Suspected DPRK Threat Actors Compromise Crypto Firms, Steal Keys and Cloud Assets in Coordinated Attacks

A coordinated campaign targeting cryptocurrency organizations has drawn attention from the security community, with evidence pointing to threat actors potentially linked to North Korea’s state-sponsored hacking operations.

The attackers moved systematically across multiple tiers of the crypto supply chain — hitting staking platforms, exchange software providers, and the exchanges themselves — making off with proprietary source code, private keys, and cloud-stored secrets.

The operation combined web application exploitation with stolen cloud credentials, making it one of the more calculated intrusions seen in the cryptocurrency sector in recent months.​

The threat actors used two distinct entry points across victim organizations. In one case, they exploited CVE-2025-55182, a known vulnerability in the React2Shell framework, using mass scanning with WAF bypass techniques to identify exposed crypto staking platforms.

In a separate intrusion, they arrived with pre-obtained valid AWS access tokens, bypassing initial exploitation entirely and moving straight into cloud infrastructure enumeration.

Both approaches point to a level of preparation far beyond opportunistic hacking — these were deliberate operations targeting organizations that handle real digital assets.​

Ctrl-Alt-Intel researchers identified both intrusion chains through a series of exposed open-directories uncovered over a two-week period in January 2026.

Investigators recovered files from the threat actor’s own working infrastructure, including shell history logs, archived source code, and tool configurations.

This rare window into the attacker’s environment provided clear visibility across every phase of the operation, from first commands executed after initial access to command-and-control setup.​

Inside one of the compromised staking platforms, the attackers extracted backend source code that included .env files holding hardcoded private keys for Tron blockchain wallets.

Blockchain records showed approximately 52.6 TRX transferred around the same window of active exploitation, though researchers noted it remains unclear whether the suspected DPRK-linked actors or a separate threat actor made that transfer.

Regardless, the presence of live financial credentials embedded directly in application code gave any attacker immediate access to real funds.​

The broader haul extended to Docker container images pulled from a cryptocurrency exchange.

These images contained hardcoded database credentials, internal service configurations, and proprietary exchange logic built using software from blockchain provider ChainUp — though researchers assessed the attackers compromised a ChainUp customer, not the company itself.

This pattern of stealing backend systems and exchange software fits a documented North Korean strategy of pre-positioning for large-scale cryptocurrency theft rather than extracting funds immediately.​

Inside the AWS Kill Chain

The cloud-focused phase of this attack demonstrated a structured approach to AWS exploitation.

After validating stolen credentials, the threat actors performed a broad enumeration sweep across EC2 instances, RDS databases, S3 buckets, Lambda functions, EKS clusters, and IAM roles.

They filtered S3 contents using grep searches targeting .pem, .key, and .ppk files, along with configuration files containing keywords like “secret,” “cred,” and “pass.”

Terraform state files — which store infrastructure mappings and often contain database passwords and API keys — were downloaded and parsed for credentials.​

The attackers then pivoted into the victim’s Kubernetes cluster by updating the kubeconfig file using the aws eks update-kubeconfig command, authenticating kubectl through AWS IAM.

Once inside, they listed all running pods, extracted ConfigMaps and Kubernetes Secrets in plaintext, and pulled five Docker container images from Elastic Container Registry — saving each as a tar archive before exfiltrating.

For command-and-control, the attackers ran VShell on port 8082 and used FRP as a tunneling proxy over port 53 — a DNS port that commonly escapes standard network monitoring.

Connections to their primary VPS were made over IPv6 rather than IPv4, a choice that sidesteps detection tools built to monitor IPv4 traffic.​

Security teams should patch CVE-2025-55182 immediately and audit all publicly exposed web applications.

AWS environments need least-privilege IAM policies, regular token rotation, and alerts for unusual API calls like bulk S3 listing or unexpected public RDS exposure.

Terraform state files need strict access controls and must not hold plaintext secrets. Source code should never contain hardcoded credentials or private keys.

Network monitoring must cover IPv6 traffic and outbound connections over port 53. Container registries should enforce pull restrictions, and Kubernetes kubeconfig permissions must be limited to authorized principals.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.