- The attackers used stolen high-privilege IAM credentials to quickly perform large-scale cryptomining on EC2 and ECS.
- They launched GPU-heavy auto-scaling groups, malicious Fargate containers, new IAM users, and shutdown-protected instances.
- AWS promotes strict IAM hygiene: MFA everywhere, temporary credentials, and least-privilege access.
Experts have warned that cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers.
The cloud giant warned of the ongoing campaign in a recent report, saying that patches have now been applied, but urged its customers to be cautious as these types of attacks could easily re-emerge.
In early November 2025, Amazon GuardDuty engineers discovered the attack after observing the same technique on multiple AWS accounts. Further investigation revealed that the attackers had not exploited any known or unknown vulnerabilities in AWS. To gain access, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions. Once inside, they used this access to deploy large-scale mining infrastructure in the cloud environment.
Strengthen your passwords
Amazon’s report shows that the majority of cryptocurrency miners were up and running within minutes of the attackers logging in for the first time. The attackers quickly enumerated service quotas and permissions, then launched dozens of ECS clusters and large EC2 Auto Scaling groups. In some cases, these were configured to grow rapidly to maximize resource consumption.
Hackers approached the attack on ECS and EC2 differently. In the first case, they deployed malicious container images on Docker Hub and ran the miner on AWS Fargate.
In the latter case, however, they created several launch templates and Auto Scaling groups that targeted both high-performance GPU instances and general compute instances.
Amazon also added that the criminals used instance termination protection to prevent compromised instances from simply being shut down or remediated remotely.
They also created publicly available AWS Lambda functions and additional IAM users.
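The behaviours described above can be hunted for in CloudTrail by looking for one principal combining several of them within minutes. The following is an added example, not code from the AWS report: the event-name mapping, the record shape, the 15-minute window, the three-behaviour threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Article behaviours mapped to CloudTrail events; mapping, record shape and thresholds are assumed.
BEHAVIOURS = {
    ("servicequotas.amazonaws.com", "GetServiceQuota"): "quota-recon",
    ("ecs.amazonaws.com", "CreateCluster"): "ecs-cluster",
    ("ec2.amazonaws.com", "CreateLaunchTemplate"): "launch-template",
    ("autoscaling.amazonaws.com", "CreateAutoScalingGroup"): "asg",
    ("iam.amazonaws.com", "CreateUser"): "new-iam-user",
}

def classify(ev):
    """Return the behaviour label for one CloudTrail record, or None."""
    key = (ev["eventSource"], ev["eventName"])
    if key == ("ec2.amazonaws.com", "ModifyInstanceAttribute"):
        flag = (ev.get("requestParameters") or {}).get("disableApiTermination") or {}
        return "termination-protection" if flag.get("value") is True else None
    return BEHAVIOURS.get(key)

def flag_principals(events, window=timedelta(minutes=15), min_behaviours=3):
    """Map each principal ARN to the distinct behaviours it showed inside one window."""
    seen = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            seen[ev["userIdentity"]["arn"]].append((ts, label))
    flagged = {}
    for arn, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            labels = {lab for ts, lab in hits[i:] if ts - start <= window}
            if len(labels) >= min_behaviours:
                flagged[arn] = sorted(labels)
                break
    return flagged

def sample_event(t, src, name, user, params=None):  # builds a constructed sample record
    return {"eventTime": f"2025-01-01T{t}:00Z", "eventSource": src + ".amazonaws.com",
            "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}

SAMPLE = [  # constructed events, not taken from the AWS report
    sample_event("10:00", "servicequotas", "GetServiceQuota", "ci-admin"),
    sample_event("10:02", "ecs", "CreateCluster", "ci-admin"),
    sample_event("10:04", "autoscaling", "CreateAutoScalingGroup", "ci-admin"),
    sample_event("10:06", "ec2", "ModifyInstanceAttribute", "ci-admin", {"disableApiTermination": {"value": True}}),
    sample_event("09:00", "ecs", "CreateCluster", "dev"),
]
```

Calling `flag_principals(SAMPLE)` flags only the `ci-admin` principal; the `dev` user, who created a single ECS cluster, stays below the threshold.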
Amazon notes that it is easy to defend against these attacks. All you need is a strong password:
“To protect against similar cryptomining attacks, AWS customers should prioritize strong identity controls and access management,” the report said. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and enforce least-privilege IAM policies to limit access to only necessary permissions.”
