AWS systems targeted by crypto mining scam using hijacked IAM credentials
Attacks were up and running within minutes
- Attackers used stolen high‑privilege IAM credentials to rapidly deploy large‑scale cryptomining on EC2 and ECS
- They launched GPU‑heavy auto‑scaling groups, malicious Fargate containers, new IAM users, and protected instances from shutdown
- AWS urges strict IAM hygiene: MFA everywhere, temporary credentials, and least‑privilege access
Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, experts have warned.
The cloud giant warned about the ongoing campaign in a recent report, saying that it has since been addressed, but urged customers to be careful because attacks like these can easily reappear.
In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing across multiple AWS accounts. A subsequent investigation determined that the miscreants were not exploiting any known or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use the access to deploy large-scale mining infrastructure into the cloud environment.
Strengthen your passwords
Amazon’s report states that most crypto miners were up and running within minutes of initial access. The attackers moved quickly to enumerate service quotas and permissions, and then launched dozens of ECS clusters and large EC2 auto scaling groups. In some cases, these were configured to grow swiftly, in order to maximize compute consumption.
The hackers approached the attack differently on ECS and EC2. On the former, they deployed malicious container images hosted on Docker Hub that executed the miner on AWS Fargate.
On the latter, however, they created multiple launch templates and auto scaling groups that targeted high-performance GPU instances, as well as general-purpose compute instances.
Amazon added that the crooks also used instance termination protection to prevent compromised endpoints from being easily shut down or remediated remotely.
They also created publicly accessible AWS Lambda functions and additional IAM users.
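A defender's view of the behaviours listed above, as an added example that is not from the article or from Amazon's report: the Python below groups CloudTrail-style records by access key and flags any key that performs several of those actions within a short window. The 15-minute window, the three-stage threshold, the `requestParameters` shape assumed for termination protection and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values mapped to the behaviours the article lists.
STAGES = {
    "GetServiceQuota": "quota_enum", "ListServiceQuotas": "quota_enum",
    "CreateCluster": "ecs_cluster", "RegisterTaskDefinition": "ecs_task",
    "CreateLaunchTemplate": "launch_template",
    "CreateAutoScalingGroup": "asg", "CreateUser": "new_iam_user",
}
WINDOW = timedelta(minutes=15)  # assumed threshold, tune per environment
MIN_STAGES = 3                  # assumed threshold, tune per environment

def stage_of(ev):
    """Classify one record; termination protection counts only when enabled."""
    if ev["eventName"] == "ModifyInstanceAttribute":
        flag = (ev.get("requestParameters") or {}).get("disableApiTermination") or {}
        return "termination_protection" if flag.get("value") is True else None
    return STAGES.get(ev["eventName"])

def find_bursts(events):
    """Return {accessKeyId: stages} for keys hitting MIN_STAGES within WINDOW."""
    per_key = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if stage and key:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_key[key].append((ts, stage))
    alerts = {}
    for key, hits in per_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_STAGES:
                alerts[key] = sorted(seen)
                break
    return alerts

def _ev(t, name, key, params=None):  # builds a constructed sample record
    return {"eventTime": f"2025-11-02T{t}Z", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

K1, K2 = "AKIAEXAMPLE0000000001", "AKIAEXAMPLE0000000002"  # constructed key IDs
SAMPLE = [  # constructed records: K1 bursts, K2 is slow routine admin work
    _ev("10:00:05", "GetServiceQuota", K1), _ev("10:01:10", "CreateLaunchTemplate", K1),
    _ev("10:02:00", "CreateAutoScalingGroup", K1), _ev("10:04:00", "CreateUser", K1),
    _ev("10:03:30", "ModifyInstanceAttribute", K1, {"disableApiTermination": {"value": True}}),
    _ev("09:00:00", "CreateCluster", K2), _ev("16:00:00", "CreateUser", K2),
    _ev("13:30:00", "ModifyInstanceAttribute", K2, {"disableApiTermination": {"value": False}}),
]
```

Calling `find_bursts(SAMPLE)` flags only the first key, because the second key's actions are hours apart and its termination-protection change disables the setting rather than enabling it.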
Defending against these attacks is easy, Amazon hints. All it takes is a strong password:
“To protect against similar crypto mining attacks, AWS customers should prioritize strong identity and access management controls,” it says in the report. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM principals limiting access to only required permissions.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.