Cybersecurity Threats in Cryptocurrency: IAM Credentials and Rogue Packages

Published: December 17, 2025
Category: Hot Technology Sectors

Full Transcript

An ongoing campaign has been detected that targets Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials for cryptocurrency mining operations. According to The Hacker News, this activity was first identified by Amazon's GuardDuty service on November 2, 2025.

The threat actor is employing advanced persistence techniques, enabling crypto mining to begin within ten minutes of gaining access. They quickly create multiple ECS clusters and deploy crypto miners using a malicious DockerHub image designed to exploit AWS resources while evading incident response efforts.
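A defender-side check for the behaviour described above, as an added example that is not part of the original transcript: it scans CloudTrail-style records for a single access key creating several ECS clusters inside a ten-minute window. The sample events, key IDs, cluster names, the `ev` helper and the threshold of three are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: mirrors the ten-minute figure in the text
THRESHOLD = 3                   # assumption: "multiple" clusters read as three or more

def ev(time, key, name, source="ecs.amazonaws.com", event="CreateCluster"):
    """Build a constructed CloudTrail-style record (hypothetical helper)."""
    return {"eventTime": time, "eventSource": source, "eventName": event,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"clusterName": name}}

# Constructed sample data, not real logs; key IDs are placeholders.
SAMPLE_EVENTS = [
    ev("2025-01-01T10:00:05Z", "AKIAEXAMPLEKEY0001", "c-1"),
    ev("2025-01-01T10:02:11Z", "AKIAEXAMPLEKEY0001", "c-2"),
    ev("2025-01-01T10:06:40Z", "AKIAEXAMPLEKEY0001", "c-3"),
    ev("2025-01-01T09:00:00Z", "AKIAEXAMPLEKEY0002", "build"),
    ev("2025-01-01T09:40:00Z", "AKIAEXAMPLEKEY0002", "staging"),
    ev("2025-01-01T10:30:00Z", "AKIAEXAMPLEKEY0002", "prod"),
    ev("2025-01-01T10:01:00Z", "AKIAEXAMPLEKEY0001", "n/a",
       source="s3.amazonaws.com", event="CreateBucket"),
]

def find_cluster_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {access_key_id: [cluster names]} for keys that made at least
    `threshold` successful ECS CreateCluster calls within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventSource") != "ecs.amazonaws.com" or e.get("eventName") != "CreateCluster":
            continue
        if e.get("errorCode"):  # failed calls created nothing
            continue
        key = (e.get("userIdentity") or {}).get("accessKeyId", "unknown")
        name = (e.get("requestParameters") or {}).get("clusterName", "?")
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[key].append((when, name))
    flagged = {}
    for key, calls in by_key.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):  # sliding window over sorted call times
            while calls[end][0] - calls[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = [n for _, n in calls[start:end + 1]]
                break
    return flagged
```

The second key creates three clusters too, but spread over ninety minutes, so only the first key is flagged.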

Additionally, a rogue NuGet package, 'Tracer.Fody.NLog', has been discovered that masquerades as a legitimate library while stealing cryptocurrency wallet data. This malicious package, identified by Socket security researchers, has been available for nearly six years and has been downloaded over 2,000 times.

It stealthily exfiltrates wallet data to a Russian IP address by scanning user directories for wallet files. The combination of IAM credential compromise and rogue packages highlights significant cybersecurity threats within the cryptocurrency ecosystem, emphasizing the need for robust security measures in these environments.
