Security researchers recently identified a fast-moving threat actor that specializes in hijacking AWS accounts to mine cryptocurrency. The attack begins the moment an adversary gains access to IAM credentials with administrative privileges, usually through an external hosting provider. Within ten minutes of the initial breach, the actor conducts a rapid discovery phase to check service quotas and permission levels. They specifically use the DryRun flag in API calls to test their access without launching actual resources, which helps them stay undetected while they map out the target’s infrastructure.
Once the environment is vetted, the attacker begins a complex setup process to ensure their mining operations are both widespread and resilient. They create new IAM roles for AWS Lambda and autoscaling groups, attaching specific execution policies to maintain control. The campaign involves the creation of dozens of ECS clusters, sometimes exceeding 50 in a single session. By registering task definitions that point to malicious images on DockerHub, the actor triggers crypto-mining software on Fargate nodes almost instantly after the roles are established.
The technical core of the operation relies on a customized Docker image designed to execute a mining script using the RandomVIREL algorithm upon deployment. To maximize the financial drain on the victim and the profit for the attacker, the actor configures autoscaling groups to spike from small numbers to nearly a thousand instances. This aggressive scaling is intended to exhaust the account’s service quotas as quickly as possible, ensuring that the maximum amount of compute power is being utilized for the mining software.
The adversary shows a broad interest in various hardware types to fuel their operations. They have been observed targeting high-performance GPU and machine learning instances alongside standard compute, memory, and general-purpose instances. This versatility allows them to adapt to whatever resources are available in a specific compromised account. Because the actor automates the creation of these resources, the scale of the mining can become massive before a typical administrator notices the spike in activity or cost.
To protect against this campaign, Amazon recommends using automated threat detection services like GuardDuty, which first flagged this activity in November 2025. The attack’s use of unique persistence techniques highlights the need for organizations to strictly enforce the principle of least privilege for IAM users and monitor for unusual API calls involving DryRun flags or sudden cluster creations. Rapid response is critical, as the window between initial access and full-scale resource exploitation is less than a quarter of an hour.
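A minimal CloudTrail burst detector for the two signals named above, DryRun probing and rapid ECS cluster creation, as an added example that is not part of the original article or of any AWS tooling. It relies on CloudTrail recording the error code `Client.DryRunOperation` for EC2 calls made with DryRun=true; the principals, thresholds and sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DRY_RUN_ERROR = "Client.DryRunOperation"  # CloudTrail errorCode when an EC2 call carries DryRun=true
FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2025, 11, 3, 9, 0, 0)
BAD = "arn:aws:iam::123456789012:user/compromised-admin"   # constructed principal
GOOD = "arn:aws:iam::123456789012:user/platform-engineer"  # constructed principal
def _event(sec, arn, source, name, error=None):
    # Trimmed CloudTrail-style record: only the fields the detector reads
    rec = {"eventTime": (T0 + timedelta(seconds=sec)).strftime(FMT), "eventSource": source,
           "eventName": name, "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)

SAMPLE_LOG = (  # constructed sample log, not real CloudTrail data: one compromised admin, one benign engineer
    [_event(i * 20, BAD, "ec2.amazonaws.com", "RunInstances", DRY_RUN_ERROR) for i in range(6)]
    + [_event(200 + i * 15, BAD, "ecs.amazonaws.com", "CreateCluster") for i in range(12)]
    + [_event(3600, GOOD, "ec2.amazonaws.com", "RunInstances", DRY_RUN_ERROR),
       _event(7200, GOOD, "ecs.amazonaws.com", "CreateCluster")]
)

def _max_in_window(times, window):
    # Largest number of timestamps inside any sliding interval of length `window`
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bursts(lines, window=timedelta(minutes=10), dryrun_min=5, cluster_min=10):
    """Flag principals whose DryRun probes or ECS CreateCluster calls burst within `window`."""
    probes, clusters = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        t = datetime.strptime(ev["eventTime"], FMT)
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev.get("errorCode") == DRY_RUN_ERROR:
            probes[arn].append(t)
        elif ev["eventSource"] == "ecs.amazonaws.com" and ev["eventName"] == "CreateCluster":
            clusters[arn].append(t)
    findings = {}
    for arn in set(probes) | set(clusters):
        p, c = _max_in_window(probes[arn], window), _max_in_window(clusters[arn], window)
        if p >= dryrun_min or c >= cluster_min:
            findings[arn] = {"dryrun_probes": p, "ecs_clusters": c}
    return findings
```

Run against real CloudTrail exports by feeding the JSON records of each file's `Records` array as lines; the ten-minute window mirrors the discovery-to-deployment timing the article reports.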
Source: Compromised IAM Credentials Fuel A Large AWS Crypto Mining Campaign Worldwide
Brilliant breakdown on this attack chain. The use of DryRun flags for reconnaissance is something I've seen in incident reports but never explained this clearly - it basically lets attackers map permissions without triggering resource-creation alerts. Back when I was doing cloud cost optimization, we'd see random ECS spikes but never connected the dots to IAM compromise. The ten-minute window is terrifying tho; most SOC teams dunno they're under attack until the bill comes in.