AWS Detects Cryptocurrency Mining Via Stolen Credentials

Amazon Web Services detected a campaign on November 2, 2025, where attackers used stolen IAM credentials to deploy EC2 and ECS resources for cryptocurrency mining. GuardDuty correlated signals across multiple compromised accounts and flagged persistence techniques like termination protection and staggered deployments, prompting AWS to halt many instances and notify customers. The incident underscores the need for MFA, credential rotation, and automated anomalous-usage monitoring.
Key Points
- Hijackers use stolen IAM credentials to deploy EC2 and ECS instances for sustained cryptocurrency mining.
- Attackers enable termination protection and stagger deployments to evade detection and maintain mining uptime.
- Organizations must enforce MFA, rotate keys regularly, and monitor anomalous resource usage to prevent abuse.
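
One way to look for the termination-protection pattern from the key points in CloudTrail data, as an added example that is not from AWS or the original report. The record layout (`requestParameters.disableApiTermination`, `responseElements.instancesSet.items`) is assumed from CloudTrail's EC2 management events, and the events, instance IDs and access key IDs are constructed.

```python
from collections import defaultdict

def _ev(name, key, params, launched=()):
    """Build a constructed CloudTrail-style record (layout is an assumption)."""
    return {"eventName": name,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": params,
            "responseElements": {"instancesSet": {"items": [{"instanceId": i} for i in launched]}}}

# Constructed sample events, not data from the incident.
SAMPLE_EVENTS = [
    _ev("RunInstances", "AKIAEXAMPLE0000000001", {"instanceType": "c5.4xlarge"}, ["i-0aaa"]),
    _ev("ModifyInstanceAttribute", "AKIAEXAMPLE0000000001",
        {"instanceId": "i-0aaa", "disableApiTermination": {"value": True}}),
    _ev("RunInstances", "AKIAEXAMPLE0000000001",
        {"instanceType": "c5.4xlarge", "disableApiTermination": True}, ["i-0bbb"]),
    _ev("RunInstances", "AKIAEXAMPLE0000000002", {"instanceType": "t3.micro"}, ["i-0ccc"]),
    # A key protecting an instance it did not launch: not counted.
    _ev("ModifyInstanceAttribute", "AKIAEXAMPLE0000000003",
        {"instanceId": "i-0ddd", "disableApiTermination": {"value": True}}),
]

def _launched_ids(ev):
    """Instance IDs returned by a RunInstances call."""
    items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
    return {i["instanceId"] for i in items}

def _protected_ids(ev):
    """Instance IDs on which this event turns termination protection on."""
    params = ev.get("requestParameters") or {}
    flag = params.get("disableApiTermination")
    if ev["eventName"] == "RunInstances" and flag is True:
        return _launched_ids(ev)
    if ev["eventName"] == "ModifyInstanceAttribute" and isinstance(flag, dict):
        return {params["instanceId"]} if flag.get("value") is True and "instanceId" in params else set()
    return set()

def suspicious_keys(events, min_protected=2):
    """Access keys that launched and termination-protected >= min_protected instances."""
    launched, protected = defaultdict(set), defaultdict(set)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if not key:
            continue
        if ev["eventName"] == "RunInstances":
            launched[key] |= _launched_ids(ev)
        protected[key] |= _protected_ids(ev)
    return sorted(k for k in protected if len(protected[k] & launched[k]) >= min_protected)

if __name__ == "__main__":
    print(suspicious_keys(SAMPLE_EVENTS))
```

The check covers termination protection only; it does not model staggered deployments, and the threshold needs tuning against accounts that legitimately protect their own instances.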
Scoring Rationale
High operational impact and actionable mitigations, but limited novelty because credential-based cloud mining is a recurring, well-known attack.

