Amazon GuardDuty security engineers detected a coordinated cryptocurrency mining campaign on November 2, 2025, that leveraged compromised AWS Identity and Access Management credentials to deploy miners across Amazon EC2 and Amazon Elastic Container Service infrastructure. The attack, uncovered through GuardDuty Extended Threat Detection, represents a significant evolution in cloud-based cryptojacking persistence techniques and serves as a stark reminder for cryptocurrency users and platforms that rely on cloud infrastructure.
The Exploit Mechanics
The campaign began when attackers obtained IAM user credentials with administrative-level privileges. Within minutes of gaining access, the threat actor systematically enumerated EC2 service quotas and IAM permissions to understand the full scope of resources available for exploitation. The attackers used a DryRun parameter test on the EC2 RunInstances API to confirm permissions without actually creating resources, a technique designed to minimize forensic footprints while validating the attack surface.
Once permissions were confirmed, deployment was remarkably fast. Amazon reported that cryptocurrency miners were operational within 10 minutes of initial access. The attacker deployed a malicious Docker image hosted on Docker Hub under the name yenik65958/secret, which had accumulated over 100,000 pulls before being taken down. This image contained an SBRMiner-MULTI binary configured to execute mining operations using the RandomVIREL algorithm.
The threat actor operated from an external hosting provider and used the AWS SDK for Python, known as Boto3, to automate the entire attack chain. Mining traffic was routed through domains including asia.rplant.xyz, eu.rplant.xyz, and na.rplant.xyz, indicating a globally distributed mining infrastructure.
Affected Systems
The attack targeted multiple AWS compute services simultaneously. In some cases, the attacker created more than 50 ECS clusters within a single AWS account, each configured with task definitions pointing to the malicious Docker image. AWS Fargate was configured to automatically launch mining workloads as soon as clusters were created.
The campaign also exploited EC2 autoscaling groups with aggressive scaling policies. Some groups were configured to scale from a minimum of 20 instances up to a maximum of 999, deliberately pushing EC2 service quotas to their limits. The attackers targeted a broad spectrum of instance types, including GPU-enabled and machine learning instances, compute-optimized, memory-optimized, and general-purpose instances.
Auto scaling groups followed specific naming conventions: SPOT-us-east-1-G for spot instances and OD-us-east-1-G for on-demand instances, where G indicated the group number. This systematic approach suggests a well-organized operation with pre-built automation tooling.
The Mitigation Strategy
Amazon GuardDuty identified the malicious activity through a combination of EC2 domain and IP threat intelligence, anomaly detection, and Extended Threat Detection attack-sequence correlation. The system raised a critical-severity AttackSequence finding that categorized the activity as EC2/CompromisedInstanceGroup.
AWS has shared relevant findings and mitigation guidance with affected customers. Security teams are advised to monitor for the specific Docker image, automation patterns using Boto3 user agents, and connections to the identified mining domains. Organizations should implement least-privilege IAM policies, enable GuardDuty across all regions, and configure automated remediation workflows that can detect and respond to similar campaigns.
Lessons Learned
This campaign highlights several critical security principles for organizations operating in the cryptocurrency and cloud computing space. First, the speed of deployment — miners operational within 10 minutes — demonstrates that attackers have pre-built, highly automated toolchains ready to exploit compromised credentials immediately. Second, the novel use of EC2 termination protection as a persistence mechanism shows that attackers are becoming more sophisticated in disrupting incident response efforts.
The attack also underscores the importance of credential hygiene. The compromised IAM credentials possessed admin-like privileges, far exceeding what was necessary for legitimate operations. Organizations should regularly audit IAM policies, implement credential rotation, and use temporary security credentials wherever possible. With Bitcoin trading above $110,000, the financial incentive for cryptojacking attacks remains extremely high.
User Action Required
Security teams managing cloud infrastructure should immediately review their IAM credential policies, check for unauthorized EC2 instances and ECS clusters, and verify that termination protection has not been enabled on unexpected resources. Organizations running cryptocurrency platforms on AWS should implement additional monitoring for unusual compute spending patterns and ensure that billing alerts are configured to detect sudden resource consumption spikes.
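As an added example (not code from the article or from AWS), the following CloudTrail triage routine flags the patterns the article says to monitor and audit for: the DryRun permission probe on RunInstances, Boto3 user agents, task definitions pointing at the yenik65958/secret image, the SPOT-/OD- Auto Scaling group naming with a 999 maximum, and termination protection being enabled, and it raises a sequence flag when a probe is followed by deployment within 10 minutes. The records are constructed samples in CloudTrail's JSON shape; the field names (requestParameters.dryRun, disableApiTermination.value, errorCode Client.DryRunOperation) are assumed from the CloudTrail record format.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the article; the records below are constructed samples.
MALICIOUS_IMAGE = "yenik65958/secret"
ASG_NAME_RE = re.compile(r"^(SPOT|OD)-[a-z]{2}-[a-z]+-\d-\d+$")  # SPOT-us-east-1-G / OD-us-east-1-G
PROBE_WINDOW = timedelta(minutes=10)  # article: miners were live within 10 minutes of access

SAMPLE_EVENTS = [  # constructed CloudTrail-style records (field names assumed from the record format)
    {"eventTime": "2025-11-02T10:00:00Z", "eventName": "RunInstances", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
     "errorCode": "Client.DryRunOperation", "requestParameters": {"dryRun": True}},
    {"eventTime": "2025-11-02T10:03:00Z", "eventName": "RegisterTaskDefinition", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
     "requestParameters": {"containerDefinitions": [{"image": "yenik65958/secret:latest"}]}},
    {"eventTime": "2025-11-02T10:04:00Z", "eventName": "CreateAutoScalingGroup", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
     "requestParameters": {"autoScalingGroupName": "SPOT-us-east-1-7", "minSize": 20, "maxSize": 999}},
    {"eventTime": "2025-11-02T10:05:00Z", "eventName": "ModifyInstanceAttribute", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
     "requestParameters": {"instanceId": "i-0123", "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T12:00:00Z", "eventName": "DescribeInstances", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {}},
]

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def classify(ev):
    """Return the names of the rules a single CloudTrail event matches."""
    p = ev.get("requestParameters") or {}
    hits = []
    if ev["eventName"] == "RunInstances" and (p.get("dryRun") or ev.get("errorCode") == "Client.DryRunOperation"):
        hits.append("dryrun_probe")            # permission check without creating resources
    if ev["eventName"] == "RegisterTaskDefinition" and any(
            MALICIOUS_IMAGE in c.get("image", "") for c in p.get("containerDefinitions", [])):
        hits.append("malicious_image")         # ECS task definition pulls the known miner image
    if ev["eventName"] == "CreateAutoScalingGroup" and (
            p.get("maxSize", 0) >= 999 or ASG_NAME_RE.match(p.get("autoScalingGroupName", ""))):
        hits.append("aggressive_asg")          # quota-exhausting size or the campaign's naming scheme
    if ev["eventName"] == "ModifyInstanceAttribute" and (p.get("disableApiTermination") or {}).get("value"):
        hits.append("termination_protection")  # persistence: blocks straightforward instance termination
    if hits and ev.get("userAgent", "").startswith("Boto3/"):
        hits.append("boto3_automation")        # suspicious activity driven by the Python SDK
    return hits

def triage(events):
    """Per-event hits, plus True when a DryRun probe is followed by deployment within PROBE_WINDOW."""
    events = sorted(events, key=_ts)
    findings = [(ev["eventName"], classify(ev)) for ev in events]
    probes = [_ts(ev) for ev, (_, h) in zip(events, findings) if "dryrun_probe" in h]
    deploy = {"malicious_image", "aggressive_asg", "termination_protection"}
    sequence = any(deploy & set(h) and any(timedelta(0) <= _ts(ev) - t <= PROBE_WINDOW for t in probes)
                   for ev, (_, h) in zip(events, findings))
    return findings, sequence
```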
The campaign serves as a reminder that in the current market environment, with Bitcoin at approximately $110,639 and Ethereum around $3,911, the economic incentives for cryptojacking attacks will only intensify. Proactive security measures are not optional — they are essential for protecting both infrastructure costs and operational integrity.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.
This is exactly why least-privileged access isn’t just a suggestion anymore. If your IAM credentials are leaked, it’s game over for your cloud budget. Seeing these cryptojacking groups pivot to more “sophisticated” methods shows they’re getting smarter about staying under the radar. Time to double-check those MFA settings and rotation policies, folks.
Miners operational within 10 minutes of access. That blast radius is terrifying. Kubernetes RBAC alone can't stop a root IAM key leak.
Completely agree. And the scary part is these attacks are getting more sophisticated every quarter. The six-month lead times show real operational security tradecraft.
Man, the lengths people go to for some hash power is wild. Using AWS infrastructure to mine is basically getting the cloud provider to pay for your crypto, lol. It’s scary how one small mistake with credentials can lead to such a massive headache. Stay safe out there and keep those keys locked up tight!
Bridge security is fundamentally different from single-chain security. The attack surface multiplies with every new connection, and most teams don't account for that.
Couldn't agree more. The state-sponsored angle is what elevates this from normal DeFi risk to a genuine national security concern.
It’s concerning to see how these attacks keep evolving. While the tech behind crypto is great, stories like this make it harder for mainstream businesses to feel comfortable adopting it. We need better automated detection tools for these types of anomalies in IAM behavior before the bill reaches thousands of dollars.
Elena Rodriguez makes a fair point about automated detection. AWS GuardDuty caught this one, but how many go unnoticed for weeks before the bill spikes?
Good point about detection gaps. By the time most teams realize they have been compromised, the funds are already through a mixer and across three chains.