A sophisticated cyberattack campaign targeting cryptocurrency firms has been uncovered by cybersecurity firm Ctrl-Alt-Intel. The attackers exploited multiple entry points, primarily using the React2Shell vulnerability in a popular web framework to scan for and breach crypto platforms running outdated software. In a separate intrusion vector, attackers used stolen Amazon Web Services (AWS) credentials to gain access to a crypto exchange's cloud infrastructure.
The campaign's objectives were extensive. Attackers searched cloud environments for private keys, wallet credentials, and sensitive configuration files. They specifically targeted Terraform state files, which often contain infrastructure secrets. The breach exposed the backend source code of a USDT staking platform and led to the theft of proprietary software, including five Docker images containing cryptocurrency exchange logic from infrastructure provider ChainUp's customer systems.
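Terraform state files are an attractive target because provider attributes such as database passwords and IAM access-key secrets are written into the state in plaintext. The following inventory script is an added example (not code from Ctrl-Alt-Intel or from the article) that walks a state file in the version-4 JSON schema and reports which resource attributes carry secret-looking values, so a defender can see what an attacker reading the state would obtain. The sample state, the attribute-name regex and the resource names are constructed for illustration; the script reports only attribute paths and value lengths, never the values themselves.

```python
"""Inventory secret-bearing attributes in a Terraform state file (schema version 4)."""
import json
import re

# Attribute names that commonly hold credentials in provider schemas (assumed list; extend per provider).
SECRET_KEY_RE = re.compile(r"(password|secret|token|private_key|access_key|api_key)", re.IGNORECASE)

# Constructed sample state for the example; not from any real environment.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"identifier": "prod-db",
                                       "password": "Example-Pa55w0rd",
                                       "engine": "postgres"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deployer",
         "instances": [{"attributes": {"id": "AKIAEXAMPLE000000001",
                                       "secret": "example/secret/value",
                                       "user": "deployer"}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"bucket": "example-logs", "region": "us-east-1"}}]},
    ],
})


def walk(value, path):
    """Yield (dotted_path, leaf) pairs for every scalar inside a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_state_secrets(state_json: str) -> list[dict]:
    """Return one finding per non-empty string attribute whose name looks credential-like.

    Findings carry the resource address, instance index, attribute path and value length only,
    so the report itself does not become a second copy of the secrets.
    """
    state = json.loads(state_json)
    findings = []
    for resource in state.get("resources", []):
        address = f"{resource['type']}.{resource['name']}"
        for index, instance in enumerate(resource.get("instances", [])):
            for path, leaf in walk(instance.get("attributes", {}), ""):
                attribute_name = path.split(".")[-1]
                if isinstance(leaf, str) and leaf and SECRET_KEY_RE.search(attribute_name):
                    findings.append({"resource": address, "instance": index,
                                     "attribute": path, "length": len(leaf)})
    return findings


if __name__ == "__main__":
    for finding in find_state_secrets(SAMPLE_STATE):
        print(f"{finding['resource']}[{finding['instance']}] {finding['attribute']} ({finding['length']} chars)")
```

Run against a real `terraform.tfstate` by reading the file into `find_state_secrets`; every finding is a value that should live in a remote backend with encryption and restricted access, and that needs rotating if the state was ever exposed.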
Investigators traced the attack infrastructure to servers in South Korea, with the main server operating at IP address 64.176.226[.]36. Attackers used tools like VShell and FRP tunneling for command-and-control. Security analysts note strong tactical similarities to past operations by North Korean state-sponsored hacking groups, specifically the TraderTraitor group, which has a history of targeting crypto supply chains. While attribution to North Korea is assessed with moderate confidence, the evidence points toward their involvement.
The scale of potential damage is significant. By mapping entire AWS environments, accessing Kubernetes clusters, and harvesting secrets from AWS Secrets Manager, the attackers have laid the groundwork for future large-scale cryptocurrency thefts. The investigation also revealed that compromised servers were simultaneously hosting malware from other criminal groups, including XMRig mining tools.
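The pattern described here, environment mapping followed by bulk reads from Secrets Manager, leaves a recognisable trail in CloudTrail. The detector below is an added example (not code from Ctrl-Alt-Intel or the article) that groups CloudTrail events by principal and raises an alert when a principal performs reconnaissance calls (`DescribeInstances`, `ListClusters`, `ListSecrets`, `ListRoles`) and then reads more than a threshold of distinct secrets within a window. The sample events, account ID, principal ARNs, IP addresses and the threshold are constructed assumptions; the event field names (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.secretId`) follow the CloudTrail record format.

```python
"""Flag CloudTrail principals that map the environment and then bulk-read Secrets Manager."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance calls that precede secret harvesting in the campaign described above (assumed set).
RECON_EVENTS = {
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("eks.amazonaws.com", "ListClusters"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("iam.amazonaws.com", "ListRoles"),
}
GET_SECRET = ("secretsmanager.amazonaws.com", "GetSecretValue")
WINDOW = timedelta(minutes=30)
DISTINCT_SECRET_THRESHOLD = 3  # assumed; tune against the account's normal read patterns

SM = "secretsmanager.amazonaws.com"
ATTACKER = "arn:aws:iam::111122223333:user/ci-deployer"  # constructed stolen-credential principal
APP = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"  # constructed workload


def _event(time, arn, source, name, ip, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "sourceIPAddress": ip, "requestParameters": params or {}}


SAMPLE_EVENTS = [
    _event("2025-01-15T02:00:05Z", ATTACKER, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
    _event("2025-01-15T02:00:40Z", ATTACKER, "eks.amazonaws.com", "ListClusters", "203.0.113.10"),
    _event("2025-01-15T02:01:10Z", ATTACKER, SM, "ListSecrets", "203.0.113.10"),
    _event("2025-01-15T02:01:30Z", ATTACKER, SM, "GetSecretValue", "203.0.113.10", {"secretId": "prod/exchange/hot-wallet"}),
    _event("2025-01-15T02:01:31Z", ATTACKER, SM, "GetSecretValue", "203.0.113.10", {"secretId": "prod/exchange/db"}),
    _event("2025-01-15T02:01:33Z", ATTACKER, SM, "GetSecretValue", "203.0.113.10", {"secretId": "prod/kyc/api-key"}),
    _event("2025-01-15T02:01:34Z", ATTACKER, SM, "GetSecretValue", "203.0.113.10", {"secretId": "prod/exchange/signing"}),
    # A workload that repeatedly reads its own single secret is normal and must not alert.
    _event("2025-01-15T02:05:00Z", APP, SM, "GetSecretValue", "10.0.12.7", {"secretId": "prod/exchange/db"}),
    _event("2025-01-15T02:35:00Z", APP, SM, "GetSecretValue", "10.0.12.7", {"secretId": "prod/exchange/db"}),
]


def _timestamp(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_secret_harvest(events, threshold=DISTINCT_SECRET_THRESHOLD, window=WINDOW):
    """Return one alert per principal whose recon is followed by >= threshold distinct GetSecretValue targets."""
    by_principal = defaultdict(list)
    for event in events:
        by_principal[event["userIdentity"]["arn"]].append(event)

    alerts = []
    for arn, principal_events in by_principal.items():
        principal_events.sort(key=_timestamp)
        recon = [e for e in principal_events if (e["eventSource"], e["eventName"]) in RECON_EVENTS]
        reads = [e for e in principal_events if (e["eventSource"], e["eventName"]) == GET_SECRET]
        if not recon or not reads:
            continue
        window_start = _timestamp(recon[0])
        secrets = {e["requestParameters"].get("secretId") for e in reads
                   if window_start <= _timestamp(e) <= window_start + window}
        if len(secrets) >= threshold:
            alerts.append({
                "principal": arn,
                "source_ips": sorted({e["sourceIPAddress"] for e in principal_events}),
                "recon_calls": [e["eventName"] for e in recon],
                "distinct_secrets": len(secrets),
                "first_recon": recon[0]["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_secret_harvest(SAMPLE_EVENTS):
        print(alert)
```

The alert deliberately keys on the combination of enumeration and breadth of secret reads: a single principal touching many distinct secrets shortly after listing them is the signature of harvesting, whereas a workload re-reading its own secret on rotation never crosses the threshold. In production this logic would run over CloudTrail Lake or the S3-delivered trail rather than an in-memory list, and the triggering principal's source IPs feed directly into credential revocation and secret rotation.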