AWS systems targeted by crypto mining scam using hijacked IAM credentials

• Attackers used stolen high‑privilege IAM credentials to rapidly deploy large‑scale cryptomining on EC2 and ECS
• They launched GPU‑heavy auto‑scaling groups, malicious Fargate containers, new IAM users, and protected instances from shutdown
• AWS urges strict IAM hygiene: MFA everywhere, temporary credentials, and least‑privilege access

Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, expert have warned.

The cloud giant warned about the ongoing campaign in a recent report, saying that it has since been addressed, but urged customers to be careful because attacks like these can easily reappear.

In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing across multiple AWS accounts. A subsequent investigation determined that the miscreants were not exploiting any known, or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access ...