SCN-002 / Leaked AKID + 14 ASGs + ECS Cluster / 2025

Cryptomining 2025

A single leaked AWS access key was used to spin up 14 Auto Scaling Groups and an ECS cluster mining XMR for hours before billing anomaly detection triggered. Termination protection slowed the cleanup crew.

ASGs spun up

$50K+

documented bill

<10m

leak to compute

ongoing

campaign status

AWS-disclosed campaign · Nov 2025+ →

A single leaked IAM key turned into 10,000+ vCPU of crypto mining in ten minutes - and the attacker enabled termination protection to make cleanup harder.

10K+ vCPU

Exposure

AWS-quantified customer cost not disclosed; attacker spun up 14 ASGs × 999 instances + ECS Fargate tasks

10 min

Time to detect

leaked IAM key to active compute; Nov 2 2025 start, AWS disclosure Dec 16

1 SCP cap

Fix complexity

cap max EC2 ASG desired-capacity + ECS Fargate task CPU units per region

Ask your team this Friday

Do our SCPs cap maximum EC2 Auto Scaling Group capacity and ECS Fargate task CPU units per region?

→ Audit my environment

Select scenario

  
 BASH   
 STEP 01 Scanner picks up a leaked AWS key 
TruffleHog catches an AKID in a public commit
 1# Automated scanner watching github.com/<org>/* commits
2$ trufflehog github --org=any --json | jq 'select(.DetectorName=="AWS")'
3
4{
5  "DetectorName": "AWS",
6  "Raw": "AKIAIOSFODNN7EXAMPLE",
7  "Repository": "github.com/example/infra",
8  "Commit": "a72f1c0",
9  "Verified": true
10} 
External scanner · the same automation that catches keys also validates them within seconds.
  1 / 7  

← back

Executive briefing · blast-audit

Cryptomining 2025

A single leaked IAM key turned into 10,000+ vCPU of crypto mining in ten minutes - and the attacker enabled termination protection to make cleanup harder.

10K+ vCPU

Exposure

AWS-quantified customer cost not disclosed; attacker spun up 14 ASGs × 999 instances + ECS Fargate tasks

10 min

Time to detect

leaked IAM key to active compute; Nov 2 2025 start, AWS disclosure Dec 16

1 SCP cap

Fix complexity

cap max EC2 ASG desired-capacity + ECS Fargate task CPU units per region

Ask your team this Friday

Do our SCPs cap maximum EC2 Auto Scaling Group capacity and ECS Fargate task CPU units per region?

Verified incident

SBRMiner-MULTI cryptomining via stolen IAM credentials

Not publicly attributed by AWS - described only as "threat actors"

How it happened

AWS Security disclosed (Dec 2025) an ongoing cryptomining campaign that began Nov 2, 2025, using compromised IAM credentials to target Amazon ECS and EC2. Operators deploy SBRMiner-MULTI miner via the Docker Hub image "yenik65958/secret" (created Oct 29, 2025, with 100K+ pulls). Mining pool domains observed: asia[.]rplant[.]xyz, eu[.]rplant[.]xyz, na[.]rplant[.]xyz. Auto Scaling Group naming convention: SPOT-us-east-1-G*-* and OD-us-east-1-G*-*. For persistence, operators create AWS Lambda functions with AuthType=NONE and a public Function URL.

Outcome

Detected by GuardDuty Extended Threat Detection. AWS recommends: rotate exposed credentials, scan public repos for leaked AKIDs, enable GuardDuty + IAM Access Analyzer, restrict ec2:RunInstances per region, block Docker Hub image pulls from unknown publishers. No public arrests as of disclosure.

Sources

Open on desktop for the full demo

Cryptomining 2025

Cryptomining 2025

Generate audit report