In December 2025, Amazon’s AWS (Amazon Web Services) faced a significant security breach in which compromised accounts were used for an ongoing crypto-mining campaign. The incident specifically targeted AWS’s Elastic Compute Cloud (EC2) and Elastic Container Service (ECS), affecting a vast number of users who rely on these services for their cloud-based applications and workloads. The breach was particularly alarming because of its scale: the attackers used valid Identity and Access Management (IAM) credentials from multiple customer accounts. The ramifications extend beyond Amazon to the countless organizations that rely on AWS for their cloud infrastructure. As the details unfold, it is critical to analyze how the breach occurred, the methods the attackers employed, and the implications for both Amazon and its customers.
What Happened
The breach was discovered on December 17, 2025, when Amazon’s AWS GuardDuty security team issued a warning about an ongoing crypto-mining operation linked to compromised AWS accounts. Here’s a chronological account of the breach:
- Late October 2025: A malicious Docker Hub image was created, which would later serve as the vector for deploying the crypto-miners, accumulating over 100,000 pulls by the time the breach was discovered.
- November 2, 2025: The operation began, with attackers leveraging compromised IAM credentials to access AWS resources.
- December 17, 2025: AWS GuardDuty identified the crypto-mining campaign and alerted the customers whose accounts had been compromised.
Initial analysis showed that the attackers did not exploit any vulnerabilities in AWS systems; instead, they operated with valid credentials obtained from customer accounts. The data compromised consisted of IAM credentials, which allowed the attackers to deploy and run unauthorized crypto-mining software on EC2 and ECS instances, leading to significant computational resource exhaustion for the affected users.
How It Happened
The attack leveraged a combination of social engineering and poor security practices that led to the compromise of valid IAM credentials. Here’s a deeper look into the technical aspects of the breach:
- Credential Compromise: Attackers obtained IAM credentials through phishing or other means, enabling them to act as legitimate principals rather than exploit any weakness in AWS itself.
- Deployment Method: Utilizing a malicious Docker Hub image, which was pulled over 100,000 times, the attackers were able to deploy crypto-miners effectively on the compromised accounts.
- Persistence Mechanism: The attackers implemented a persistence mechanism that allowed them to maintain control over the mining operations, even after initial detection attempts by incident responders.
The infrastructure weaknesses stemmed from inadequate monitoring of IAM roles and permissions, which allowed the threat actors to establish and sustain the mining operation without immediate detection. Attribution to a specific threat actor was not disclosed, but the methodology indicates a sophisticated approach often seen in organized cybercrime.
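The deployment vector above was a public Docker Hub image pulled into compromised accounts. One preventive control a defender can run against their own ECS task definitions is an image-provenance check: flag any container image that comes from a registry outside an allowlist, or that is referenced by a mutable tag rather than an immutable digest. The following is an added example, not code from the article, from AWS or from any project it describes; the allowlisted ECR registries (with a placeholder account ID) and the sample task definitions are constructed, and the records only follow the shape of the ECS task definition JSON.

```python
"""Flag ECS task definitions whose container images come from a registry
outside an allowlist or are not pinned to an immutable digest.

Added example (not from the article or from AWS). Runs offline over
constructed task-definition records shaped like ECS task definition JSON.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed allowlist: the organisation's own ECR registries (placeholder account id).
ALLOWED_REGISTRIES = {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
    "123456789012.dkr.ecr.eu-west-1.amazonaws.com",
}


@dataclass(frozen=True)
class Finding:
    family: str
    container: str
    image: str
    reason: str


def parse_image_ref(image: str) -> tuple[str, str, str | None, str | None]:
    """Split an image reference into (registry, repository, tag, digest).

    A reference whose first path component has no '.' or ':' and is not
    'localhost' carries no explicit registry and resolves to Docker Hub.
    """
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", image
    tag = None
    # A ':' after the last '/' separates the tag; a ':' before it is a registry port.
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    return registry, path, tag, digest


def audit_task_definitions(task_defs: list[dict]) -> list[Finding]:
    """Return one Finding per policy violation across all container definitions."""
    findings: list[Finding] = []
    for td in task_defs:
        for c in td.get("containerDefinitions", []):
            image = c.get("image", "")
            registry, _repo, tag, digest = parse_image_ref(image)
            if registry not in ALLOWED_REGISTRIES:
                findings.append(Finding(td["family"], c["name"], image,
                                        f"image from non-allowlisted registry {registry}"))
            if digest is None:
                findings.append(Finding(td["family"], c["name"], image,
                                        f"image not pinned by digest (tag {tag or 'latest'})"))
    return findings


# Constructed sample task definitions (not real workloads).
SAMPLE_TASK_DEFS = [
    {"family": "payments-api",
     "containerDefinitions": [
         {"name": "api",
          "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api@sha256:" + "ab" * 32}]},
    {"family": "batch-worker",
     "containerDefinitions": [
         {"name": "worker", "image": "someuser/worker-image:latest"},
         {"name": "sidecar", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/log-agent:1.4"}]},
]

if __name__ == "__main__":
    for f in audit_task_definitions(SAMPLE_TASK_DEFS):
        print(f"{f.family}/{f.container}: {f.image} -> {f.reason}")
```

In a real account the input would be the output of `aws ecs describe-task-definition` for each active family; the check is deliberately strict about digests because a tag such as `latest` can be repointed at a different image by whoever controls the repository, which is exactly the property a public-registry vector relies on.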
Impact
The impact of the AWS breach was multi-faceted, affecting both the organization and its users significantly:
- Immediate Consequences: AWS customers experienced substantial performance degradation due to resource exhaustion caused by the unauthorized mining activities.
- Customer Impact: Many organizations relying on AWS for critical operations faced increased operational costs and potential disruptions to their services.
- Financial Implications: AWS had to absorb the costs associated with additional computational resources consumed by the mining operations, potentially reaching into millions of dollars.
- Regulatory and Legal Consequences: The breach raised concerns regarding compliance with data protection regulations, putting AWS at risk of legal scrutiny.
- Long-term Reputation Damage: Trust in AWS’s security measures could be undermined, leading to customer attrition and a tarnished brand reputation.
- Industry-wide Implications: This incident serves as a stark reminder to other cloud service providers, emphasizing the need for stringent security protocols to protect against similar threats.
Overall, the AWS breach not only highlighted weaknesses in how cloud accounts and credentials are managed but also underscored the need for robust security measures across the tech industry.
Recommendations
In light of the AWS breach, organizations should adopt the following security measures to prevent similar incidents:
- Enhance IAM Policies: Implement the principle of least privilege to limit access to critical resources.
- Regular Credential Audits: Conduct frequent audits of IAM credentials to identify any unauthorized access or anomalies.
- Multi-Factor Authentication: Enforce multi-factor authentication for all access to AWS accounts to mitigate credential theft.
- Monitoring and Alerts: Utilize AWS tools like GuardDuty to monitor account activity and receive alerts for suspicious behavior.
- Security Awareness Training: Educate employees about phishing attacks and other social engineering tactics to reduce the likelihood of credential compromise.
By implementing these actionable recommendations, organizations can significantly bolster their defenses against similar breaches and enhance their overall cybersecurity posture.
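The credential-audit and MFA recommendations above can be checked mechanically against the IAM credential report, which lists every user's console password, MFA status and access keys with their last rotation and last use. The following is an added example, not code from the article or from AWS: it reads the credential report's CSV layout (a subset of its columns), but the rows, the 90-day thresholds and the list of expected regions are constructed assumptions for the demonstration.

```python
"""Audit an IAM credential report for stale or weakly protected credentials.

Added example (not from the article or from AWS). Reads the CSV column layout
used by IAM's credential report (a subset of columns); the rows, thresholds
and expected-region list below are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90     # assumed rotation policy
MAX_KEY_IDLE_DAYS = 90    # assumed: a key unused this long should be removed
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}  # assumed: where the account legitimately operates

# Constructed rows in the credential-report column layout (subset of columns).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2025-11-20T09:00:00+00:00,2025-12-16T08:12:00+00:00,us-east-1
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2025-03-01T00:00:00+00:00,2025-12-16T22:41:00+00:00,ap-southeast-1
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2025-12-01T00:00:00+00:00,N/A,N/A
old-batch,arn:aws:iam::123456789012:user/old-batch,false,false,true,2025-06-01T00:00:00+00:00,2025-08-01T00:00:00+00:00,us-east-1
"""

# Fixed "as of" time so the audit of the constructed report is reproducible.
REPORT_AS_OF = datetime(2025, 12, 17, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime | None:
    """Report dates are ISO 8601; N/A, no_information and not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for every policy violation in the report."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without MFA is the first thing phished credentials exploit.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if row["access_key_1_active"] != "true":
            continue
        rotated = parse_ts(row["access_key_1_last_rotated"])
        last_used = parse_ts(row["access_key_1_last_used_date"])
        if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append((user, f"access key older than {MAX_KEY_AGE_DAYS} days"))
        # A never-used key counts as idle since it was created.
        idle_since = last_used or rotated
        if idle_since and now - idle_since > timedelta(days=MAX_KEY_IDLE_DAYS):
            findings.append((user, f"access key unused for more than {MAX_KEY_IDLE_DAYS} days"))
        region = row["access_key_1_last_used_region"]
        if region not in ("N/A", "") and region not in EXPECTED_REGIONS:
            findings.append((user, f"access key last used from unexpected region {region}"))
    return findings


def sample_findings() -> list[tuple[str, str]]:
    """Audit the constructed report as of the fixed timestamp."""
    return audit_credential_report(SAMPLE_REPORT, REPORT_AS_OF)


if __name__ == "__main__":
    for user, reason in sample_findings():
        print(f"{user}: {reason}")
```

The region check is the one most directly tied to this incident: a long-lived key that suddenly makes calls from a region the account has never used is a cheap, high-signal anomaly to alert on, and it is the kind of behaviour GuardDuty's IAM findings are built around. In a real account the CSV would come from `aws iam get-credential-report` (the report body is base64-encoded), with `now` set to the current time.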
How NHI Mgmt Group Can Help
Securing Non-Human Identities (NHIs), including AI Agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, etc., during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organization focused on protecting its digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, which will empower you and your organization with the knowledge needed to manage and secure these non-human identities effectively.
In addition to our NHI training, we offer independent Advisory & Consulting services that include:
- NHI Maturity Risk Assessments
- Business Case Development
- Program Initiation
- Market Analysis & RFP Strategy/Guidance
With our expertise, we can help your organization identify vulnerabilities and implement robust security measures to protect against future breaches.
Final Thoughts
The AWS breach serves as a critical wake-up call for organizations utilizing cloud services. The exploitation of valid credentials highlights vulnerabilities that can exist even within established security frameworks. As cyber threats continue to evolve, the necessity for proactive security measures cannot be overstated. Organizations must prioritize cybersecurity to safeguard against potential breaches and protect their digital assets. Staying informed about best practices and emerging threats is essential for maintaining a resilient security posture in today’s digital landscape.