Crypto crooks co-opt stolen AWS creds to mine coins

'Within 10 minutes of gaining initial access, crypto miners were operational'

by · The Register

Your AWS account could be quietly running someone else's cryptominer. Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and their Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2.

The illicit cryptocurrency-mining campaign abuses compromised valid AWS Identity and Access Management (IAM) credentials with "admin-like privileges" - it doesn't exploit a vulnerability - and then uses this access to deploy SBRMiner-MULTI on ECS and EC2, Amazon security engineer Kyle Koeller said in a blog this week.

"Within 10 minutes of the threat actor gaining initial access, crypto miners were operational," Koeller wrote.

Amazon's GuardDuty threat detection service spotted the cryptomining operation in a handful of customer accounts and alerted customers, we're told. 

After the crooks obtained the compromised AWS credentials, they checked EC2 service quotas to see how many instances they could launch, and tested their credential permissions by calling the RunInstances API multiple times with the DryRun flag enabled. This allowed them to ensure the credentials had sufficient privileges to proceed with their illicit mining, while not yet incurring compute charges and risking detection.

They also created "dozens" of ECS clusters to enable their illegal activities, sometimes exceeding 50 in a single attack, and used auto scaling groups in EC2 to maximize service quotas and resource consumption.

To make disruption more difficult - and thus allow the criminals to collect more cryptocurrency from stolen resources - they called ModifyInstanceAttribute with the disableApiTermination attribute set to true for persistence. This blocks termination of the instances used for mining and forces victims to take an extra step, re-enabling API termination, before they can delete the affected resources.

"The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents an advancement in crypto mining persistence methodologies that security teams should be aware of," Koeller wrote.

After deploying miners, the miscreants created an AWS Lambda function configured with no authentication and exposed it via a public Lambda Function URL, allowing them to maintain persistent access to the victims’ environments.
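The sequence described above (repeated DryRun permission probing, a burst of ECS cluster creation, termination protection switched on, and a Lambda Function URL with no authentication) is what a defender would hunt for in CloudTrail. The following is an added example, not Amazon's or GuardDuty's detection logic; the sample records are constructed, and the field names it keys on (`requestParameters.dryRun`, the `Client.DryRunOperation` error code, `disableApiTermination.value`, `authType`) are assumed from the CloudTrail record layout rather than taken from the article.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (not real logs). Field names are an
# assumption about the CloudTrail record layout; adjust to your own exports.
SAMPLE_LOG = """
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"dryRun":true},"errorCode":"Client.DryRunOperation"}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"dryRun":true},"errorCode":"Client.DryRunOperation"}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"dryRun":true},"errorCode":"Client.DryRunOperation"}
{"eventSource":"ecs.amazonaws.com","eventName":"CreateCluster","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"clusterName":"c1"}}
{"eventSource":"ecs.amazonaws.com","eventName":"CreateCluster","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"clusterName":"c2"}}
{"eventSource":"ecs.amazonaws.com","eventName":"CreateCluster","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"clusterName":"c3"}}
{"eventSource":"ec2.amazonaws.com","eventName":"ModifyInstanceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"instanceId":"i-0abc","disableApiTermination":{"value":true}}}
{"eventSource":"lambda.amazonaws.com","eventName":"CreateFunctionUrlConfig20211014","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-key"},"requestParameters":{"functionName":"fn-1","authType":"NONE"}}
{"eventSource":"ec2.amazonaws.com","eventName":"ModifyInstanceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/admin"},"requestParameters":{"instanceId":"i-0def","disableApiTermination":{"value":false}}}
"""


def hunt(log_text, dryrun_threshold=3, cluster_threshold=10):
    """Return sorted (rule, principal_arn) findings for the behaviours above.

    Thresholds are tunable; the article reports dozens of clusters per attack,
    so the cluster default is deliberately conservative for a real environment.
    """
    dry_runs, clusters, findings = Counter(), Counter(), []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        who = ev["userIdentity"]["arn"]
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        if name == "RunInstances" and (params.get("dryRun")
                                      or ev.get("errorCode") == "Client.DryRunOperation"):
            dry_runs[who] += 1  # permission probing without launching anything
        elif ev["eventSource"] == "ecs.amazonaws.com" and name == "CreateCluster":
            clusters[who] += 1  # burst of clusters to soak up quota
        elif name == "ModifyInstanceAttribute" and params.get("disableApiTermination", {}).get("value"):
            findings.append(("termination-protection-enabled", who))
        elif name.startswith("CreateFunctionUrlConfig") and params.get("authType") == "NONE":
            findings.append(("public-lambda-url-no-auth", who))
    findings += [("repeated-dryrun-probing", w) for w, n in dry_runs.items() if n >= dryrun_threshold]
    findings += [("ecs-cluster-burst", w) for w, n in clusters.items() if n >= cluster_threshold]
    return sorted(findings)


if __name__ == "__main__":
    for rule, principal in hunt(SAMPLE_LOG, cluster_threshold=3):
        print(f"{rule:32s} {principal}")
```

Termination protection set by a legitimate administrator will also trigger the third rule, so correlate it with the DryRun and cluster signals from the same principal rather than alerting on it alone.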

To prevent becoming a victim of cryptomining abuse, Amazon recommends strong identity and access management controls, as well as temporary credentials instead of long-term access keys. As always, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM. ®