Introduction
In late 2025, cloud security researchers uncovered a large‑scale cryptomining campaign abusing compromised AWS Identity and Access Management (IAM) credentials. Instead of exploiting software vulnerabilities, attackers leveraged legitimate cloud APIs to quietly deploy massive cryptomining infrastructure — leaving victims with crippling cloud bills and weakened security posture.
This blog breaks down how the attack works, why it’s effective, and what organizations can do to defend themselves.
How the Attack Begins: Stolen IAM Credentials
The campaign starts with attackers gaining access to exposed or stolen IAM credentials. These credentials are often leaked through:
- Public GitHub repositories
- Misconfigured CI/CD pipelines
- Phishing attacks
- Insecure local storage on developer machines
Once obtained, the credentials provide direct API‑level access to AWS accounts — no malware required.
Reconnaissance Using Legitimate AWS APIs

Attackers first assess what they can do using the RunInstances API with the DryRun flag. This allows them to check permissions without actually launching resources, helping them avoid early detection.
They identify:
- Which instance types are allowed
- Service limits and quotas
- Regions where workloads can be launched
This step enables precise, automated deployment later.
Establishing Persistence in the Cloud
After confirming permissions, attackers create:
- New IAM roles for Auto Scaling and Lambda
- Lambda functions callable by any principal
- Broad permission policies including SES access
These roles ensure the attackers can re‑deploy workloads even if some resources are removed.
Deploying the Cryptomining Infrastructure

The attackers then deploy cryptominers using:
- Amazon ECS clusters
- Malicious Docker images
- Fargate and EC2 compute resources
They rapidly scale across dozens of instances — including GPU and ML‑optimized machines — to maximize mining output using algorithms such as RandomVIREL.
Anti‑Forensics and Defense Evasion
One of the most damaging tactics used is setting:
disableApiTermination = true
This prevents security teams from easily terminating compromised EC2 instances. Incident responders must manually change instance attributes before cleanup — buying attackers more time to mine cryptocurrency.
Impact on Victims
Financial Damage
- Sudden spikes in AWS bills
- High‑cost GPU and compute usage
Operational Risk
- Resource exhaustion
- Degraded performance of legitimate services
Security Exposure
- Potential phishing via SES
- Future lateral movement using Lambda
Why Cloud Cryptomining Is Hard to Detect
Unlike traditional malware:
- No malicious binaries are dropped on endpoints
- All actions use valid AWS APIs
- Activity blends in with normal cloud operations
Without proper monitoring, attacks can persist for weeks.
How to Defend Against IAM‑Based Cryptomining

Best Practices
- Enforce least privilege IAM policies
- Enable multi‑factor authentication (MFA)
- Rotate and audit credentials regularly
- Use temporary credentials (STS)
Monitoring & Detection
- Enable AWS GuardDuty
- Monitor CloudTrail logs for unusual API activity
- Alert on sudden scaling events
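As an added example (not from the original post or from any vendor's detection rules), the following Python sketch shows what "monitor CloudTrail logs for unusual API activity" looks like for this specific campaign: it runs four rules over constructed CloudTrail-style records covering the DryRun permission probing, the Lambda permission open to any principal, the ECS deployment, and the disableApiTermination anti-forensics step described above. The account ID, ARNs, function name and instance ID are placeholders; the event field names follow CloudTrail's schema.

```python
# Constructed CloudTrail-style records (not real logs); fields follow CloudTrail's schema, ARNs are placeholders.
ACTOR = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceType": t}}
    for t in ("p3.8xlarge", "g4dn.12xlarge", "c5.24xlarge")
] + [
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"functionName": "helper", "principal": "*"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"count": 40}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {
         "instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # benign
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
]

def classify(event):
    """Return the rule names one CloudTrail record triggers (empty if benign)."""
    name, source = event.get("eventName"), event.get("eventSource")
    params = event.get("requestParameters") or {}
    hits = []
    if name == "RunInstances" and event.get("errorCode") == "Client.DryRunOperation":
        hits.append("dryrun_probe")  # call rejected only because DryRun was set
    if source == "lambda.amazonaws.com" and name == "AddPermission" \
            and params.get("principal") == "*":
        hits.append("lambda_invokable_by_anyone")  # resource policy open to all
    if source == "ecs.amazonaws.com" and name in ("CreateCluster", "RunTask"):
        hits.append("ecs_deploy")
    if name == "ModifyInstanceAttribute" \
            and (params.get("disableApiTermination") or {}).get("value") is True:
        hits.append("termination_protection_enabled")  # the anti-forensics step
    return hits

def scan(events, dryrun_threshold=3):
    """Group hits per principal; a burst of DryRun probes is escalated as recon."""
    per_actor = {}
    for ev in events:
        per_actor.setdefault(ev.get("userIdentity", {}).get("arn", "unknown"), []).extend(classify(ev))
    report = {}
    for actor, hits in per_actor.items():
        findings = set(hits)
        if hits.count("dryrun_probe") >= dryrun_threshold:
            findings.add("recon_burst")
        if findings:
            report[actor] = sorted(findings)
    return report
```

Running scan(SAMPLE_EVENTS) reports all five findings for the placeholder user and nothing for the role that only called DescribeInstances; in practice the same rules would be fed from a CloudTrail Lake query or an S3 log export rather than an inline list.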
Container Security
- Scan container images before deployment
- Restrict public Docker image usage
Final Thoughts
This campaign highlights a critical reality of cloud security: credentials are the new perimeter. Attackers no longer need exploits when they can simply log in.
Organizations must treat IAM security, monitoring, and automation as first‑class defenses to prevent cryptomining abuse and protect cloud environments at scale.
This article is an original analysis inspired by publicly reported cloud security research and industry threat intelligence.