AWS is warning customers about an active cryptomining campaign that does not rely on software vulnerabilities or zero-day exploits. Attackers are breaking into cloud accounts using valid credentials and turning them into large-scale mining operations almost immediately.
The activity was identified by Amazon’s GuardDuty security team and has been ongoing since at least November 2. In multiple cases, cryptomining workloads were deployed less than ten minutes after the attacker gained access to an account.
This was not an AWS breach. Amazon states clearly that no infrastructure vulnerability was exploited. The attackers logged in using compromised Identity and Access Management (IAM) credentials belonging to real customer accounts.
This attack does not need exploits
Once an attacker has valid IAM credentials, the cloud perimeter collapses. Firewalls, patching, and network controls are irrelevant. The platform trusts the credentials. Everything else follows from that.
In this campaign, attackers first performed quick reconnaissance to confirm EC2 quotas and IAM permissions. They then immediately deployed cryptomining workloads across Amazon EC2 and Amazon ECS.
Your account becomes their mining rig
On Amazon ECS, the attackers registered task definitions pointing to a malicious Docker Hub image created in late October. That image had already accumulated more than 100,000 pulls before being removed.
Each task was configured with 16,384 CPU units and 32 gigabytes of memory, with multiple tasks running in parallel. On EC2, the attackers created launch templates and Auto Scaling groups designed to deploy dozens of virtual machines at once, with maximum capacity settings reaching into the hundreds.
The cost of this activity is billed to the compromised customer account. The attacker profits. The victim pays.
Cryptomining starts almost immediately
This campaign shows no interest in stealth or long-term access. Mining begins almost as soon as access is confirmed.
There is no attempt to blend in. The attacker spins up as much compute as the account will allow and starts extracting value immediately. Speed matters more than secrecy.
Persistence is built using legitimate features
To slow down response, the attackers enabled termination protection on the EC2 instances they launched. This prevents administrators from remotely terminating instances through standard API calls.
Responders must first disable the protection before shutting systems down. This adds friction, delays remediation, and extends the mining window.
This is not malware evasion. It is the abuse of normal cloud features.
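The sequence described above (reconnaissance, then oversized ECS task definitions, large Auto Scaling groups and termination protection, all within minutes) can be hunted for in CloudTrail. The following is an added example, not code from AWS or from the article: it groups CloudTrail-style records by access key and flags a key whose first reconnaissance call is followed within a short window by any of those provisioning actions. The sample records, the set of calls treated as reconnaissance and the threshold values are assumptions made for the example; the `requestParameters` field names mirror the API parameters but are constructed here, not copied from real logs.

```python
from datetime import datetime

def ev(time, source, name, key, params=None):
    """Build a minimal CloudTrail-style record (constructed sample, not a real log)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params or {}}

# Constructed sample: key 1 follows the campaign's pattern, key 2 is benign ECS usage.
SAMPLE = [
    ev("2025-11-02T10:00:05Z", "ec2.amazonaws.com", "DescribeAccountAttributes", "AKIAEXAMPLE1"),
    ev("2025-11-02T10:00:40Z", "ecs.amazonaws.com", "RegisterTaskDefinition", "AKIAEXAMPLE1",
       {"cpu": "16384", "memory": "32768"}),
    ev("2025-11-02T10:04:10Z", "autoscaling.amazonaws.com", "CreateAutoScalingGroup", "AKIAEXAMPLE1",
       {"maxSize": 200}),
    ev("2025-11-02T10:06:00Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", "AKIAEXAMPLE1",
       {"disableApiTermination": {"value": True}}),
    ev("2025-11-02T11:00:00Z", "ecs.amazonaws.com", "RegisterTaskDefinition", "AKIAEXAMPLE2",
       {"cpu": "512", "memory": "1024"}),
]

# Calls treated as the "quota and permission check" step (assumed list, extend as needed).
RECON = {"DescribeAccountAttributes", "GetAccountSummary", "GetCallerIdentity"}

def ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def suspicious(event):
    """Return a reason if one event matches a provisioning pattern from the campaign, else None."""
    p = event.get("requestParameters") or {}
    name = event["eventName"]
    if name == "RegisterTaskDefinition" and int(p.get("cpu", 0)) >= 16384:
        return "ECS task with >=16384 CPU units"
    if name == "CreateAutoScalingGroup" and int(p.get("maxSize", 0)) >= 100:
        return "ASG maxSize >= 100"
    if name == "ModifyInstanceAttribute" and (p.get("disableApiTermination") or {}).get("value"):
        return "termination protection enabled"
    return None

def find_bursts(events, window_minutes=10):
    """Per access key: if a recon call is followed within window_minutes by suspicious
    provisioning, report the key with the reasons. Returns {accessKeyId: [reasons]}."""
    by_key = {}
    for event in sorted(events, key=ts):
        by_key.setdefault(event["userIdentity"]["accessKeyId"], []).append(event)
    findings = {}
    for key, evs in by_key.items():
        t0 = next((ts(e) for e in evs if e["eventName"] in RECON), None)
        if t0 is None:
            continue  # no reconnaissance seen; not the pattern this rule hunts for
        reasons = [r for e in evs
                   if 0 <= (ts(e) - t0).total_seconds() <= window_minutes * 60
                   and (r := suspicious(e))]
        if reasons:
            findings[key] = reasons
    return findings
```

Run against real CloudTrail exports, the same function works on the list produced by `json.load(...)["Records"]`, since only `eventTime`, `eventName`, `userIdentity.accessKeyId` and `requestParameters` are read.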
Public images are part of the attack surface
The mining payload was delivered through a public Docker Hub image that bundled an SRBMiner-MULTI cryptominer and an automated startup script.
Amazon warns that although this specific image has been removed, similar images can be published easily under new names and accounts. Public registries are a supply chain. Attackers know they are trusted.
Why this keeps happening
Cloud platforms make it easy to provision massive compute resources quickly. That convenience is exactly what attackers exploit.
Credentials are leaked through exposed environment variables, misconfigured repositories, phishing attacks, and reused passwords. Once keys are stolen, attackers do not need exploits.
If an attacker can run miners, they can run anything else.
This is not a harmless nuisance
Cryptomining attacks exhaust service quotas, disrupt legitimate workloads, and generate massive and unexpected cloud bills.
They also demonstrate full account compromise. Treating them as minor incidents ignores the underlying failure.
The warning is simple. If someone steals your cloud credentials, they can turn your infrastructure into their revenue stream in minutes.
FAQ
How are attackers accessing AWS accounts?
They are using compromised IAM credentials rather than exploiting AWS vulnerabilities.
Did this involve a breach of AWS infrastructure?
No. Amazon states the attackers used valid customer credentials and did not exploit AWS systems.
How fast does cryptomining begin after access?
Amazon observed mining activity starting within ten minutes of initial access.
What services were abused in this campaign?
The attackers used Amazon EC2 and Amazon ECS to deploy large-scale cryptomining workloads.
Why is this attack dangerous beyond billing costs?
It demonstrates full account compromise and the ability to run arbitrary workloads.
