AWS systems targeted by crypto mining scam using hijacked IAM credentials

Attacks were up and running within minutes

News By Sead Fadilpašić published 17 December 2025

(Image credit: Shutterstock / nikkimeel) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• Attackers used stolen high‑privilege IAM credentials to rapidly deploy large‑scale cryptomining on EC2 and ECS
• They launched GPU‑heavy auto‑scaling groups, malicious Fargate containers, new IAM users, and protected instances from shutdown
• AWS urges strict IAM hygiene: MFA everywhere, temporary credentials, and least‑privilege access

Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, expert have warned.

The cloud giant warned about the ongoing campaign in a recent report, saying that it has since been addressed, but urged customers to be careful because attacks like these can easily reappear.

In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing across multiple AWS accounts. A subsequent investigation determined that the miscreants were not exploiting any known, or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use the access to deploy large-scale mining infrastructure into the cloud environment.

Strengthen your passwords

Amazon’s report states that most crypto miners were up and running within minutes of initial access. The attackers moved quickly to enumerate service quotas and permissions, and then launched dozens of ECS clusters and large EC2 auto scaling groups. In some cases, these were configured to grow swiftly, in order to maximize compute consumption.

The hackers approached the attack differently on ECS and EC2. On the former, they deployed malicious container images hosted on Docker Hub, that executed the miner on AWS Fargate.

On the latter, however, they created multiple launch templates and auto scaling groups that targeted high-performance GPU instances, as well as general-purpose compute instances.

Amazon also added the crooks used instance termination protection to prevent compromised endpoints from being easily shut down or remedied remotely.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors