Codefinger uses pre-compromised AWS access keys (publicly exposed via GitHub, infostealer logs, paste sites) with s3:GetObject + s3:PutObject permissions. For each object in the victim bucket, Codefinger calls s3:CopyObject over the original key with x-amz-server-side-encryption-customer-algorithm: AES256 and a customer-generated key. AWS encrypts server-side and discards the key - only an HMAC of the key is captured in CloudTrail per AWS documentation. This means even AWS Support cannot recover the data. Codefinger then calls PutBucketLifecycleConfiguration to add an Expiration: Days=7 rule, arming the destruction timer that AWS itself executes. A plaintext ransom note (README_RANSOM.txt) is uploaded with a Bitcoin address and the promise to publish the SSE-C key after payment.

Halcyon researchers observed the technique on two AWS-native-software-developer customers in December 2024 and disclosed publicly on Jan 13, 2025. AWS responded by recommending defenders (1) deny SSE-C usage via bucket policy condition keys, (2) alarm on PutBucketLifecycleConfiguration, (3) use cross-account replication to Object-Lock buckets, and (4) rotate any exposed access keys. The technique exploits no AWS vulnerability - it is a misuse of native AWS encryption features. Halcyon notes: "This is the first instance known of leveraging AWS's native secure encryption infrastructure via SSE-C in the wild."