- The attackers used stolen high-privileged IAM credentials to rapidly deploy cryptomining at scale on EC2 and ECS.
- They launched GPU-heavy auto-scaling groups, malicious Fargate containers, new IAM users, and termination-protected instances.
- AWS recommends strict IAM hygiene: MFA everywhere, temporary credentials, and least-privilege access.

Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, experts have warned.
The cloud giant warned of the ongoing campaign in a recent report, saying it had since been resolved, but urged its customers to be careful as such attacks can easily resurface.
In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing across multiple AWS accounts. Subsequent investigation determined that the attackers were not exploiting any known or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use this access to deploy large-scale mining infrastructure in the cloud environment.
Strengthen your passwords
Amazon’s report indicates that most cryptocurrency miners were up and running within minutes of initial access. The attackers quickly enumerated service quotas and permissions, then launched dozens of ECS clusters and large EC2 autoscaling groups. In some cases, these were configured to scale up quickly to maximize compute consumption.
The attackers took a different approach on ECS and EC2. On the former, they deployed malicious container images hosted on Docker Hub, which ran the miner on AWS Fargate.
On the latter, however, they created several launch templates and autoscaling groups targeting high-performance GPU instances, as well as general-purpose compute instances.
Amazon added that the attackers used instance termination protection to prevent compromised instances from being easily shut down or patched remotely.
They also created publicly available AWS Lambda functions and additional IAM users.
Defending against these attacks is easy, Amazon suggests. All it takes is a strong password:
“To protect against similar crypto-mining attacks, AWS customers should prioritize strong identity and access management controls,” the report said. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and enforce least privilege to IAM principals by limiting access to only required permissions.”
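
The behaviours described above (quota enumeration, ECS cluster and auto-scaling group creation, termination protection, new IAM users) all leave CloudTrail management events, so a burst of them from one access key can be flagged. The following is an added example, not code from the article or the AWS report: the record shape for `disableApiTermination`, the 15-minute window and the three-behaviour threshold are assumptions, and the sample records and key IDs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SIGNALS = {  # CloudTrail (eventSource, eventName) pairs for behaviours the article lists
    ("servicequotas.amazonaws.com", "GetServiceQuota"): "quota enumeration",
    ("ecs.amazonaws.com", "CreateCluster"): "ECS cluster creation",
    ("ec2.amazonaws.com", "CreateLaunchTemplate"): "launch template creation",
    ("autoscaling.amazonaws.com", "CreateAutoScalingGroup"): "auto-scaling group creation",
    ("iam.amazonaws.com", "CreateUser"): "new IAM user",
}

def classify(record):
    key = (record["eventSource"], record["eventName"])
    params = record.get("requestParameters") or {}
    # Termination protection is switched on through ModifyInstanceAttribute.
    if key == ("ec2.amazonaws.com", "ModifyInstanceAttribute"):
        on = (params.get("disableApiTermination") or {}).get("value") is True
        return "termination protection enabled" if on else None
    return SIGNALS.get(key)

def find_bursts(records, window=timedelta(minutes=15), min_kinds=3):
    """Return {accessKeyId: [labels]} for keys with min_kinds distinct behaviours in one window."""
    by_key = defaultdict(list)
    for r in records:
        if (kind := classify(r)):
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[r["userIdentity"].get("accessKeyId", "unknown")].append((ts, kind))
    alerts = {}
    for key_id, hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            kinds = {k for t, k in hits[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                alerts[key_id] = sorted(kinds)
                break
    return alerts

def ev(time, source, name, key, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample: key ...0001 shows the burst, key ...0002 is slow, ordinary activity.
SAMPLE = [
    ev("2025-11-02T10:00:05Z", "servicequotas.amazonaws.com", "GetServiceQuota", "AKIAEXAMPLE0001"),
    ev("2025-11-02T10:03:40Z", "autoscaling.amazonaws.com", "CreateAutoScalingGroup", "AKIAEXAMPLE0001"),
    ev("2025-11-02T10:04:02Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", "AKIAEXAMPLE0001",
       {"disableApiTermination": {"value": True}}),
    ev("2025-11-02T09:00:00Z", "ecs.amazonaws.com", "CreateCluster", "AKIAEXAMPLE0002"),
    ev("2025-11-02T16:30:00Z", "iam.amazonaws.com", "CreateUser", "AKIAEXAMPLE0002"),
]
```

Calling `find_bursts(SAMPLE)` flags only the first key; widening `window` or lowering `min_kinds` trades fewer misses for more noise from legitimate deployment pipelines.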