstrating sophisticated persistence techniques. The campaign was first detected on November 2, 2025, by Amazon’s GuardDuty service and involved the deployment of malicious Docker images for cryptocurrency mining.

Cloud environments offer scalability, but in practice they remain exposed to insider threats and credential compromise in ways that idealized “zero trust” models do not account for. The potential damage from such campaigns is significant: a compromised AWS account can incur substantial compute costs and disrupt services for legitimate users, with potential losses reaching millions of dollars.

Key Insights

  • IAM Credential Compromise: The attack hinges on obtaining valid, often admin-level, IAM credentials.
  • DryRun API Calls: Attackers utilize the DryRun flag in API calls to validate permissions without incurring costs during reconnaissance.
  • Instance Termination Protection: The use of ModifyInstanceAttribute with disableApiTermination=True hinders incident response and remediation efforts, a technique previously demonstrated in April 2024 by Harsha Koushik.
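The two API-level behaviours listed above are visible in CloudTrail, so a defender can flag them directly. The following detector is an added example written for this page, not code from the source article or from AWS; it runs over constructed CloudTrail-style records and assumes that ModifyInstanceAttribute logs disableApiTermination as {"value": true} and that a DryRun call that would have succeeded is logged with errorCode "Client.DryRunOperation". The principal ARN and instance ID are placeholders.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real log data). Assumed shapes:
# ModifyInstanceAttribute carries disableApiTermination as {"value": true},
# and a DryRun probe that would have succeeded is logged with errorCode
# "Client.DryRunOperation" instead of a normal response.
ACTOR = "arn:aws:iam::111122223333:user/ci-deploy"  # placeholder principal
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "userIdentity": {"arn": ACTOR},
     "errorCode": "Client.DryRunOperation", "requestParameters": {}},
    {"eventName": "RunInstances", "userIdentity": {"arn": ACTOR},
     "errorCode": "Client.DryRunOperation", "requestParameters": {}},
    {"eventName": "DescribeImages", "userIdentity": {"arn": ACTOR},
     "errorCode": "Client.DryRunOperation", "requestParameters": {}},
    {"eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/reader"},
     "requestParameters": {}},
]

def is_termination_lock(event):
    """True when the call turns on EC2 termination protection."""
    if event.get("eventName") != "ModifyInstanceAttribute":
        return False
    params = event.get("requestParameters") or {}
    attr = params.get("disableApiTermination") or {}
    return bool(attr.get("value"))

def is_dry_run_probe(event):
    """True for a permission check made with the DryRun flag."""
    return event.get("errorCode") == "Client.DryRunOperation"

def analyze(events, dry_run_threshold=3):
    """Return (finding, actor, detail) tuples for the two behaviours."""
    findings, probes = [], Counter()
    for event in events:
        actor = (event.get("userIdentity") or {}).get("arn", "unknown")
        if is_termination_lock(event):
            instance = event["requestParameters"].get("instanceId")
            findings.append(("termination-protection-enabled", actor, instance))
        if is_dry_run_probe(event):
            probes[actor] += 1
    # Several DryRun probes from one principal look like permission mapping.
    for actor, count in probes.items():
        if count >= dry_run_threshold:
            findings.append(("dry-run-recon", actor, count))
    return findings
```

Calling analyze(SAMPLE_EVENTS) returns one finding for the termination-protection change and one for the three DryRun probes from the same principal; the threshold is a tunable assumption, not a value from the article.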

Practical Applications

  • Use Case: Attackers target AWS environments with compromised credentials to maximize crypto mining profits by leveraging large-scale compute resources.
  • Pitfall: Relying solely on perimeter security without robust IAM policies and monitoring can lead to widespread compromise and significant financial losses.
