In brief

  • A new cryptojacking attack is affecting AWS users.
  • Hackers steal AWS user credentials and deploy their botnets using the victim's computers.
  • The attack is currently active.

Hackers are stealing Amazon Web Services (AWS) credentials, to deploy a new cryptojacking botnet, according to a report by Cado Security, a UK-based cybersecurity organization, this week. AWS is the e-commerce giant’s cloud computing division.

The firm said the malware operation is the first instance of hackers targeting Amazon tools to steal web credentials for crypto mining purposes. So far, over 119 systems have been compromised, according to the security firm.

The bot has itself been active since at least April and was deployed by a cybercrime group called “TeamTNT.” The attack only recently started targeting AWS logins, said the report.


How does the attack work?

Cado Security said that hackers used exposed files—containing plaintext credentials and configuration details for the underlying AWS account and infrastructure—as part of the attack. This allowed them to tap into Amazon’s extensive, and powerful, computing resources to mine Monero.

code for cryptojacking
A snippet of the code used to infiltrate AWS systems. Image: Cado Security

The botnet infects a system’s “Docker,” a software tool to deploy applications, to infiltrate computers that run on top of, or use, the AWS infrastructure. Once compromised, the TeamTNT gang scans for exposed user credentials and other data copies, and uploads both files onto a server that they control. Then they install a Monero mining botnet—and get to work.

Hackers could “seriously boost profits”

Cado Security researchers noted the attacker has not yet used many of the stolen credentials as of August 17. But that does not mean the threat is averted. “Nevertheless, when the attackers decide to do so [deploy the attack], TeamTNT stands to seriously boost its profits,” said the report.

“[This is] either by installing crypto-mining malware in more powerful AWS clusters directly or by selling the stolen credentials on the black market,” it added.

At press time, the attackers have siphoned a total of three Monero (about $300) on the two known wallet addresses connected to various victim computers. However, Cado Security researchers said hackers may have made “many times more,” as they control “thousands” of wallets.


The attack joins another similar, cloud computing-based attack that sees hackers using meme coin Dogecoin to keep their botnets running.

Stay on top of crypto news, get daily updates in your inbox.