Crypto Mining Campaigns Exploit AWS Vulnerabilities with IAM Credentials
Full Transcript
An ongoing campaign has been identified in which compromised AWS Identity and Access Management (IAM) credentials are used to run large-scale cryptocurrency mining on Amazon Web Services (AWS).
According to The Hacker News, the activity was first detected by Amazon GuardDuty on November 2, 2025. The attackers start from IAM user credentials that carry admin-like privileges and then apply a series of techniques to maintain persistence in the account.
They begin with a discovery phase, probing the account's resources and the permissions attached to the stolen credentials, before deploying mining workloads on Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) instances. Within roughly ten minutes of gaining access, the attackers launch mining using a malicious Docker Hub image that has since been taken down.
Notably, they create Auto Scaling groups with a minimum of 20 and a maximum of 999 instances, sized to consume as much capacity as the account's EC2 service quotas allow. Furthermore, the attackers call ModifyInstanceAttribute with disableApiTermination set to true, which enables termination protection on the mining instances: TerminateInstances then fails for those instances until a responder first clears the attribute (ModifyInstanceAttribute with disableApiTermination set to false, or `aws ec2 modify-instance-attribute --instance-id <id> --no-disable-api-termination`), adding a step to incident response and buying the miners time.
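As an added triage example (not code from the original report or from AWS), the following Python script runs the indicators described above over a handful of constructed CloudTrail-style records: ModifyInstanceAttribute calls that set disableApiTermination to true, Auto Scaling group create or update calls with an oversized maxSize, and principals that reach RunInstances within minutes of their first recorded API call. The record layout follows CloudTrail's JSON shape (eventTime, eventSource, eventName, userIdentity, requestParameters); the principal names, instance IDs, group names and timestamps are invented, and the 100-instance maxSize threshold and 600-second launch window are tunable assumptions, not figures from the report.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration only. The user names,
# instance IDs, group names and timestamps are invented; they are not from
# the reported campaign. Field names mirror CloudTrail's JSON layout.
SAMPLE_EVENTS = json.loads(r"""
[
  {"eventTime": "2025-11-02T10:00:00Z", "eventSource": "sts.amazonaws.com",
   "eventName": "GetCallerIdentity",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-admin"},
   "requestParameters": null},
  {"eventTime": "2025-11-02T10:01:10Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-admin"},
   "requestParameters": {}},
  {"eventTime": "2025-11-02T10:08:30Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "RunInstances",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-admin"},
   "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
  {"eventTime": "2025-11-02T10:09:00Z", "eventSource": "autoscaling.amazonaws.com",
   "eventName": "CreateAutoScalingGroup",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-admin"},
   "requestParameters": {"autoScalingGroupName": "asg-miner", "minSize": 20, "maxSize": 999}},
  {"eventTime": "2025-11-02T10:10:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "ModifyInstanceAttribute",
   "userIdentity": {"type": "IAMUser", "userName": "deploy-admin"},
   "requestParameters": {"instanceId": "i-0123456789abcdef0",
                         "disableApiTermination": {"value": true}}},
  {"eventTime": "2025-11-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "ModifyInstanceAttribute",
   "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
   "requestParameters": {"instanceId": "i-0fedcba9876543210",
                         "disableApiTermination": {"value": false}}},
  {"eventTime": "2025-11-02T11:05:00Z", "eventSource": "autoscaling.amazonaws.com",
   "eventName": "UpdateAutoScalingGroup",
   "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
   "requestParameters": {"autoScalingGroupName": "web-tier", "minSize": 2, "maxSize": 10}}
]
""")


def _principal(record):
    """Best-effort name for the caller: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _when(record):
    """Parse CloudTrail's UTC eventTime into an aware datetime."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def termination_protection_enabled(records):
    """ModifyInstanceAttribute calls that turn termination protection on.

    Each listed instance will reject TerminateInstances until the attribute is
    cleared again, so responders need this list before they can clean up.
    """
    hits = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "ModifyInstanceAttribute":
            continue
        params = r.get("requestParameters") or {}
        attr = params.get("disableApiTermination")
        if isinstance(attr, dict) and attr.get("value") is True:
            hits.append({"instanceId": params.get("instanceId"),
                         "principal": _principal(r), "eventTime": r["eventTime"]})
    return hits


def oversized_asgs(records, max_size_threshold=100):
    """Auto Scaling group create/update calls whose maxSize is at or above the threshold.

    The threshold is an assumption for this example; tune it to what the
    account's legitimate workloads actually use.
    """
    hits = []
    for r in records:
        if r.get("eventSource") != "autoscaling.amazonaws.com":
            continue
        if r.get("eventName") not in ("CreateAutoScalingGroup", "UpdateAutoScalingGroup"):
            continue
        params = r.get("requestParameters") or {}
        max_size = params.get("maxSize")
        if isinstance(max_size, int) and max_size >= max_size_threshold:
            hits.append({"autoScalingGroupName": params.get("autoScalingGroupName"),
                         "maxSize": max_size, "eventName": r["eventName"],
                         "principal": _principal(r), "eventTime": r["eventTime"]})
    return hits


def seconds_to_first_launch(records):
    """Per principal: seconds from its first recorded call to its first RunInstances.

    Principals that never call RunInstances are omitted.
    """
    first_seen, first_launch = {}, {}
    for r in sorted(records, key=_when):
        p = _principal(r)
        first_seen.setdefault(p, _when(r))
        if r.get("eventName") == "RunInstances" and p not in first_launch:
            first_launch[p] = _when(r)
    return {p: (first_launch[p] - first_seen[p]).total_seconds() for p in first_launch}


def triage(records, launch_window_seconds=600, max_size_threshold=100):
    """Combine the three indicators into one report for a responder."""
    fast = {p: s for p, s in seconds_to_first_launch(records).items() if s <= launch_window_seconds}
    return {"termination_protection": termination_protection_enabled(records),
            "oversized_asgs": oversized_asgs(records, max_size_threshold),
            "fast_launchers": fast}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

In practice the records would come from a CloudTrail Lake query, an Athena table over the trail's S3 bucket, or the EventBridge stream rather than an inline list. For every instance the first function reports, clean-up is two calls, not one: clear the attribute with `aws ec2 modify-instance-attribute --instance-id <id> --no-disable-api-termination`, then `aws ec2 terminate-instances`; and set the offending Auto Scaling group's min, max and desired size to zero first, or it will simply replace the instances you terminate.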
Amazon is urging AWS customers to tighten IAM controls (least-privilege policies and no long-lived admin-like user keys), enforce multi-factor authentication, and alert on unusual compute allocation, such as sudden large RunInstances or Auto Scaling activity. The campaign marks a troubling evolution in crypto mining tradecraft, reflecting the attackers' familiarity with AWS controls and with how responders typically try to shut such activity down.